-   Linux - Networking (
-   -   Can't access non-server-root directories in Apache (

jenna_h 10-26-2003 04:23 PM

Can't access non-server-root directories in Apache
Hey, has anyone else had this problem? I just set up a server to run a web site from my computer, and rather than copy all my pictures to /var/www/http/, I symlinked the directory that has them in it. For example, ln -s /home/jenna/pics /var/www/http/pics/ . I can connect to my computer from other locations, but whenever click a link to the /pics directory, it says I'm not allowed to access it. I know that read permissions are set to allow everyone on that directory and everything in it. What's wrong?

kasperhans 10-26-2003 04:49 PM

you have to move them to your apache root dir or change the apache config file to allow the new dir

jenna_h 10-26-2003 05:01 PM

What should I put in the config file? If all else fails, I'll just move the pictures over there, but it would be nice to just tell it to include the new directories.

akaBeaVis 10-26-2003 07:36 PM

Take a look at the config files they have good info in them on how to set things up (mine are in /etc/httpd/conf), here's an excerpt that seems to say you can do what you're trying to do:

this is from commonhttpd.conf

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
# DO NOT MODIFY THIS ONE, USE httpd.conf and httpd-perl.conf
#DocumentRoot /var/www/html

jenna_h 10-27-2003 10:40 AM

Okay, I checked out my conf files, and later on in commonhttpd.conf, it mentions that really strict permissions are set by default:

# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# First, we configure the "default" to be a very restrictive set of
# permissions.
# Also, for security, we disable indexes globally
#<Directory />
# Options -Indexes FollowSymLinks
# AllowOverride None

#Restricted set of options
<Directory />
Options -All -Multiviews
AllowOverride None
<IfModule mod_access.c>
Order deny,allow
Deny from all

This seems to be saying that it's denying access to all directories except the document root. So I added the following sections, saved, and restarted apache:

<Directory /home/jenna/pics/>
Options -Indexes FollowSymLinks
AllowOverride None

<Directory /var/www/html/>
Options -Indexes FollowSymLinks
AllowOverride None

But when I went back to the website, it still refused requests. Maybe I need to modify it in another document as well, but you would think that having it in just one of the config files would be enough (as the main one includes the others).

akaBeaVis 10-27-2003 03:46 PM

Is the symlink named /home/jenna/pics? I thought it was /var/www/html/pics which would point to /home/jenna/pics, in that case you might try to put those permissions on <Directory pics>

jenna_h 10-27-2003 04:17 PM

Okay, I did what you suggested, now my commonhttpd.conf has this entry:

<Directory /var/www/html/pics>
Options FollowSymLinks -Indexes MultiViews SymLinksIfOwnerMatch
AllowOverride All
<IfModule mod_access.c>
Order allow,deny
Allow from all

Saved, restarted Apache, and nothing happened. In addition, the error_log file has this to say:

[Mon Oct 27 17:11:02 2003] [error] [client 142.167.xx.yyy] Symbolic link not allowed: /var/www/html/pics, referer: http://142.167.xx.yyy/]

akaBeaVis 10-27-2003 07:39 PM

I tried this out myself just now, it works ok for me, I did *not* have to modify my config at all since FollowSymLinks was already set for the docroot, I just created the symlink, and can type urls to the files and have them come up, maybe this is permissions, or perhaps the html you're using, test this by typing a url to your server spec'ing a known file from the symlinked dir, something like this: http://server/pics/known_picname.jpg, see if it comes up.

jenna_h 10-27-2003 08:46 PM

I'm pretty sure it's not a permission conflict, since I set read and execute permissions on both the symlink and its corresponding directory before I started. And I just tried inserting an image from that directory into my web page -- to see if it will show up -- but it comes up blank.

akaBeaVis 10-27-2003 08:58 PM

Well, this is odd, I've actually symlinked my entire document root directory via nfs to a different machine it works without any mods to the config. I wonder what's going on.

Obviously the owner of /home/jenna/pics is not going to be the same user who started the apache server, on this system it's the user "apache", maybe that's the problem, the apache user doesn't have permissions to your /home/jenna/pics dir, maybe you should change it's permissions to a+r and make sure it's contents have those permissions also.

If not, then I would look at the security that's being applied to your apache installation, it may be so tight as to not allow access anywhere outside of document root, (perhaps even chroot'ed?)

jenna_h 10-28-2003 02:11 PM

Yeah, I tried doing chmod a+r on the /pics directory and everything in it, and nothing happened. As for security, it seems like it shouldn't be that tight -- I didn't choose any weird options when I was setting it up. How would being chrooted affect the permissions? I have my doubts, but I'll try anything.

akaBeaVis 10-28-2003 05:34 PM

chroot wouldn't affect permissions as such but would make directories outside the chroot'd root dir appear not to exist to the application running chroot'd, this is not a likely problem though unless you knowingly set up to have apache running chroot'd.

Can you go back through the apache error log and see what's it's saying when you click one of these links. On my system this is /var/log/httpd/error_log

jenna_h 10-28-2003 09:24 PM

Okay, this is what it's not really different from last time.

[Tue Oct 28 22:22:40 2003] [error] [client 142.167.xx.yyy] Symbolic link not allowed: /var/www/html/pics, referer: http://142.167.xx.yyy/

akaBeaVis 10-29-2003 06:22 PM

What is that SymLinksIfOwnerMatch option? I'm thinking maybe it's blocking, because otherwise everything looks to be right.

All times are GMT -5. The time now is 01:42 AM.