[SOLVED] Apache 2 error - symbolic link not allowed
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I hope someone can find--and correct--whatever stupid oversight I'm making...
Code:
Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics
I have apache 2.2.4 running on slack 12, and I can't get it to follow a symlink.
I've found similar threads which all suggest stuff I'm pretty sure I've checked. I want the URL http://10.1.1.3/pics/
to serve files from
/files/large/Media/pics/
and I keep getting the error
Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics
Apache owns the link in DocumentRoot, which I'm not certain is necessary:
As I understand it, any file can be read providing the perms are world-readable. Nonetheless, I gave Apache ownership of the target directory, and the index.html inside it:
I've got FollowSymlinks enabled everywhere I can think of.
Code:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/var/www/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/var/www/htdocs/pics">
Options Indexes FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/files/large/Media/pics">
Options Indexes FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
I have a feeling that htdocs/pics or Media/pics is extraneous, but I'm more confused than when I started. The above error is identical whether I try the directory (with or without the trailing slash) or the index.html. Someone please smack me with some wisdom...
I just created a link in DocumentRoot to another file under DocumentRoot, and it worked. Likewise for a linked directory under DocumentRoot. Clearly it's following links to some extent.
The link target /files/large/Media/pics is on a separate filesystem (as you likely guessed just from the path). I imagine the issue lies in there somehow. This seems to be a new behavior from Slack 11 to Slack 12, as before all I had to do was create the link and go.
I've Googled and searched LQ, and I've found quite a bit of SELinux talk, but unless one of you broke in and installed SELinux for me...
I could probably just put the DocumentRoot on the larger filesystem and be done with it, but that's cheating. Plus I'd rather be smarter for all this banging my head on the desk.
# lg files /
lrwxrwxrwx 1 root wheel 9 2007-07-26 12:51 files -> /mnt/hda7/
# lg large /mnt/hda7
drwxr-xr-x 8 zedmelon wheel 200 2009-02-21 21:02 large/
# lg large /files/
drwxr-xr-x 8 zedmelon wheel 200 2009-02-21 21:02 large/
# lg Media /files/large
drwxr-xr-x 5 zedmelon wheel 160 2009-02-21 21:02 Media/
# lg pics /files/large/Media
drwxr-xr-x 5 apache apache 13776 2009-02-21 21:35 pics/
# lg index /files/large/Media/pics/
-rw-r--r-- 1 apache apache 4 2009-02-21 21:35 index.html
'lg' is a lazy script I wrote. It takes the first arg and greps it from a listing of the second arg or current directory. These are equivalent:
lg large /files
ls -laF /files | grep large
I'd forgotten that the directory "/files" is a link itself and pointed httpd.conf directly to the real path with no improvement:
Code:
[error][client 10.1.1.8] Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics
Thank you very much for looking into this. If anyone else has ideas, I'm all ears.
I've tried to follow everything in this post and can't get it working...
I tried everything suggested here... Here is my setup
Running ubuntu 11.04, apache2 from repo
I wanted to have several name-based virtual hosts each of which's documentroot points to a directory in my /home tree, so that I could simply store my development source code workspace (in Eclipse) to a directory in my /home tree.
Given that, I have two apps (outreachapp and sam)...
Code:
/home/ford/Dev/workspaces/eclipse/DOR/outreachapp (source code in this folder)
/home/ford/Dev/workspaces/eclipse/athletics/sam (source code in this folder)
I have configured my /etc/hosts according to the desired name I want for hosts
And I created a virtual host for the outreach.net host (I didn't get around to creating the sam.net one yet, as I have not been able to get the outreach.net one working correctly)
Code:
<VirtualHost *:80>
ServerAdmin somebody@gmail.com
ServerName www.outreach.net
DocumentRoot /var/www/outreach.net/outreachapp
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
Options +FollowSymLinks
<Directory /var/www/outreach.net/outreachapp>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
As for the files on my system, they are like this...
Here is my /var/www
I already tried adding an additional <directory> block on the virtual host, that would be the directory that CONTAINED the symlink, so I could allow following of symlinks... Like this. It didn't help at all.
Code:
<Directory /var/www/outreach.net/outreachapp>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
No matter what I do, /var/log/apache2/error.log continues to give this message [Thu May 26 15:31:58 2011] [error] [client 127.0.0.1] Symbolic link not allowed or link target not accessible: /var/www/outreach.net/outreachapp
I am at wits end on this one. I believe I could skip the symlink and create the full directory structure I want under /var/www (like... /var/www/outreach.net/outreachapp/blahblah /var/www/sam.net/sam/blahblah), and then create an Eclipse workspace in my /home/... folder that symlinks to the /var/www/outreach.net folder, but I am looking to learn what I am doing wrong, before I give up on this.
You can also see that in the end, I pretty much set everything to 777 perms and even owned by www-data (ubuntu's apache user name), just to eliminate the chance that it was an access issue... It makes me think it must be a symlink issue.
Distribution: CentOS, Debian, Ubuntu, FreeBSD, Solaris
Posts: 3
Rep:
There's a new trend in the webhosting world which is guarding crowds of newbies (and their shared hosting neighbors) from potential Internet threats.
Here we most likely run into a problem of symlinked files not matched to the owner of the symlink. Supposedly this setting is made at many hosts to prevent "symlink attacks".
So, if you are confident you are not vulnerable to such an attack you may try adding the following directive to .htaccess in the same directory where your symlink is located:
If you have followed the advice above, check /var/log/messages for entries like the one below
Dec 21 10:28:38 myhost kernel: [215904.649300] type=1400 audit(1324459718.954:17): avc: denied { open } for pid=6679 comm="/usr/sbin/httpd" name="index.php" dev=dm-0 ino=4591401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_ubject_r:user_home_t:s0 tclass=file
Log message shows that the filr index.php (target) have a different protection scheme (use ls -Z to see this on the files) and SElinux therefore prevents the files from being displayed.
A fast fix is to edit the file
/etc/sysconfig/selinux
Set the parameter SELINUX to disabled
SELINUX=disabled
Restart SElinux
setenforce 0
and you should now be able to access your files.
Really, httpd should be granted read right to the files, rather than stopping SElinux, but I did not find the way to do that. Hint: I didn't Google it, you probably should do it to make sure your system stay secure.
I know this message is five years old but apparently people (me) are still running into this.
For me, I wanted my web app to be under git but also in a convenient location (since mine would not be the only code in the git repository.)
In my case, it was resolved by checking the execution bits on each directory in the path to the original destination. I found one directory that was rwx------. Changed that directory to rwxr-xr-x and no more 403 errors.
Thanks!
Quote:
Originally Posted by george.hategan
Hi kdford,
I've had a similar issue and it took me several good hours to figure it out.
The access problem boils down to the fact that that you need execute permission for the actual directory where your symbolic link points to.
In your particular case, make sure that you have execute permissions for the outreachapp directory in /home/ford/Dev/workspaces/eclipse/DOR/.
Count me as another who was rescued by this years-old thread. Everything I googled mentioned checking the file/directory permissions, which looked perfect, but my symlink still wouldn't work. This was the only thread that reminded me to double-check the ownership as well—sure enough, my shared host sets the group ownership of new files by default, and my symlink was therefore owned by a different group than the one owning the directory I linked to. Once I resolved that, the Apache symlink error vanished.
I should have considered user/group ownership as part of the "check permissions" step, but my troubleshooting tunnel vision had me focused on the chmod'able part instead of the chgrp/chown part. I hope this clarification is helpful to others as well!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.