Defindit Docs and Howto Home

This page last modified: Apr 09 2005
title:Apache Explanation of (13)Permission denied: cannot read directory for multi:
keywords:apache,httpd,permissions,multiview,multi,view,error,apache 2,apache2
description:When permissions are NOT the problem, a common cause of the 13 error explained.

The error:

(13)Permission denied: cannot read directory for multi: /home/mst3k/public_html/

is caused my having the MultiViews enabled when public_html
permissions are 711.

Normally for security reasons your home directory and web accessible
directories will be permissions 711 (rwx--x--x). Execute on a directory
means that if you know a filename in that directory, you can read
it. However, you cannot get a listing of the directory. The x
(execute) permissions for directories have this special meaning. This
meaning is different from the meaning of x for files (where it means
the file is executable).

In order to get a listing of a directory, the permissions must be set
to r (read). For security reasons you *do not* want web accessible
directories to have read permissions. In other words, if someone
doesn't know the file they want, then they can't have a
listing. Listings of web accessible directories are a (minor) security
hazard. As a webmaster you *only* want people getting to web pages
that you have explicitly linked to.

However, the Apache MultiViews option makes a listing, and therefore
it needs r (read) permissions. MultiViews is only useful if you are
lazy and have web content but you do not want to create a home page.

I run scripts out of my public_html, and I've got some other stuff
going on. This is my Options line from my .htaccess file (the same
line works just as well in a <Directory> directive in your httpd.conf
file). 

Options +ExecCGI +FollowSymLinks -Indexes -MultiViews

Given the example case where you serve web pages from a public_html
directory in the user's home directory, here are the following
ownership and permissions for a mythical user "mst3k" on a machine
named "example".


[mst3k@example mst3k]$ ls -ld /home /home/mst3k
/home/mst3k/public_html
drwx--x--x  111 root     root           4096 Mar 11 18:56 /home
drwx--x--x   24 mst3k    mst3k          4096 Apr  9 10:19 /home/mst3k
drwx--x--x   32 mst3k    mst3k          8192 Apr  9 11:05 /home/mst3k/public_html
[mst3k@example mst3k]$

1) root owns /home and users are not allowed to get a listing of
   /home. This prevents users from listing all the home directories.
   This is a security feature. (see footnote A)

2) User home directory contentes cannot be listed. Known files and/or
   directories in the home directory can be read. This is required to
   allow access to public_html.  However, other users can guess file
   names in your home directory, which is a small security flaw. Any
   critical information should be in a subdirectory in your home
   directory, and that subdirectory should have permissions 700
   (rwx------).

3) The public_html also cannot be listed. However, like the home
   directory, known files in public_html are readable. Web pages have
   known file names (that's what is in a URL). 



Footnote A. On all the unix systems I know, anyone can read
/etc/passwd and see all the user ids. However, not all user ids have
home directories. Any time you hide information, you raise the level
of security.