Error 403 Access Forbidden persists on user directories in Tumbleweed

Hello Everyone: I am totally stumped at this point. I just installed Apache2 and set all the permissions for everything as instructed. (That is 755 for directories and 644 for files) on everything the Apache user is trying to access. I can see the main /srv/www/htdocs index.html in my browser, so the web server is running fine. It is my user directory (I am the only user) that still gets the 403 access denied error, and it is driving me crazy! I have tried resetting the permissions on that directory (public_html) to the same values as the /srv/www/htdocs directory, but it does not clear the error. This is Tumbleweed, so most things assume Leap that I have found on the Internet. Currently, all the permissions on the /home/user/public_html are set back to my user and I have given others and group read and execute permissions. Of course, at this time, the 403 still happens from my browser.

Hope someone can help!
Thanks in advance!
-Michael

Please show those file owners and permissions. Things like

ls -l /home/user/public_html

when I understand the place correct from your story.
And also show the apache configuration where it is defined that that place is a server root.
We want to see things and we do not want to depend on what you think things are.

Hello: Sure, here is a directory listing for you. Here it is:
jmneedham@vulcan ~ : lsl
drwxr-xr-x@ - jmneedham 26 Mar 11:20 .cache
drwxr-xr-x@ - jmneedham 26 Mar 10:51 .config
drwxr-xr-x@ - jmneedham 24 Mar 16:04 .doom.d
drwxr-xr-x@ - jmneedham 24 Mar 16:10 .emacs.d
drwxr-xr-x@ - jmneedham 24 Mar 11:20 .epsonscan2
drwxr-xr-x@ - jmneedham 23 Mar 21:44 .gnupg
drwxr-xr-x@ - jmneedham 23 Mar 18:51 .local
drwxr-xr-x@ - jmneedham 24 Mar 16:35 .MakeMKV
drwxr-xr-x@ - jmneedham 23 Mar 18:01 .mozilla
drwxr-xr-x@ - jmneedham 24 Mar 07:10 .npm
drwxr-xr-x@ - jmneedham 23 Mar 18:44 .pki
drwxr-xr-x@ - jmneedham 24 Mar 07:12 .rustup
drwxr-xr-x@ - jmneedham 23 Mar 19:00 .var
drwxr-xr-x@ - jmneedham 24 Mar 07:21 .vscode
drwxr-xr-x@ - jmneedham 23 Mar 20:25 .y2control
drwxr-xr-x@ - jmneedham 25 Mar 12:37 .zoom
drwxr-xr-x@ - jmneedham 23 Mar 19:00 Desktop
drwxr-xr-x@ - jmneedham 23 Mar 19:40 Documents
drwxr-xr-x@ - jmneedham 26 Mar 10:51 Downloads
drwxr-xr-x@ - jmneedham 24 Mar 15:25 motivate
drwxr-xr-x@ - jmneedham 23 Mar 19:00 Music
drwxr-xr-x@ - jmneedham 23 Mar 19:38 Pictures
drwxr-xr-x@ - jmneedham 23 Mar 19:00 Public
drwxr-xrwx@ - jmneedham 25 Mar 16:13 public_html
drwxr-xr-x@ - jmneedham 23 Mar 19:00 Templates
drwxr-xr-x@ - jmneedham 23 Mar 19:38 Videos
.rwxr-xr-x@ 3.7k jmneedham 24 Mar 09:54 .bash_history
.rwxr-xr-x@ 604 jmneedham 10 Mar 04:38 .bashrc
.rwxr-xr-x@ 1.6k jmneedham 13 Mar 09:46 .emacs
.rw-r--r--@ 304 jmneedham 26 Mar 09:45 .gtkrc-2.0
.rwxr-xr-x@ 599 jmneedham 1 Sep 2022 .i18n
.rwxr-xr-x@ 861 jmneedham 13 Mar 09:46 .inputrc
.rwxr-xr-x@ 856 jmneedham 10 Mar 04:38 .profile
.rwxr-xr-x@ 8.8k jmneedham 25 Mar 17:13 .viminfo
.rwxr-xr-x@ 2.0k jmneedham 1 Sep 2022 .xim.template
.rwxr-xr-x@ 45k jmneedham 23 Mar 20:25 .y2log
.rwxr-xr-x@ 280 jmneedham 23 Mar 19:48 .y2usersettings
.rwxr-xr-x@ 44k jmneedham 25 Mar 09:32 .zcompdump
.rwxr-xr-x@ 7.4k jmneedham 25 Mar 18:26 .zsh_history
.rwxr-xr-x@ 568 jmneedham 24 Mar 16:01 .zshrc
.rw-r--r--@ 1.2k jmneedham 26 Mar 10:51 flatpaks.txt
.rwxr-xr-x@ 5.3k jmneedham 24 Mar 17:32 repos.txt
jmneedham@vulcan ~ :

This is my entire /home/jmneedham directory as it stands right now. Again the public_html directory is set back to jmneedham:jmneedham for user and group.
We had it set to wwwrun:www before to try to get the 403 to clear in the past.

A 403 is not specific - there can be a number of reasons causing it

Check the error.log file (usually located at /var/log/apache2/error.log) which will describe why you are getting the 403 error exactly.

Let us know by showing the content using the Preformatted Text </> option … or if there is a LOT of output (too much to show with Preformatted), use https://paste.opensuse.org

Sorry, but this is not what I asked for. I asked for

ls -l /home/jmneedham/public_html

or, from that user’s home directory

ls -l public_html

Please, to make the pieces of computer code in your posts better consumable by technical oriented people:

Also, I had two questions and you did not answer the second one.

Here is a tail of the Apache error log:

[Wed Mar 26 09:50:14.154181 2025] [core:error] [pid 1196:tid 1196] (13)Permission denied: [client ::1:32848] AH00132: file permissions deny server access: /home/jmneedham/public_html/index.html
[Wed Mar 26 09:50:14.598654 2025] [core:error] [pid 1196:tid 1196] (13)Permission denied: [client ::1:32848] AH00132: file permissions deny server access: /home/jmneedham/public_html/index.html
[Wed Mar 26 09:50:18.171877 2025] [core:error] [pid 1196:tid 1196] (13)Permission denied: [client ::1:32848] AH00132: file permissions deny server access: /home/jmneedham/public_html/index.html
[Wed Mar 26 09:50:42.094764 2025] [core:error] [pid 1197:tid 1197] (13)Permission denied: [client 127.0.0.1:33072] AH00132: file permissions deny server access: /home/jmneedham/public_html/index.html

Per the question from hcvv, I have also included what my current mod_userdir.conf file looks like. Also, I use eza and not ls, so the output is the same info as ls -l except the group name is not there. I have stated that the permissions are set back to default on the contents of my home directory.

#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#

<IfModule mod_userdir.c>
        # Note that the name of the user directory ("public_html") cannot easily be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt. You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
        # 
        # To rebuild apache with another setting you need to change the 
        # %userdir define in the spec file. 

        # not every user's directory should be visible:
        UserDir disabled root

        # to enable UserDir only for a certain set of users, use this instead:
        #UserDir disabled
        #UserDir enabled user1 user2


        # the UserDir directive is actually used inside the virtual hosts, to 
        # have more control
        UserDir public_html

        <Directory /home/*/public_html>

                AllowOverride FileInfo AuthConfig Limit Indexes
                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

                <Limit GET POST OPTIONS PROPFIND>
                        <IfModule !mod_access_compat.c>

Hope this helps. This is the way the Apache2 was installed, so I am not too sure that user directories are even enabled because I have not worked with Apache configuration actively since 2015 in Apache 1.x I think. But under Arch, this was running fine out of the box.
Hope this helps a little.

For hcvv, I went back to root and got the ls -l for /home/jmneedham/public_html.

vulcan:~ # ls -l /home/jmneedham/public_html
total 4
-rw-r--r--. 1 jmneedham jmneedham 262 Mar 25 16:36 index.html
vulcan:~ # 

Hope all this helps. Thanks.

Does

setenforce 0

help?

How about before barrelling to disabling SELinux you actually look to see if there are any SELinux reported issues.

sudo ausearch -m AVC,USER_AVC -ts recent

Hi everyone: Thanks for the responses. setenforce and ausearch commands are not available on my system.

Because this is the most simple way to see if the problem is SELinux related to start with.

Okay, let’s take a step back for a moment.

For #1, you wrote “as instructed”. What does that refer to? Instructed by “what”?

For #2, you wrote “I can see index.html in my browser” … what does that mean? You can see the actual HTML code, or the “hello world” content ?

Here’s the important question … “WHY” do you need to provide HTML content from your user’s home sub-directory path??

(sidenote: software engineer here, now retired 4+ years after 30+ years coding. I learned early on, to keep things simple, so I’d not consider the user sub-dir choice).

Except it leads to the ‘solution’ of disable SELinux.

Every other problem - Look at logs
SELinux - wharbergarble disable selinux

This is like suggesting to chmod 777 to see if it’s a permission issue. Ya, it’ll sort of show that, but it’s the wrong thing to do.

Hello again: The instructions you follow to install the server. In a nutshell, zypper install apache2, set permissions on srv/www/htdocs to 755 and files within to 644, chown /srv/www/htdocs to wwwrun:www, obviously start and enable the apache server.

Part 2, Yes the page index.html renders properly in my browser from the root directly referenced above.

I don’t want to use the system root to work on my web projects, I want to store everything in my user directory. This is my plan. I have had this working on Arch Linux a few months ago, so I am real perplexed why it doesn’t function here.

BTW: I have 40 years in IT where I have focused on UNIX administration and programming, including web development. So my goal is to use my home directory public_html for developing my own stuff. It is important (to me) for this to work and if selinux turns out to be the issue, it will be disabled on this system as it only gets in my way. This is not a work machine, so it does not need to be as secure as say a client’s machine would need to be.

So long and short, I want this function.

Update, I tried to disable SELinux and ended up having to go into recovery to reset it back so that my system boots. Apparently, setting it to disabled is not going to work, so I need to figure out how to set proper permissions for the wwwrun user to access my user public_html, which is where we began.
Thanks again, I am sure someone has done this and can tell me what Tumbleweed is doing here.
Thanks again for all the help, but again (apparently) disabling SELinux is not the option.

Did not check your other info, but this leads me to a few remarks.

This “users home directory” feature is not considered a very safe way to walk since a long time. But you may of course consider it safe enough in your environment.

I do not understand why you as user jmneedham let user root change the ownership of the files to be served to wwwrun:www. Things inside a user's domain should not be owned by others (I note that root undid this already, but the starting point was wrong). Same is true for the listing I asked for. It is inside the user jmneedham’s domain. No need to use root for making the listing. Remember: what need not be done by root should not be done by root.

Then about your installing. Most people will install the LAMP Pattern (maybe easiest from YaST → Software → Software Management; the Patterns View), thus being sure they have everything. But again, you may have found out you only need the package apache2.

Hi and thanks for your response. I may have mis-spoke, root does not own anything in my jmneedham domain. I did have to become root to get the error_log as it would not allow me to view the file in /var/log/apache2 using simply sudo. In fact I could not even CD into the apache2 directory unless I was root. I got there by sudo su -.

What I mean to convey is that while developing, I do not want to “sudo” every time I want to work on my sites. As I recall, the user directory would make this happen since public_html is owned by my user, however, I could still see the results in my browser using localhost/~jmneedham. This is my goal.

I am far from new at this, though it has been quite a bit since I worked with apache.

In any case, thanks for your response and I still hope to resolve this without changing the way I learned to develop HTML in the first place.

It may be better to say this (may be a superfluous remark):

The Apache2 server processes are owned by user wwwrun. Thus that user must have read access to all files that must be served. When these files are not owned by wwwrun, their permissions must include readable for other (also called: world) and all directories in the path leading to those files must have the readable and executable permissions set.
This is just how ownership and permissions work and not special to Apache.

Yes, I fully understand that. Others have read and execute access to all directories under home/jmneedham/public_html. Yet, the 403 error persists, we are going in circles now.

Show

sudo sudo -u wwwrun cat /full/path/to/index.html

or whatever file cannot be accessed.

I said “the path …”, that means not only those “under home/jmneedham/public_html.”, that means also /home, /home/jmneedham and /home/jmneedham/public_html. You may mean that, but you did not say so.

And yes, what @arvidjaar asks for will show if those are correct.
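
Added example, not part of any post in this thread: a shell function that applies the rule discussed above (every directory on the path must be traversable by "other", and the file itself readable by "other") and names the first component that fails it. The function name `first_blocker` and its optional second argument are made up for this example; it assumes GNU coreutils (`realpath -e`, `stat -c`) and inspects classic mode bits only, not ACLs or SELinux policy.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# first_blocker TARGET [ROOT]
#   Walks every path component below ROOT (default /) down to TARGET and
#   checks the "other" mode bits, i.e. what an account such as wwwrun gets
#   when it is neither owner nor group member.
#   Prints "<path> <mode> missing <bit>" for the first failing component
#   and returns 1; returns 0 if none fails; returns 2 on a usage error.
#   ROOT itself is not checked.
first_blocker() {
    fb_target=$(realpath -e -- "$1") || return 2
    fb_root=$(realpath -e -- "${2:-/}") || return 2
    fb_prefix=${fb_root%/}/
    fb_rest=${fb_target#"$fb_prefix"}
    # TARGET must live below ROOT, otherwise there is nothing to walk.
    [ "$fb_rest" != "$fb_target" ] || return 2
    fb_cur=${fb_root%/}
    while [ -n "$fb_rest" ]; do
        # Peel off the next component and descend into it.
        fb_part=${fb_rest%%/*}
        case $fb_rest in
            */*) fb_rest=${fb_rest#*/} ;;
            *)   fb_rest= ;;
        esac
        fb_cur=$fb_cur/$fb_part
        fb_mode=$(stat -c %a -- "$fb_cur") || return 2
        # Last octal digit of the mode is the "other" permission set.
        fb_other=${fb_mode#"${fb_mode%?}"}
        if [ -d "$fb_cur" ]; then
            fb_need=1; fb_what='o+x (search)'   # directories: traversal
        else
            fb_need=4; fb_what='o+r (read)'     # the served file: read
        fi
        if [ $((fb_other & fb_need)) -eq 0 ]; then
            printf '%s %s missing %s\n' "$fb_cur" "$fb_mode" "$fb_what"
            return 1
        fi
    done
    return 0
}
```

Called as `first_blocker /home/jmneedham/public_html/index.html`, it walks `/home`, `/home/jmneedham`, `public_html` and the file in turn. A return of 0 means the mode bits along the path are not what is denying access.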