Dec 5, 2025

How to Fix Apache Permission Denied on Debian 11

The Root Cause Apache on Debian 11, similar to other Debian-based systems, runs as the www-data user and group by default. “Permission Denied” errors primarily occur when the web server’s process (running as www-data) lacks the necessary read, write, or execute permissions for the files or directories within its configured web root, often following manual file transfers or deployments.

Quick Fix (CLI)

# Define your web root directory. Adjust this path if your site is in a different location.
WEB_ROOT="/var/www/html" 

# Change the owner and group of all files and directories in the web root to www-data.
sudo chown -R www-data:www-data "$WEB_ROOT"

# Set directory permissions to 755 (owner: rwx, group: rx, others: rx).
# This allows Apache to traverse directories and read their contents.
sudo find "$WEB_ROOT" -type d -exec chmod 755 {} \;

# Set file permissions to 644 (owner: rw, group: r, others: r).
# This allows Apache to read file contents.
sudo find "$WEB_ROOT" -type f -exec chmod 644 {} \;

# Restart Apache to ensure all changes are reloaded, though often not strictly necessary for file permissions.
sudo systemctl restart apache2

Configuration Check While filesystem permissions are the direct fix, it’s crucial to ensure Apache is configured to run as the expected user/group and serves from the correct directory.

Confirm Apache’s Operational User and Group: File: /etc/apache2/apache2.conf Lines to check (these usually resolve to www-data via /etc/apache2/envvars):
```
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
```
Note: Do not change these unless you specifically intend for Apache to run as a different user, which would then require adjusting filesystem permissions accordingly.
Confirm DocumentRoot: File: /etc/apache2/sites-available/your_site.conf (e.g., 000-default.conf) Line to check:
```
DocumentRoot /var/www/html
```
Ensure this path accurately reflects your application’s web root.

Verification

# Test access to your web server locally via curl.
# Replace 'localhost' with your domain name or IP address if testing remotely.
curl http://localhost/

# Optionally, check Apache's error logs for any remaining permission-related messages.
sudo tail -f /var/log/apache2/error.log