Hey folks,

After a successful install I'm unable to modify my Drupal install via the Settings page. If I click the Save Configuration submit button I recieve the error message:

Forbidden
You don't have permission to access /drupal/ on this server.

The error occurs on the http://www.myserver.com/durpal/?q=admin/settings

I've tried many of the suggestions but non seem to specifically address the issue.

I've deleted the .htaccess and changed various settings to no avail.

I get the following error in my error_log

mod_security: Access denied with code 403. Pattern match "(/dev/shm|/tmp|/var/tmp|/var|wget|/home/virtual|/etc/)" at ARGS_VALUES [hostname "www.myserver.com"] [uri "/drupal/?q=admin/settings"]

BTW mod_rewrite is enabled and functioning on this server,

Can anyone help?

Comments

Nick Wilsdon’s picture

Hi Grimlock,

I'm getting exactly the same problem here (PHP5 if that helps).

I have checked and mod_security is installed here - v. 1.86. This seems to be where the problem is (ergo the error log). I guess this is outside the support area of the drupal guys. Did you get any further on this?

I have to get this working so I'll post here if I get any further.

UPDATE:

Well looking again at the error message I have noticed that my local IP is here as being barred. So basically mod_security is finding a problem with drupal processes. I am going to have a look at the rules now and see why this might be happening. I am a little apprehensive about changing/relaxing mod_security rules to allow Drupal to run though if this is the case.

Nick Wilsdon’s picture

K fixed that - you have a rule in your mod_security conf file. (usually in /etc/httpd/conf/ or /etc/httpd/conf.d to the effect of:

SecFilterSelective THE_REQUEST "\=" chain
SecFilterSelective ARGS_VALUES "(/dev/shm|/tmp|/var/tmp|/var|wget|/home/virtual|/etc/)" deny,log

Comment this out and Drupal works again. I'm looking into this further though as you_should_not have to remove layers of server security to get a package working.

Jim Nicholson’s picture

You may not have the ability to change the mod_security settings in the conf file, especially if your ISP won't cooperate.

The error occurs probably because the value of the "temporary directory" setting is "/tmp". The mod_security rule will disallow ANY form that contains one of the strings specified. (This is probably stupid, as it means that you couldn't even reply to a comment if the comment begins with "/tmp" or some such...)

But the work-around is as follows:

1) make a directory in your "files" directory called "work"
2) set the value to "work" instead of /tmp.

Drupal will then allow you to continue.

= Jim

Nick Wilsdon’s picture

Thanks Jim, yes that does make sense.

I'm back on the case with this (and version 4.6.3/php5) and these issues do seem to have got better.