LinuxQuestions.org
Old 02-22-2009, 08:59 AM   #1
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Rep: Reputation: 22
Apache 2 error - symbolic link not allowed


I hope someone can find--and correct--whatever stupid oversight I'm making...
Code:
 Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics
I have apache 2.2.4 running on slack 12, and I can't get it to follow a symlink.

I've found similar threads which all suggest stuff I'm pretty sure I've checked. I want the URL
http://10.1.1.3/pics/
to serve files from
/files/large/Media/pics/
and I keep getting the error
Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics

Apache owns the link in DocumentRoot, which I'm not certain is necessary:
Code:
lrwxrwxrwx  1 apache apache   23 2009-02-21 21:04 pics -> /files/large/Media/pics/
As I understand it, any file can be read providing the perms are world-readable. Nonetheless, I gave Apache ownership of the target directory, and the index.html inside it:
Code:
drwxr-xr-x  5 apache apache 13744 2009-02-15 21:19 pics/
I've got FollowSymlinks enabled everywhere I can think of.
Code:
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/www/htdocs/pics">
        Options Indexes FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>

<Directory "/files/large/Media/pics">
        Options Indexes FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>
I have a feeling that htdocs/pics or Media/pics is extraneous, but I'm more confused than when I started. The above error is identical whether I try the directory (with or without the trailing slash) or the index.html. Someone please smack me with some wisdom...
 
Old 02-22-2009, 09:15 AM   #2
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Original Poster
Rep: Reputation: 22
links broken across filesystems?

I just created a link in DocumentRoot to another file under DocumentRoot, and it worked. Likewise for a linked directory under DocumentRoot. Clearly it's following links to some extent.

The link target /files/large/Media/pics is on a separate filesystem (as you likely guessed just from the path). I imagine the issue lies in there somehow. This seems to be a new behavior from Slack 11 to Slack 12, as before all I had to do was create the link and go.

I've Googled and searched LQ, and I've found quite a bit of SELinux talk, but unless one of you broke in and installed SELinux for me...

I could probably just put the DocumentRoot on the larger filesystem and be done with it, but that's cheating. Plus I'd rather be smarter for all this banging my head on the desk.
 
Old 02-22-2009, 10:53 AM   #3
s-tanner
LQ Newbie
 
Registered: Nov 2008
Posts: 13

Rep: Reputation: 3
Does the apache user have read/executable permissions to /files, /files/large and /files/large/Media?
 
Old 02-22-2009, 11:39 AM   #4
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Original Poster
Rep: Reputation: 22
Everyone does.
Code:
# lg files /
lrwxrwxrwx   1 root wheel     9 2007-07-26 12:51 files -> /mnt/hda7/

# lg large /mnt/hda7
drwxr-xr-x  8 zedmelon wheel  200 2009-02-21 21:02 large/

# lg large /files/
drwxr-xr-x  8 zedmelon wheel  200 2009-02-21 21:02 large/

# lg Media /files/large
drwxr-xr-x  5 zedmelon wheel 160 2009-02-21 21:02 Media/

# lg pics /files/large/Media
drwxr-xr-x  5 apache apache 13776 2009-02-21 21:35 pics/

# lg index /files/large/Media/pics/
-rw-r--r--  1 apache apache         4 2009-02-21 21:35 index.html
'lg' is a lazy script I wrote. It takes the first arg and greps it from a listing of the second arg or current directory. These are equivalent:
lg large /files
ls -laF /files | grep large

I'd forgotten that the directory "/files" is a link itself and pointed httpd.conf directly to the real path with no improvement:
Code:
[error][client 10.1.1.8] Symbolic link not allowed or link target not accessible: /var/www/htdocs/pics
Thank you very much for looking into this. If anyone else has ideas, I'm all ears.

Last edited by zedmelon; 02-22-2009 at 05:09 PM.
 
Old 02-23-2009, 01:50 AM   #5
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 666

Rep: Reputation: 132
Quote:
Originally Posted by zedmelon
Thank you very much for looking into this. If anyone else has ideas, I'm all ears.
You can run apache under strace. It can reveal the source of the problem.
 
Old 02-23-2009, 11:35 AM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
@zedmelon: Could you just use an Alias directive to point /pics/ to the other filesystem/directory instead?
 
Old 02-24-2009, 04:27 AM   #7
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Original Poster
Rep: Reputation: 22
anomie, I'd already tried that, with similar results. This made me wonder if it were a change in the filesystem. Apparently not quite enough.

Valery Reznic, that's exactly what I needed. Thanks.

Yikes, strace generates a lot of data.
Code:
read(10, "GET /pics HTTP/1.1\r\nHost: 10.1"..., 8000) = 373
gettimeofday({1235468566, 176934}, NULL) = 0
stat64("/files/large/Media/pics", 0xbfa0d94c) = -1 EACCES (Permission denied)
lstat64("/files", {st_mode=S_IFLNK|0777, st_size=9, ...}) = 0
stat64("/files", {st_mode=S_IFDIR|0774, st_size=464, ...}) = 0
lstat64("/files/large", 0xbfa0d94c)     = -1 EACCES (Permission denied)
gettimeofday({1235468566, 177390}, NULL) = 0
write(7, "[Tue Feb 24 02:42:46 2009] [erro"..., 104) = 104
writev(10, [{"HTTP/1.1 403 Forbidden\r\nDate: Tu"..., 220}, {"<!DOCTYPE HTML PUBLIC \"-//IETF//"..., 206}], 2) = 426
I didn't realize the perms on /mnt/hda7 were 774--I don't recall intentionally doing that--but it worked as soon as I added that last executable bit.

God, I hate publicly admitting to stupidity. But I learned how to use strace.

Thanks everyone.

Last edited by zedmelon; 02-24-2009 at 04:33 AM. Reason: typos
 
Old 05-26-2011, 02:50 PM   #8
kdford
LQ Newbie
 
Registered: May 2011
Posts: 2

Rep: Reputation: Disabled
I've tried to follow everything in this post and can't get it working...

I tried everything suggested here... Here is my setup

Running ubuntu 11.04, apache2 from repo

I wanted to have several name-based virtual hosts each of which's documentroot points to a directory in my /home tree, so that I could simply store my development source code workspace (in Eclipse) to a directory in my /home tree.

Given that, I have two apps (outreachapp and sam)...
Code:
/home/ford/Dev/workspaces/eclipse/DOR/outreachapp  (source code in this folder)
/home/ford/Dev/workspaces/eclipse/athletics/sam  (source code in this folder)
I have configured my /etc/hosts according to the desired name I want for hosts
Code:
  127.0.0.1	localhost
  127.0.1.1	ubuntu-laptop

  127.0.0.1	www.outreach.net
  127.0.0.1	www.sam.net
And I created a virtual host for the outreach.net host (I didn't get around to creating the sam.net one yet, as I have not been able to get the outreach.net one working correctly)
Code:
<VirtualHost *:80> 
    ServerAdmin somebody@gmail.com
    ServerName www.outreach.net
    DocumentRoot /var/www/outreach.net/outreachapp

    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    Options +FollowSymLinks

    <Directory /var/www/outreach.net/outreachapp>
        Options +FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

</VirtualHost>
As for the files on my system, they are like this...
Here is my /var/www
Code:
drwxr-xr-x  3 root     root     4096 2011-05-26 13:43 .
drwxr-xr-x 17 root     root     4096 2011-05-25 14:49 ..
-rwxr-xr-x  1 root     root      335 2011-05-26 12:07 dummy.php
-rwxr-xr-x  1 root     root      177 2011-05-25 14:50 index.html
-rwxr-xr-x  1 root     root      101 2011-05-26 12:02 index.php
drwxr-xr-x  2 www-data www-data 4096 2011-05-26 15:26 outreach.net
here is the symlink, that lives in the outreach.net directory
Code:
drwxr-xr-x 2 www-data www-data 4096 2011-05-26 15:26 .
drwxr-xr-x 3 root     root     4096 2011-05-26 13:43 ..
-rwxr-xr-x 1 www-data www-data  101 2011-05-26 15:11 index.php
lrwxrwxrwx 1 www-data www-data   50 2011-05-26 15:26 outreachapp -> /home/ford/Dev/workspaces/eclipse/DOR/outreachapp/
And finally, here is the folder to which the outreachapp symlink is linked (its full path is /home/ford/Dev/workspaces/eclipse/DOR/outreachapp)
Code:
root@ford-ocdc:/var/www/outreach.net/outreachapp# ls -al
total 48
drwxr-xr-x  9 www-data www-data 4096 2011-05-26 15:12 .
drwxr-xr-x  5 www-data www-data 4096 2010-10-15 20:26 ..
drwxr-xr-x  9 www-data www-data 4096 2011-02-25 14:25 application
-rwxr-xr-x  1 www-data www-data  331 2011-05-26 13:48 .buildpath
-rwxr-xr-x  1 www-data www-data  101 2011-05-26 15:12 index.php
drwxr-xr-x  4 www-data www-data 4096 2011-05-11 14:15 library
drwxr-xr-x 10 www-data www-data 4096 2011-02-28 10:30 misc
-rwxr-xr-x  1 www-data www-data  499 2010-04-27 12:11 .project
drwxr-xr-x  6 www-data www-data 4096 2011-03-15 18:47 public
drwxr-xr-x  3 www-data www-data 4096 2011-02-25 14:26 .settings
drwxr-xr-x  6 www-data www-data 4096 2011-04-07 13:18 .svn
drwxr-xr-x  4 www-data www-data 4096 2011-02-28 10:37 var
I already tried adding an additional <directory> block on the virtual host, that would be the directory that CONTAINED the symlink, so I could allow following of symlinks... Like this. It didn't help at all.
Code:
    <Directory /var/www/outreach.net/outreachapp>
        Options +FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

No matter what I do, /var/log/apache2/error.log continues to give this message
[Thu May 26 15:31:58 2011] [error] [client 127.0.0.1] Symbolic link not allowed or link target not accessible: /var/www/outreach.net/outreachapp

I am at wit's end on this one. I believe I could skip the symlink and create the full directory structure I want under /var/www (like... /var/www/outreach.net/outreachapp/blahblah /var/www/sam.net/sam/blahblah), and then create an Eclipse workspace in my /home/... folder that symlinks to the /var/www/outreach.net folder, but I am looking to learn what I am doing wrong, before I give up on this.

You can also see that in the end, I pretty much set everything to 777 perms and even owned by www-data (ubuntu's apache user name), just to eliminate the chance that it was an access issue... It makes me think it must be a symlink issue.

Any suggestions?
 
Old 06-18-2011, 07:16 AM   #9
george.hategan
LQ Newbie
 
Registered: Jun 2011
Posts: 1

Rep: Reputation: Disabled
Hi kdford,

I've had a similar issue and it took me several good hours to figure it out.

The access problem boils down to the fact that you need execute permission for the actual directory where your symbolic link points to.

In your particular case, make sure that you have execute permissions for the outreachapp directory in /home/ford/Dev/workspaces/eclipse/DOR/.

Let me know how it works.

Cheers,
George
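
Added example, not part of any post in this thread: posts #7 and #9 both come down to a directory on the way to the link target lacking the execute (search) bit for the Apache user. The script below walks the resolved target path and lists such directories; it assumes GNU coreutils and that the web server user falls in the "other" permission class, and the function name `blocked_dirs` is made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Walk every directory from a path's resolved target up to / and report the
# ones that lack the "other" execute (search) bit.
# Assumption: the web server user is neither owner nor group member of these
# directories, so only the "other" permission class applies to it.
# Needs GNU coreutils (readlink -f, stat -c).

# blocked_dirs PATH: print each directory missing o+x, deepest first.
blocked_dirs() {
    # Resolve every symlink first (e.g. /files -> /mnt/hda7), because the
    # permissions that matter are those of the real directories.
    target=$(readlink -f -- "$1") || return 2
    [ -d "$target" ] || target=$(dirname -- "$target")
    cur=$target
    while :; do
        mode=$(stat -c %a -- "$cur") || return 2
        # The last octal digit is the "other" class; an odd digit has x set.
        case $mode in
            *[1357]) ;;
            *) printf '%s\n' "$cur" ;;
        esac
        [ "$cur" = / ] && break
        cur=$(dirname -- "$cur")
    done
    return 0
}

# Stand-alone use: pass the path from the Apache error message as argument 1.
if [ $# -gt 0 ]; then
    blocked_dirs "$1"
fi
```

Run it as root so the walk itself is not stopped by the directory it is looking for. `namei -l` from util-linux prints the same chain with owners and modes if you prefer to read it by eye.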
 
Old 10-11-2011, 08:56 AM   #10
top
LQ Newbie
 
Registered: Oct 2011
Location: Kiev
Distribution: CentOS, Debian, Ubuntu, FreeBSD, Solaris
Posts: 3

Rep: Reputation: Disabled
There's a new trend in the webhosting world which is guarding crowds of newbies (and their shared hosting neighbors) from potential Internet threats.

Here we most likely run into a problem of symlinked files not matched to the owner of the symlink. Supposedly this setting is made at many hosts to prevent "symlink attacks".

So, if you are confident you are not vulnerable to such an attack you may try adding the following directive to .htaccess in the same directory where your symlink is located:

Quote:
Options +FollowSymLinks -SymLinksIfOwnerMatch
 
Old 10-11-2011, 01:48 PM   #11
justforyou
LQ Newbie
 
Registered: Oct 2011
Posts: 9

Rep: Reputation: Disabled
Thumbs up

Nice :d

Quote:
Originally Posted by top
there's a new trend in the webhosting world which is guarding crowds of newbies (and their shared hosting neighbors) from potential internet threats.
 
Old 12-21-2011, 03:42 AM   #12
ariedel
LQ Newbie
 
Registered: Dec 2011
Posts: 1

Rep: Reputation: Disabled
It could be SElinux "protecting" your files

If you have followed the advice above, check /var/log/messages for entries like the one below

Dec 21 10:28:38 myhost kernel: [215904.649300] type=1400 audit(1324459718.954:17): avc: denied { open } for pid=6679 comm="/usr/sbin/httpd" name="index.php" dev=dm-0 ino=4591401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


The log message shows that the file index.php (target) has a different protection scheme (use ls -Z to see this on the files) and SElinux therefore prevents the files from being displayed.

A fast fix is to edit the file

/etc/sysconfig/selinux

Set the parameter SELINUX to disabled
SELINUX=disabled

Restart SElinux
setenforce 0

and you should now be able to access your files.

Really, httpd should be granted read right to the files, rather than stopping SElinux, but I did not find the way to do that. Hint: I didn't Google it, you probably should do it to make sure your system stays secure.
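
Added example, not part of the post above: a small filter that reduces httpd AVC denials like the one quoted to the fields that matter, so the mismatch between the process domain and the file label is visible at a glance. The sample line is constructed, modelled on the log entry in the post, and the function name `avc_summary` is made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Summarise SELinux AVC denials for httpd as:
#   <permission> <class> <file name> <source type> <target type>

# Constructed sample, modelled on the log line quoted in the post.
SAMPLE_AVC='Dec 21 10:28:38 myhost kernel: type=1400 audit(1324459718.954:17): avc:  denied  { open } for  pid=6679 comm="/usr/sbin/httpd" name="index.php" dev=dm-0 ino=4591401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_summary: read log lines on stdin, print one summary line per httpd denial.
avc_summary() {
    awk '
    /avc: +denied/ && /comm="[^"]*httpd"/ {
        perm = cls = name = st = tt = "?"
        # The denied permissions sit between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
            # A context is user:role:type:level; the type is the third field.
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
        }
        print perm, cls, name, st, tt
    }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

For the sample this prints `open file index.php httpd_t user_home_t`: the web server domain was refused a file still carrying a home-directory label. With the types identified, relabeling the content (for example with `semanage fcontext` and `restorecon`) is a narrower change than turning SELinux off.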
 
  

