45

I've got a brand new CentOS 6 installation, which has a symlink in the document root to my development files:

[root@localhost html]# ls -l
total 4
-rwxrwxrwx. 1 root root  0 Sep 18 20:16 index.html
-rwxrwxrwx. 1 root root 17 Sep 18 20:16 index.php
lrwxrwxrwx. 1 root root 24 Sep 18 20:19 refresh-app -> /home/billy/refresh-app/

My httpd.conf has this:

<Directory "/">
    Options All
    AllowOverride None
    Order allow,deny
    Allow from all
</directory>

The target of the symbolic link has permissions which should allow apache to read anything it wants:

 [root@localhost billy]# ls -l
total 40 (Some entries were omitted because the list was too long)
drwxr-xr-x. 7 billy billy 4096 Sep 18 20:03 refresh-app

I've also tried disabling SELinux by changing /etc/selinux/conf:

SELINUX=disabled

Yet no matter what I do, when someone tries to go to that link, http://localhost/refresh-app/, I get a 403 FORBIDDEN error page and this is written in the /var/log/httpd/error_log:

Symbolic link not allowed or link target not accessible

Why can't Apache access the target of the symlink?

Jeff Schaller
  • 67,283
  • 35
  • 116
  • 255
Billy ONeal
  • 1,120
  • 1
  • 8
  • 12
  • What user is apache running as? Can you actually read that resource as that user? – draeath Sep 19 '11 at 16:23
  • 1
    As well, you're better off running selinux in permissive mode and then using sealert to parse the audit log - this lets you see why/how SELinux is denying it and often even gives you a resolution. – draeath Sep 19 '11 at 16:23
  • @draeath: I have no idea how to check for that. – Billy ONeal Sep 19 '11 at 16:43
  • @draeath: 1. This isn't a production box; I don't care if SELinux is off. 2. In any case, I am just troubleshooting at this point -- I'll probably restore it once I figure out the root cause. – Billy ONeal Sep 19 '11 at 16:44
  • Not to worry, this is a common oversight; the first time I did it I was stuck for days, http://serverfault.com/questions/313485/apache-configuration-for-allowing-a-web-site-that-is-a-symlink-to-a-users-directo/313516#313516 :: It's one of those errors. :D – whoami Sep 25 '11 at 13:28
  • My problem was the missing entry in the open_basedir. That was the solution on CentOS 7 and Plesk 12.0.18: http://serverfault.com/questions/628454/owncloud-refusing-to-access-data-directory/720080#720080 –  Sep 04 '15 at 11:42

12 Answers

53

Found the issue. Turns out, Apache wants access to not just the directory I'm serving, /home/billy/refresh-app/, but also every directory above that, namely /home/billy/, /home, and /. (I have no idea why... giving someone access to a subdirectory shouldn't require giving away permissions to everything above that subdirectory....)

I would guess it's looking for .htaccess or something, or perhaps *nix being strange about how it treats permissions for directory traversal.

Billy ONeal
  • 1,120
  • 1
  • 8
  • 12
  • 16
    It's not strange. That's how it works. You have to have +x for the entire path you're trying to access. – bahamat Sep 24 '11 at 20:50
  • 4
    @bahamat: That doesn't make any sense. Why would anyone need execute privileges for files that don't get executed? (This completely discounting that one shouldn't have to give away rights to /... pretty much ever) Systems with ACLs usually have a separate directory traverse option. You'd think after 30 years since Unix was designed, and wide availability of ACL systems, that ACLs would be the standard. :sigh: – Billy ONeal Sep 25 '11 at 01:07
  • 12
    I believe he meant +x on directories. Try switching into the user and cd-ing to the directory w/o +x. From memory +x allows you to access but not see the directory while +r allows you to list files and +w allows you to change files in said directory –  Sep 25 '11 at 20:42
  • 2
    @BillyONeal: the phrase "entire path" implies directories. – bahamat Sep 26 '11 at 19:46
  • Yep, I double-checked and I remembered correctly. If you only have +x on the directories and nothing else, a user can't do (or see) anything to them except browse a known path to a directory where they have permissions. So essentially you'd probably be OK granting o+x (x to others). –  Sep 28 '11 at 02:40
  • 6
    This is correct behavior in unix. You need execute privileges (+x for g or o) on parent directories that you're trying to change into sub-directories underneath them. – slm Dec 28 '12 at 01:14
  • Then, what was the solution? Did you give permissions or update the configuration in httpd.conf? – ronnyfm Sep 28 '16 at 14:56
  • 1
    Can somebody translate this into a chmod command? I'm struggling with terminal. Tnx! – Flion May 20 '18 at 23:09
  • It seems like there should be a way to configure Apache to open a file descriptor for the directory before downgrading to the www-data user. I assume that is how mod_userdir works, since it allows you to view the public_html dir even if the home directory isn't executable. – Thayne Aug 19 '22 at 20:36
19

I had a similar problem where I had the following configuration which used to work with Ubuntu 10, but stopped working with Ubuntu 14 (Apache 2.4):

<Directory /var/www/vhosts/example.com/httpdocs>
    Options +FollowSymLinks
</Directory>

Switching to this sorted the problem (even though the web server user wasn't able to directly access the symlink):

<Directory /var/www/vhosts/example.com/httpdocs>
    Options +ExecCGI +FollowSymlinks -SymLinksIfOwnerMatch
</Directory>

From what I can tell it's just the -SymLinksIfOwnerMatch setting and has something to do with changes in Apache 2.4, but I haven't tried researching the exact cause.

I also thought it could be down to open_basedir restrictions in PHP, but it wasn't that.

icc97
  • 857
6

This error can also be caused if you are linking to an encrypted folder.

4

You may also want to check if selinux is enforced or not. On RedHat/Fedora, execute this:

getenforce

If the response is 'Enforcing', you may want to execute

setenforce 0

and try the url again in your browser.

Note that I am not saying that disabling selinux is the best way to solve this problem, but it may help to identify the cause.

botkop
  • 218
3

It appears "FollowSymLinks" is the option you need in httpd.conf. It is detailed here. Looks like you might need a rule in htdocs too...but it's the option you need.

RobotHumans
  • 1,492
3

The simplest solution for me was to create a .htaccess file in the root of my site with this code:

Options +ExecCGI +FollowSymlinks -SymLinksIfOwnerMatch

gerlag
  • 31
2

Options +FollowSymLinks

Creating a .htaccess file with this did the trick for me (put it in a dir before the symlink).

Codebeat
  • 121
  • In my case, I was making /var/www a symbolic link to another intermediate symbolic link. If you must use symbolic links, make it a symbolic link DIRECTLY to your destination. – Sridhar Sarnobat Jun 27 '19 at 17:34
2

@Billy ONeal @Flion I couldn't answer in line (low rep count).
Here is what I had to do:
(note: alias ll='ls $LS_OPTIONS -lh')

root@Bellach:/var/www/html# ll lego
lrwxrwxrwx 1 root root 43 Sep 10 21:21 lego -> /home/DATA/Documents/Chris/Synced/web/lego/

Now look at every directory in the source link

root@Bellach:/var/www/html# ll -d /home/DATA/Documents/Chris/Synced/web/
drwxr-xr-x 9 chris chris 4.0K Sep 12  2017 /home/DATA/Documents/Chris/Synced/web/
root@Bellach:/var/www/html# ll -d /home/DATA/Documents/Chris/Synced/
drwxr-xr-x 20 chris chris 4.0K Mar 27 18:52 /home/DATA/Documents/Chris/Synced/
root@Bellach:/var/www/html# ll -d /home/DATA/Documents/Chris/
drwxr-xr-x 36 chris chris 4.0K Jun 17 23:31 /home/DATA/Documents/Chris/
root@Bellach:/var/www/html# ll -d /home/DATA/Documents/
drwxr-xr-x 21 chris chris 4.0K Aug  7 18:22 /home/DATA/Documents/
root@Bellach:/var/www/html# ll -d /home/DATA/
drwxrwxr-- 10 root users 4.0K Sep 10 11:17 /home/DATA/
root@Bellach:/var/www/html# ll -d /home/
drwxr-xr-x 5 root root 4.0K Sep 10 10:37 /home/

/home/DATA directory is the culprit.
Fix it with this:

root@Bellach:/var/www/html# chmod +x /home/DATA/
root@Bellach:/var/www/html# ll -d /home/DATA/
drwxrwxr-x 10 root users 4.0K Sep 10 11:17 /home/DATA/

The fix is immediate - no need to restart apache.

Rui F Ribeiro
  • 56,709
  • 26
  • 150
  • 232
ausinch
  • 21
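
The directory-by-directory check from the answer above, automated as an added example that is not part of the original post: the hypothetical helper `first_blocked_dir` resolves the symlink and prints the first directory on the path that lacks the other-execute bit. It assumes the Apache user is neither the owner nor a group member of those directories, so only the "other" permission bits are inspected.

```shell
#!/bin/sh
# Added example: find the first directory on a path that "other" users
# cannot traverse. Assumption: the Apache user is neither owner nor group
# member of these directories, so only the "other" bits matter.

# other_can_traverse DIR: succeeds if the other-execute bit is set.
# Character 10 of the `ls -ld` mode string is x (or t with sticky) then.
other_can_traverse() {
    case "$(ls -ld -- "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# first_blocked_dir PATH: resolve symlinks, then walk from / down to the
# target. Prints the first directory lacking o+x and returns 1; prints
# nothing and returns 0 when every directory can be traversed.
first_blocked_dir() {
    target=$(readlink -f "$1") || return 2
    [ -d "$target" ] || target=$(dirname "$target")
    other_can_traverse / || { echo /; return 1; }
    # Split the absolute path on "/" without glob expansion.
    old_ifs=$IFS; IFS=/; set -f
    set -- $target
    set +f; IFS=$old_ifs
    current=""
    for part in "$@"; do
        [ -n "$part" ] || continue      # skip the empty leading field
        current="$current/$part"
        if ! other_can_traverse "$current"; then
            echo "$current"
            return 1
        fi
    done
    return 0
}

# Usage: first_blocked_dir /var/www/html/lego
# Then `chmod o+x` the directory it prints and run it again.
```

Granting only o+x (without o+r) lets the web server pass through a directory without being able to list its contents, as the comments under the accepted answer point out.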
1

In addition to the answer by @BillyONeal, this same error can occur if the symbolic link has a different owner/group than the target folder.

For example, this folder setup will generate the Symbolic link not allowed or link target not accessible error:

[root@app mobile]# ls -l
total 8
lrwxrwxrwx   1 random    nobody    6      Oct 26 16:27 binary -> bundle
drwxrwxr-x+ 10 app       app       4096   Oct 26 16:26 bundle
drwxrwxr-x+  4 app       app       4096   Oct  5  2019 download
[root@app mobile]#

However, this folder setup works fine:

[root@app mobile]# ls -l
total 8
lrwxrwxrwx   1 app       app       6      Oct 26 16:27 binary -> bundle
drwxrwxr-x+ 10 app       app       4096   Oct 26 16:26 bundle
drwxrwxr-x+  4 app       app       4096   Oct  5  2019 download
[root@app mobile]#

Elliot B.
  • 203
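
An added example (not from the original answer) that lists symlinks under a directory whose owner differs from the owner of the link target, which is the comparison Apache's SymLinksIfOwnerMatch option makes before following a link. The function names are hypothetical and the path in the usage comment is only an example.

```shell
#!/bin/sh
# Added example: report symlinks whose owner differs from the owner of
# the link target, i.e. links SymLinksIfOwnerMatch would refuse to follow.

# owner_uid PATH [-L]: numeric owner taken from `ls -ldn`.
# Without -L the symlink itself is inspected; with -L its target is.
owner_uid() {
    ls -ldn $2 -- "$1" 2>/dev/null | awk '{print $3}'
}

# mismatched_links DIR: print "LINK link_uid target_uid" for each symlink
# under DIR whose owner differs from its target's owner ("missing" is
# printed for a dangling link). Returns 1 if any line was printed.
mismatched_links() {
    report=$(find "$1" -type l | while IFS= read -r link; do
        link_uid=$(owner_uid "$link")
        if [ -e "$link" ]; then          # -e follows the link
            target_uid=$(owner_uid "$link" -L)
        else
            target_uid=missing
        fi
        [ "$link_uid" = "$target_uid" ] || echo "$link $link_uid $target_uid"
    done)
    [ -z "$report" ] && return 0
    echo "$report"
    return 1
}

# Usage: mismatched_links /var/www/html
# Fix a reported link with `chown -h OWNER LINK` (changes the link itself).
```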
0

My solution was to create a shared folder for all repositories named /home/repo.

Then symlink from my own home like: ln -s /home/repo ~/Code so ~/Code/www.xxxx.com/public points to /home/repo/www.xxxx.com/public

and also a link into apache web root /var/www/html points to /home/repo/www.xxxx.com/public

Found it here: https://github.com/alghanmi/ubuntu-desktop_setup/wiki/Git-Local-Repository-Setup-Guide

With some symlink+user groups acrobatics you can have multiple users/versions deployed.

alo Malbarez
  • 1,003
-1

This is what solved my problem after allowing all permissions and allowing FollowSymLinks: "In the case of FollowSymLinks specifically, it MUST be inside a Directory structure when within a .conf file. From the current Apache manual:

The FollowSymLinks and SymLinksIfOwnerMatch Options work only in <Directory> sections or .htaccess files."

answer from here

Romeo Ninov
  • 17,484
yoni333
  • 99
  • 1
-3

You might also adjust your SELinux settings, and setenforce may not be on your path. So try this:

sudo /usr/sbin/setenforce 0

and to make this persist between reboots

sudo vi /etc/sysconfig/selinux