I am trying to configure Apache with Django using mod-wsgi, but I am getting the following error:
AH00035: access to / denied (filesystem path '/home/ec2-user/ezvoice') because search permissions are missing on a component of the path
The URL is showing 403 Forbidden.
Here is the conf file:
LoadModule wsgi_module "/home/ec2-user/venv/lib/python3.7/site-packages/mod_wsgi/server/mod_wsgi-py37.cpython-37m-x86_64-linux-gnu.so"
<VirtualHost *:80>
    DocumentRoot /home/ec2-user/
    Alias /static /home/ec2-user/ezvoice/sub_app/static
    <Directory /home/ec2-user/ezvoice/sub_app/static>
        Options FollowSymLinks
        Order allow,deny
        Require all granted
    </Directory>
    WSGIDaemonProcess ezvoice python-path=/home/ec2-user/ezvoice:/home/ec2-user/venv/lib/python3.7/site-packages
    WSGIProcessGroup ezvoice
    WSGIScriptAlias / /home/ec2-user/ezvoice/main_app/wsgi.py
    ErrorLog /home/ec2-user/ezvoice/log-error.log
    CustomLog /home/ec2-user/ezvoice/custom-error.log combined
    <Directory /home/ec2-user/ezvoice/main_app>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
The directory structure is as follows:
home
-ec2-user
--ezvoice
---main_app
----asgi.py
----settings.py
---sub_app
----views.py
--venv
---bin
---include
---lib
I have tried to set permissions as follows:
sudo chown ec2-user ezvoice
sudo chown -R ec2-user /usr/local/lib/python3.7
sudo chown ec2-user /usr/local/bin
sudo chown ec2-user /usr/local/lib
Best Answer
"Search permissions are missing" means that the Apache user (probably apache, or www-data) doesn't have permission to traverse the directory tree all the way down to /home/ec2-user/ezvoice. You can debug this with namei -l, which will show you a long listing of all of the directory paths down to a file or directory, starting from /. For example:

When you do this for /home/ec2-user/ezvoice, you'll probably see that one of the directories along the path - maybe /, judging from the error message - is missing the x permission for group or other, which allows users to traverse the directory tree through that directory.

A simple solution is to give all users the traverse permission on all of those directories:

Then compare the output of namei -l again to see what changed. If you don't want to grant such broad permissions, you could do it more carefully for just the Apache user, with a file ACL:

Note, changing the ownership of Python isn't a good idea. You should be able to fix the permissions of the files that Python and Apache read, rather than the programs themselves.
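
The component-by-component check that the answer performs by eye with namei -l, as an added example (not part of the original answer): a POSIX shell function that reports the first directory on a path lacking the x (search) bit for "other". It assumes the Apache user is neither the owner nor in the group of those directories and does not evaluate ACLs; first_blocked and other_can_search are hypothetical names.

```shell
#!/bin/sh
# Added example: find the first directory on a path that the "other" class
# cannot search (no x bit). Assumes the Apache user is neither owner nor in the
# group of these directories; ACLs are not evaluated.

# other_can_search DIR -> exit 0 if "other" has search permission on DIR.
other_can_search() {
    # 10th character of the ls mode string is the other-execute slot:
    # x = search allowed, t = search allowed + sticky (e.g. /tmp),
    # - or T = search denied.
    mode=$(ls -ld -- "$1" | cut -c10)
    case "$mode" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# first_blocked PATH [BASE]
# Walks PATH one component at a time, like namei -l. Prints the first
# directory lacking o+x and returns 1; returns 0 if every directory passes.
# BASE (optional) is a prefix already known to be reachable and is skipped.
first_blocked() {
    cur=${2:-}
    rest=${1#"$cur"}
    rest=${rest#/}
    if [ -z "$cur" ] && ! other_can_search /; then
        echo /
        return 1
    fi
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -d "$cur" ] || continue      # only directories need search permission
        if ! other_can_search "$cur"; then
            echo "$cur"
            return 1
        fi
    done
    return 0
}

# Usage on the path from the error message:
#   first_blocked /home/ec2-user/ezvoice
```

A directory reported here is the one whose mode to inspect first; a home directory created with mode 700 is a common result on a path like the one in the question.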