Allow Apache Access to Subdirectory Without Home Directory Access


I am running Ubuntu 11.04 desktop with encrypted home directories. I do development work on my computer and I want to have my webroot directory to be within my home directory so it is encrypted with the rest of my home directory. As I am the only user of the machine, I want to configure Apache to point to this directly.

Currently I have changed the /var/www folder into a symbolic link to the workspace in my home dir: /home/valorin/workspace

However, this throws 403 Forbidden errors in Apache.

I have added my user into the www-data group, and set the ownership & permissions on the workspace folder:

drwxrwxr-x  2 valorin www-data  4096 2011-04-23 10:02 workspace

But the only way I can get it to work is to change my home dir group to be www-data and set permissions too. I don't really want to do this as it means Apache has access to my home dir and could possibly be used by someone on my network to get into my personal data.

Does anyone know how I can solve this problem?

Best Answer

You can leave your $HOME dir ownership alone. You don't need to set it to www-data. What you do have to do is ensure that Apache has execute permissions on $HOME and everything above it. So, you could do something like this:

chmod 751 "$HOME"
sudo chmod 751 /home

However, the fact that $HOME is encrypted might pose major problems for Apache unless you can somehow configure Apache to use the proper decryption key.


Setting execute permissions on a directory means only that you can access something inside the directory if you already know its name and if what you're trying to access also has correct permissions. So setting a global x-bit on $HOME isn't too much of a security risk, as long as all your other files have reasonable permissions. You might want to look into your umask to be sure.
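
The check below is an added example, not part of the original answer: it walks from a target directory up to a base directory and reports every component that "other" users cannot traverse, which is the condition behind the 403. The function names and the temporary directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find path components that lack the "other" execute bit.

# other_bits DIR -> the three "other" permission characters, e.g. "--x"
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# blocked_dirs BASE TARGET
# Walks from TARGET up to BASE (inclusive) and prints each directory that
# "other" cannot traverse. Prints nothing if the whole chain is traversable.
# BASE must be an ancestor of TARGET; both must be absolute paths.
blocked_dirs() {
    bd_base=$1
    bd_dir=$2
    while :; do
        case $(other_bits "$bd_dir") in
            ??x|??t) ;;                      # x (or sticky+x) is set
            *) printf '%s\n' "$bd_dir" ;;    # traversal stops here
        esac
        [ "$bd_dir" = "$bd_base" ] && break
        [ "$bd_dir" = "/" ] && break
        bd_dir=$(dirname "$bd_dir")
    done
}

# Constructed stand-in for /home/valorin/workspace under a temp root.
root=$(mktemp -d)
mkdir -p "$root/home/valorin/workspace"
chmod 755 "$root" "$root/home"
chmod 700 "$root/home/valorin"               # private home directory
chmod 775 "$root/home/valorin/workspace"     # as in the question

echo "Blocked before chmod 751:"
blocked_dirs "$root" "$root/home/valorin/workspace"

chmod 751 "$root/home/valorin"               # the change from the answer
echo "Blocked after chmod 751:"
blocked_dirs "$root" "$root/home/valorin/workspace"
echo "Other bits on home dir: $(other_bits "$root/home/valorin")"  # no r, so no listing

rm -rf "$root"
```

On a real system, pass / as BASE and the document root as TARGET; `namei -l` on the document root shows the same per-component permissions.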