LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 02-22-2009, 08:59 AM   #1
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Rep: Reputation: 24
Apache 2 error - symbolic link not allowed


I hope someone can find--and correct--whatever stupid oversight I'm making...
Code:
 Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics
I have apache 2.2.4 running on slack 12, and I can't get it to follow a symlink.

I've found similar threads which all suggest stuff I'm pretty sure I've checked. I want the URL
http://10.1.1.3/pics/
to serve files from
/files/large/Media/pics/
and I keep getting the error
Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics

Apache owns the link in DocumentRoot, which I'm not certain is necessary:
Code:
lrwxrwxrwx  1 apache apache   23 2009-02-21 21:04 pics -> /files/large/Media/pics/
As I understand it, any file can be read providing the perms are world-readable. Nonetheless, I gave Apache ownership of the target directory, and the index.html inside it:
Code:
drwxr-xr-x  5 apache apache 13744 2009-02-15 21:19 pics/
I've got FollowSymlinks enabled everywhere I can think of.
Code:
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/www/htdocs/pics">
        Options Indexes FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>

<Directory "/files/large/Media/pics">
        Options Indexes FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>
I have a feeling that htdocs/pics or Media/pics is extraneous, but I'm more confused than when I started. The above error is identical whether I try the directory (with or without the trailing slash) or the index.html. Someone please smack me with some wisdom...
 
Old 02-22-2009, 09:15 AM   #2
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Original Poster
Rep: Reputation: 24
links broken across filesystems?

I just created a link in DocumentRoot to another file under DocumentRoot, and it worked. Likewise for a linked directory under DocumentRoot. Clearly it's following links to some extent.

The link target /files/large/Media/pics is on a separate filesystem (as you likely guessed just from the path). I imagine the issue lies in there somehow. This seems to be a new behavior from Slack 11 to Slack 12, as before all I had to do was create the link and go.

I've Googled and searched LQ, and I've found quite a bit of SELinux talk, but unless one of you broke in and installed SELinux for me...

I could probably just put the DocumentRoot on the larger filesystem and be done with it, but that's cheating. Plus I'd rather be smarter for all this banging my head on the desk.
 
1 members found this post helpful.
Old 02-22-2009, 10:53 AM   #3
s-tanner
LQ Newbie
 
Registered: Nov 2008
Posts: 13

Rep: Reputation: 3
Does the apache user have read/executable permissions to /files, /files/large and /files/large/Media?
 
Old 02-22-2009, 11:39 AM   #4
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Original Poster
Rep: Reputation: 24
Everyone does.
Code:
# lg files /
lrwxrwxrwx   1 root wheel     9 2007-07-26 12:51 files -> /mnt/hda7/

# lg large /mnt/hda7
drwxr-xr-x  8 zedmelon wheel  200 2009-02-21 21:02 large/

# lg large /files/
drwxr-xr-x  8 zedmelon wheel  200 2009-02-21 21:02 large/

# lg Media /files/large
drwxr-xr-x  5 zedmelon wheel 160 2009-02-21 21:02 Media/

# lg pics /files/large/Media
drwxr-xr-x  5 apache apache 13776 2009-02-21 21:35 pics/

# lg index /files/large/Media/pics/
-rw-r--r--  1 apache apache         4 2009-02-21 21:35 index.html
'lg' is a lazy script I wrote. It takes the first arg and greps it from a listing of the second arg or current directory. These are equivalent:
lg large /files
ls -laF /files | grep large

I'd forgotten that the directory "/files" is a link itself and pointed httpd.conf directly to the real path with no improvement:
Code:
[error][client 10.1.1.8] Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics
Thank you very much for looking into this. If anyone else has ideas, I'm all ears.

Last edited by zedmelon; 02-22-2009 at 05:09 PM.
 
Old 02-23-2009, 01:50 AM   #5
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Rep: Reputation: 137
Quote:
Originally Posted by zedmelon View Post
Thank you very much for looking into this. If anyone else has ideas, I'm all ears.
You can run apache under strace. It can reveal the source of the problem.
 
1 members found this post helpful.
Old 02-23-2009, 11:35 AM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
@zedmelon: Could you just use an Alias directive to point /pics/ to the other filesystem/directory instead?
 
Old 02-24-2009, 04:27 AM   #7
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Original Poster
Rep: Reputation: 24
anomie, I'd already tried that, with similar results. This made me wonder if it were a change in the filesystem. Apparently not quite enough.

Valery Reznic, that's exactly what I needed. Thanks.

Yikes, strace generates a lot of data.
Code:
read(10, "GET /pics HTTP/1.1\r\nHost: 10.1"..., 8000) = 373
gettimeofday({1235468566, 176934}, NULL) = 0
stat64("/files/large/Media/pics", 0xbfa0d94c) = -1 EACCES (Permission denied)
lstat64("/files", {st_mode=S_IFLNK|0777, st_size=9, ...}) = 0
stat64("/files", {st_mode=S_IFDIR|0774, st_size=464, ...}) = 0
lstat64("/files/large", 0xbfa0d94c)     = -1 EACCES (Permission denied)
gettimeofday({1235468566, 177390}, NULL) = 0
write(7, "[Tue Feb 24 02:42:46 2009] [erro"..., 104) = 104
writev(10, [{"HTTP/1.1 403 Forbidden\r\nDate: Tu"..., 220}, {"<!DOCTYPE HTML PUBLIC \"-//IETF//"..., 206}], 2) = 426
I didn't realize the perms on /mnt/hda7 were 774--I don't recall intentionally doing that--but it worked as soon as I added that last executable bit.

God, I hate publicly admitting to stupidity. But I learned how to use strace.

Thanks everyone.

Last edited by zedmelon; 02-24-2009 at 04:33 AM. Reason: typos
 
1 members found this post helpful.
Old 05-26-2011, 02:50 PM   #8
kdford
LQ Newbie
 
Registered: May 2011
Posts: 2

Rep: Reputation: Disabled
I've tried to follow everything in this post and can't get it working...

I tried everything suggested here... Here is my setup

Running ubuntu 11.04, apache2 from repo

I wanted to have several name-based virtual hosts each of which's documentroot points to a directory in my /home tree, so that I could simply store my development source code workspace (in Eclipse) to a directory in my /home tree.

Given that, I have two apps (outreachapp and sam)...
Code:
/home/ford/Dev/workspaces/eclipse/DOR/outreachapp  (source code in this folder)
/home/ford/Dev/workspaces/eclipse/athletics/sam  (source code in this folder)
I have configured my /etc/hosts according to the desired name I want for hosts
Code:
  127.0.0.1	localhost
  127.0.1.1	ubuntu-laptop

  127.0.0.1	www.outreach.net
  127.0.0.1	www.sam.net
And I created a virtual host for the outreach.net host (I didn't get around to creating the sam.net one yet, as I have not been able to get the outreach.net one working correctly)
Code:
<VirtualHost *:80> 
    ServerAdmin somebody@gmail.com
    ServerName www.outreach.net
    DocumentRoot /var/www/outreach.net/outreachapp

    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    Options +FollowSymLinks

    <Directory /var/www/outreach.net/outreachapp>
        Options +FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

</VirtualHost>
As for the files on my system, they are like this...
Here is my /var/www
Code:
drwxr-xr-x  3 root     root     4096 2011-05-26 13:43 .
drwxr-xr-x 17 root     root     4096 2011-05-25 14:49 ..
-rwxr-xr-x  1 root     root      335 2011-05-26 12:07 dummy.php
-rwxr-xr-x  1 root     root      177 2011-05-25 14:50 index.html
-rwxr-xr-x  1 root     root      101 2011-05-26 12:02 index.php
drwxr-xr-x  2 www-data www-data 4096 2011-05-26 15:26 outreach.net
here is the symlink, that lives in the outreach.net directory
Code:
drwxr-xr-x 2 www-data www-data 4096 2011-05-26 15:26 .
drwxr-xr-x 3 root     root     4096 2011-05-26 13:43 ..
-rwxr-xr-x 1 www-data www-data  101 2011-05-26 15:11 index.php
lrwxrwxrwx 1 www-data www-data   50 2011-05-26 15:26 outreachapp -> /home/ford/Dev/workspaces/eclipse/DOR/outreachapp/
And finally, here is the folder to which the outreachapp symlink is linked (its full path is /home/ford/Dev/workspaces/eclipse/DOR/outreachapp)
Code:
root@ford-ocdc:/var/www/outreach.net/outreachapp# ls -al
total 48
drwxr-xr-x  9 www-data www-data 4096 2011-05-26 15:12 .
drwxr-xr-x  5 www-data www-data 4096 2010-10-15 20:26 ..
drwxr-xr-x  9 www-data www-data 4096 2011-02-25 14:25 application
-rwxr-xr-x  1 www-data www-data  331 2011-05-26 13:48 .buildpath
-rwxr-xr-x  1 www-data www-data  101 2011-05-26 15:12 index.php
drwxr-xr-x  4 www-data www-data 4096 2011-05-11 14:15 library
drwxr-xr-x 10 www-data www-data 4096 2011-02-28 10:30 misc
-rwxr-xr-x  1 www-data www-data  499 2010-04-27 12:11 .project
drwxr-xr-x  6 www-data www-data 4096 2011-03-15 18:47 public
drwxr-xr-x  3 www-data www-data 4096 2011-02-25 14:26 .settings
drwxr-xr-x  6 www-data www-data 4096 2011-04-07 13:18 .svn
drwxr-xr-x  4 www-data www-data 4096 2011-02-28 10:37 var
I already tried adding an additional <directory> block on the virtual host, that would be the directory that CONTAINED the symlink, so I could allow following of symlinks... Like this. It didn't help at all.
Code:
    <Directory /var/www/outreach.net/outreachapp>
        Options +FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

No matter what I do, /var/log/apache2/error.log continues to give this message
[Thu May 26 15:31:58 2011] [error] [client 127.0.0.1] Symbolic link not allowed or link target not accessible: /var/www/outreach.net/outreachapp

I am at my wits' end on this one. I believe I could skip the symlink and create the full directory structure I want under /var/www (like... /var/www/outreach.net/outreachapp/blahblah /var/www/sam.net/sam/blahblah), and then create an Eclipse workspace in my /home/... folder that symlinks to the /var/www/outreach.net folder, but I am looking to learn what I am doing wrong, before I give up on this.

You can also see that in the end, I pretty much set everything to 777 perms and even owned by www-data (ubuntu's apache user name), just to eliminate the chance that it was an access issue... It makes me think it must be a symlink issue.

Any suggestions?
 
Old 06-18-2011, 07:16 AM   #9
george.hategan
LQ Newbie
 
Registered: Jun 2011
Posts: 1

Rep: Reputation: Disabled
Hi kdford,

I've had a similar issue and it took me several good hours to figure it out.

The access problem boils down to the fact that you need execute permission for the actual directory where your symbolic link points to.

In your particular case, make sure that you have execute permissions for the outreachapp directory in /home/ford/Dev/workspaces/eclipse/DOR/.

Let me know how it works.

Cheers,
George
 
1 members found this post helpful.
Old 10-11-2011, 08:56 AM   #10
top
LQ Newbie
 
Registered: Oct 2011
Location: Kiev
Distribution: CentOS, Debian, Ubuntu, FreeBSD, Solaris
Posts: 3

Rep: Reputation: Disabled
There's a new trend in the webhosting world which is guarding crowds of newbies (and their shared hosting neighbors) from potential Internet threats.

Here we most likely run into a problem of symlinked files not matched to the owner of the symlink. Supposedly this setting is made at many hosts to prevent "symlink attacks".

So, if you are confident you are not vulnerable to such an attack you may try adding the following directive to .htaccess in the same directory where your symlink is located:

Quote:
Options +FollowSymLinks -SymLinksIfOwnerMatch
 
Old 10-11-2011, 01:48 PM   #11
justforyou
LQ Newbie
 
Registered: Oct 2011
Posts: 9

Rep: Reputation: Disabled
Thumbs up

Nice :d

Quote:
Originally Posted by top View Post
there's a new trend in the webhosting world which is guarding crowds of newbies (and their shared hosting neighbors) from potential internet threats.
 
Old 12-21-2011, 03:42 AM   #12
ariedel
LQ Newbie
 
Registered: Dec 2011
Posts: 1

Rep: Reputation: Disabled
It could be SElinux "protecting" your files

If you have followed the advice above, check /var/log/messages for entries like the one below

Dec 21 10:28:38 myhost kernel: [215904.649300] type=1400 audit(1324459718.954:17): avc: denied { open } for pid=6679 comm="/usr/sbin/httpd" name="index.php" dev=dm-0 ino=4591401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


The log message shows that the file index.php (target) has a different protection scheme (use ls -Z to see this on the files) and SElinux therefore prevents the files from being displayed.

A fast fix is to edit the file

/etc/sysconfig/selinux

Set the parameter SELINUX to disabled
SELINUX=disabled

Restart SElinux
setenforce 0

and you should now be able to access your files.

Really, httpd should be granted read rights to the files, rather than stopping SElinux, but I did not find the way to do that. Hint: I didn't Google it, you probably should do it to make sure your system stays secure.
 
Old 02-21-2016, 10:35 AM   #13
daftcat
mlbviewer Maintainer
 
Registered: Apr 2008
Posts: 1,883

Rep: Reputation: 86
+1 for this solution

I know this message is five years old but apparently people (me) are still running into this.

For me, I wanted my web app to be under git but also in a convenient location (since mine would not be the only code in the git repository.)

In my case, it was resolved by checking the execution bits on each directory in the path to the original destination. I found one directory that was rwx------. Changed that directory to rwxr-xr-x and no more 403 errors.

Thanks!


Quote:
Originally Posted by george.hategan View Post
Hi kdford,

I've had a similar issue and it took me several good hours to figure it out.

The access problem boils down to the fact that you need execute permission for the actual directory where your symbolic link points to.

In your particular case, make sure that you have execute permissions for the outreachapp directory in /home/ford/Dev/workspaces/eclipse/DOR/.

Let me know how it works.

Cheers,
George
 
Old 02-25-2019, 08:06 AM   #14
shatner
LQ Newbie
 
Registered: Feb 2019
Posts: 1

Rep: Reputation: Disabled
Smile +1 for me, too

Count me as another who was rescued by this years-old thread. Everything I googled mentioned checking the file/directory permissions, which looked perfect, but my symlink still wouldn't work. This was the only thread that reminded me to double-check the ownership as well—sure enough, my shared host sets the group ownership of new files by default, and my symlink was therefore owned by a different group than the one owning the directory I linked to. Once I resolved that, the Apache symlink error vanished.

I should have considered user/group ownership as part of the "check permissions" step, but my troubleshooting tunnel vision had me focused on the chmod'able part instead of the chgrp/chown part. I hope this clarification is helpful to others as well!
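
An added example, not code from any poster in this thread: a Python walk of the two checks the thread converges on, the search (execute) bit on every directory in the resolved path (what the strace in post #7 exposed) and the link/target owner comparison behind `SymLinksIfOwnerMatch` from post #10. The function names and the uid/gid arguments are assumptions of this example; it models ordinary mode bits only, not ACLs or SELinux.

```python
import os
import stat

def class_bits(st, uid, gids):
    """rwx triplet the kernel applies to a non-root uid: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_path(path, uid, gids=frozenset(), max_links=40):
    """Resolve `path` one component at a time, following symlinks, and list
    what would stop `uid` (e.g. the httpd user) from reaching it:
      ("no-search", dir)       uid lacks the x bit on a directory it must cross
      ("owner-mismatch", link) link and target have different owners, which
                               Options SymLinksIfOwnerMatch refuses to follow
    Run as root so the audit itself can stat every component."""
    findings = []
    def note(item):
        if item not in findings:
            findings.append(item)
    pending = [c for c in os.path.abspath(path).split(os.sep) if c]
    current, links = os.sep, 0
    while pending:
        # Looking up the next name requires search permission on `current`.
        if not class_bits(os.stat(current), uid, gids) & 1:
            note(("no-search", current))
        nxt = os.path.join(current, pending.pop(0))
        st = os.lstat(nxt)
        if not stat.S_ISLNK(st.st_mode):
            current = os.path.normpath(nxt)   # also collapses ".." from link targets
            continue
        links += 1
        if links > max_links:
            raise OSError("too many levels of symbolic links: " + nxt)
        if os.stat(nxt).st_uid != st.st_uid:
            note(("owner-mismatch", nxt))
        target = os.readlink(nxt)
        if os.path.isabs(target):
            current = os.sep                  # absolute target restarts at the root
        pending = [c for c in target.split(os.sep) if c] + pending
    return findings

if __name__ == "__main__":
    import sys
    # Constructed usage: audit.py /var/www/htdocs/pics/index.html <httpd uid> <gid>...
    path, uid, *gids = sys.argv[1:]
    for finding in audit_path(path, int(uid), {int(g) for g in gids}):
        print(*finding)
```

On a layout like the original poster's, the only finding would be the mount point with mode 774, which is the directory strace showed returning EACCES.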
 
  


All times are GMT -5. The time now is 01:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration