carrett (Apprentice)
Joined: 22 Mar 2003 Posts: 273
Posted: Thu Apr 10, 2003 4:36 am Post subject: apache and dirs/symlinks....
I can add files to /home/httpd/htdocs and they're viewable/accessible, but if I add a dir/symlink and try to open it with a browser, I get a 403. What's wrong? I chmodded 755 ALL of /home.... (which includes any place I'd be symlinking to).
_________________ I'm against picketing, but I don't know how to show it.
Jimbow (Guru)
Joined: 18 Feb 2003 Posts: 597 Location: Silver City, NM
Posted: Thu Apr 10, 2003 9:14 am
Apache is highly configurable with regard to symlinks. One thing you need to make sure of is that you create a <Directory> entry for the directory you are linking to. For example, if I make a symlink from /home/httpd/htdocs/my-stuff to /home/me/my_htdocs/ then I need to have a directory entry in the Apache config allowing access to /home/me/my_htdocs.
There are also settings for things like "FollowSymLinksIfOwnersMatch" (spelling?) which will only follow symlinks if the same person owns the link and the directory linked to. I think that by default Apache will not follow symlinks and you need to give it a directive in the config file if you want it to. This is all explained decently in the Apache docs.
This sounds like a PITA, but it is actually pretty great because it provides good security, especially for multi-user systems.
_________________ After Perl everything else is just assembly language.
Kulfaangaren! (Apprentice)
Joined: 11 Jan 2003 Posts: 176 Location: Borås, Sweden
Posted: Thu Apr 10, 2003 1:21 pm
Jimbow wrote:
Apache is highly configurable with regard to symlinks. One thing you need to make sure is that you create a <Directory> entry for the directory you are linking to. For example, if I make a symlink from /home/httpd/htdocs/my-stuff to /home/me/my_htdocs/ then I need to have a directory entry in the Apache config allowing access to /home/me/my_htdocs.

Well... not really...
If you have the dirs and links as stated above and /home/httpd/htdocs is the document root, you would only need to add +FollowSymlinks to the Options row of the <Location DocumentRoot>...</Location> portion of the config file to have it all working, that is unless you want/need to explicitly state options or access rights for the directory /home/me/my_htdocs.

Jimbow wrote:
There are also settings for things like "FollowSymLinksIfOwnersMatch" (spelling?) which will only follow symlinks if the same person owns the link and the directory linked to. I think that by default Apache will not follow symlinks and you need to give it a directive in the config file if you want it to. This is all explained decently in the Apache docs.
This sounds like a PITA, but it is actually pretty great because it provides good security especially for multi-user systems.

Yes, you are right that Apache will not normally follow links, but I can think of at least one case where the above FollowSymLinksIfOwnersMatch is not usable.
Normally you have one user/group that owns Apache, be it apache/apache or nobody/nobody, it doesn't matter... projects however might be owned by different users/groups, and then the link and the target directory will not match, making the request fail. Also... even if you decide to chown the project directory so that the link creator and the directory owner match, what if the directory is set group-writeable and someone in that group creates a link to some sensitive file? I think that one can say that once you allow symlinks at all, Pandora's box is already open.
I would probably solve it by allowing links with FollowSymlinks and creating a projects directory under the document root where I would move all the global projects (the only ones that should be linked in under the document root anyway) and chown -R apache:apache <directory> them.
Then I would uncomment the configuration for user homepages in the config file ( <Directory /home/*/www>...</Directory> ) and make sure that the options for those directories don't allow symlinks at all. Then they could have their local projects under the user's home directory and global projects would still be relatively safe even though we allow symlinks.
Am I missing something?
// Fredrik
Jimbow (Guru)
Joined: 18 Feb 2003 Posts: 597 Location: Silver City, NM
Posted: Thu Apr 10, 2003 5:21 pm
Kulfaangaren! wrote:
Well... not really...
If you have the dirs and links as stated above and /home/httpd/htdocs is the document root you would only need to add +FollowSymlinks to the Options row of the <Location DocumentRoot>...</Location> portion of the config file to have it all working, that is unless you want/need to explicitly state options or access rights for the directory /home/me/my_htdocs.

This was not my experience when I was running servers for a university. But that was a couple of years ago, so maybe things have changed since then.

Quote:
Yes, you are right that Apache will not normally follow links, but I can think of at least one case where the above FollowSymLinksIfOwnersMatch is not usable.
Normally you have one user/group that owns Apache, be it apache/apache or nobody/nobody, it doesn't matter... projects however might be owned by different users/groups, and then the link and the target directory will not match, making the request fail.

I did this by having the link and the directory linked to both owned by root. I made a group for each user with that user's name as the group name (à la Red Hat). The directory linked to had the group set to the user's group with rwx permission. (The only downside of this was that the user could delete this directory but not recreate it. It happened a couple of times but wasn't a big deal.)
The "owner" of Apache is irrelevant; it is just the owner of the symlink and the directory that matters.
The failure you mention above is exactly the situation that ifOwnersMatch is designed to avoid. This truly is a feature, not a bug.

Quote:
Also... even if you decide to chown the project directory so that the link creator and the directory owner match, what if the directory is set group-writeable and someone in that group creates a link to some sensitive file? I think that one can say that once you allow symlinks at all, Pandora's box is already open.

Again I disagree. On my systems this is protected twice. First, there is the standard directory entry in the Apache config that denies access to / and below by default (which is why Apache config directory entries are needed for directories linked to: they need to override this default). Second, all sensitive files on my systems are owned by root and the directories containing them are owned by root. If a user can create a symlink owned by root then Apache is the least of my worries.
The punchline is that this system worked really well for me. At the beginning of each semester I would get a list of all faculty and all their classes and run a program that created all the directories and symlinks. Everything that a user could modify was under their /home/username/ directory. There were large directories under htdocs that contained many symlinks to user directories. An "ls -l" in those directories showed how the whole system was laid out. There were many other very nifty features (archiving and such) but this is getting too long already.
IMO the Apache symlink and permission designs are pretty close to ideal.
_________________ After Perl everything else is just assembly language.
carrett (Apprentice)
Joined: 22 Mar 2003 Posts: 273
Posted: Fri Apr 11, 2003 11:25 pm Post subject: n00b
I added this to /etc/apache2/conf/commonapache2.conf:
Code:
<Directory /home/carrett/mp3>
AllowOverride All
Options MultiViews -Indexes Includes FollowSymLinks
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
and I did
Code:
/etc/init.d/apache2 restart
and still I get a 403 when I try to access the symlink to /home/carrett/mp3 that I put in /home/httpd/htdocs.
Why?
_________________ I'm against picketing, but I don't know how to show it.
Jimbow (Guru)
Joined: 18 Feb 2003 Posts: 597 Location: Silver City, NM
Posted: Sat Apr 12, 2003 1:02 am
Okay. I dl'ed apache2. In addition to the above, there is one more thing required in your commonapache.conf. Add the line below:
Code:
<IfModule mod_alias.c>
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/"..
#
Alias /icons/ /home/httpd/icons/
Alias /doc /usr/share/doc
# ADD THIS LINE (the comment has to sit on its own line; httpd.conf does not accept one after a directive)
Alias /carret /home/carrett/mp3
You need to have two things to access a new part of your file system. You need the <Directory ...> to give Apache permission to look at that part of your file system, and you need an Alias (there are other directives that do the same thing) to map the file system path to a URL path.
HTH
_________________ After Perl everything else is just assembly language.
carrett (Apprentice)
Joined: 22 Mar 2003 Posts: 273
Posted: Sun Apr 13, 2003 12:56 am Post subject: logic??
Here are the relevant parts of my /etc/apache2/conf/commonapache2.conf:
Code:
<Directory /home/carrett/mp3>
Options -All -Multiviews
</Directory>
....
<IfModule mod_alias.c>
...
Alias /mp3 /home/carrett/mp3
...
</IfModule>
What the hell? I'm still getting a 403!!
_________________ I'm against picketing, but I don't know how to show it.
Jimbow (Guru)
Joined: 18 Feb 2003 Posts: 597 Location: Silver City, NM
Posted: Sun Apr 13, 2003 1:32 am
Okay, you're really close. Since we've denied access to / and below, the directory entry has to allow access again. Try this:
Code:
<Directory /home/carrett/mp3>
Options -All -Multiviews
Order allow,deny
Allow from all
</Directory>
_________________ After Perl everything else is just assembly language.
carrett (Apprentice)
Joined: 22 Mar 2003 Posts: 273
Posted: Sun Apr 13, 2003 6:14 am Post subject: sorry....still problems.
/etc/apache2/conf/commonapache2.conf:
Code:
<Directory /home/carrett/mp3>
Options -All -Multiviews
Order allow,deny
Allow from all
</Directory>
...
<IfModule mod_alias.c>
Alias /icons/ /home/httpd/icons/
Alias /doc /usr/share/doc
Alias /home/carrett/mp3 /mp3
....
</IfModule>
and I have a symlink to /home/carrett/mp3 in /home/httpd/htdocs, yet I still receive a 403... I've also done for good measure. Damn it!!!
Possible problem? This is in commonapache2.conf by default:
Code:
<Directory />
Options -All -Multiviews
AllowOverride None
<IfModule mod_access.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
However, I took it out, and the stuff still doesn't work.... Maybe you want to see all of my commonapache2.conf?
I'm very confused.
_________________ I'm against picketing, but I don't know how to show it.
theDon (n00b)
Joined: 21 Oct 2002 Posts: 6
Posted: Sun Apr 13, 2003 6:22 am
You will need +x on a dir, otherwise you can't cd into it.
carrett (Apprentice)
Joined: 22 Mar 2003 Posts: 273
Posted: Sun Apr 13, 2003 6:27 am Post subject: how?
You mean ? I don't know how to do what you say.
_________________ I'm against picketing, but I don't know how to show it.
Jimbow (Guru)
Joined: 18 Feb 2003 Posts: 597 Location: Silver City, NM
Posted: Sun Apr 13, 2003 6:38 am
I realize that this is obvious, but I want to make sure you are restarting apache2. After that, I can only give more general advice, because the recipe I gave you works for me.
You should always be checking the apache2 error log file. Keep a window open with tail -f $LOG_FILE running. It often gives good hints as to why access was refused.
My /home/httpd/htdocs directory came with a working symlink out of the box:
Code:
manual -> /usr/share/doc/apache-2.0.45/manual/
If this is still on your system, make sure it works and then try to make your non-working symlink as much like it as possible.
I also suggest enabling server-info and server-status. They may offer clues.
I will send you a PM with my email so you can email me your commonapache2.conf; no need to clog up the forum.
Don't worry about the +x, your 755 already took care of that, you don't have to do any more. For future reference the command to use would be
which means grant all (user, group, other) execution permission.
_________________ After Perl everything else is just assembly language.
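As an added check that is not part of the thread (and not Apache's own code), here is a Python script that applies the two filesystem rules Jimbow and theDon describe to a symlink under htdocs: every directory on the way to the target needs o+x (the "can't cd into it" point) and, for SymLinksIfOwnerMatch, the link and its target must be owned by the same user. It assumes the Apache user is neither owner nor group member of any of those paths, and builds a constructed copy of carrett's layout in a temporary directory.

```python
import os
import stat
import tempfile


def find_symlink_problems(link, stop_at="/"):
    """Filesystem-side reasons a symlink under htdocs could still give a 403.

    Assumed (not from the thread): the Apache user owns none of these paths
    and is in none of their groups, so only the 'other' bits count (o+x on
    each directory on the way, o+r on the final file). An owner mismatch is
    reported too, since SymLinksIfOwnerMatch refuses it. Directories above
    stop_at are taken as fine; httpd.conf itself is not checked.
    """
    if not os.path.islink(link):
        return ["not a symlink: %s" % link]
    target = os.path.realpath(link)
    if not os.path.exists(target):
        return ["dangling symlink: %s -> %s" % (link, os.readlink(link))]
    problems = []
    link_uid, target_uid = os.lstat(link).st_uid, os.stat(target).st_uid
    if link_uid != target_uid:
        problems.append("owner mismatch (link uid %d, target uid %d): "
                        "SymLinksIfOwnerMatch refuses this" % (link_uid, target_uid))
    stop, chain, p = os.path.realpath(stop_at), [], target
    while p != stop and os.path.dirname(p) != p:  # target and its parents
        chain.append(p)
        p = os.path.dirname(p)
    for p in reversed(chain):  # outermost directory first
        mode = os.stat(p).st_mode
        if stat.S_ISDIR(mode) and not mode & stat.S_IXOTH:
            problems.append("no o+x on directory %s: Apache cannot enter it" % p)
        elif not stat.S_ISDIR(mode) and not mode & stat.S_IROTH:
            problems.append("no o+r on file %s: Apache cannot read it" % p)
    return problems


def build_demo_tree(project_mode=0o755):
    """Constructed layout like the thread's: htdocs/mp3 -> home/carrett/mp3."""
    base = tempfile.mkdtemp()
    project = os.path.join(base, "home", "carrett", "mp3")
    htdocs = os.path.join(base, "htdocs")
    os.makedirs(project)
    os.mkdir(htdocs)
    for d in (base, os.path.join(base, "home"), os.path.dirname(project), htdocs):
        os.chmod(d, 0o755)  # the 'chmod 755' the original poster did
    os.chmod(project, project_mode)  # 0o700 simulates a locked-down target
    link = os.path.join(htdocs, "mp3")
    os.symlink(project, link)
    return base, project, link
```

Run it against a real htdocs with stop_at set to the document root's parent; an empty list means the remaining cause of a 403 is in the config (FollowSymLinks, the <Directory> allow, or the Alias), not in the permissions.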
carrett (Apprentice)
Joined: 22 Mar 2003 Posts: 273
Posted: Sun Apr 13, 2003 7:23 am Post subject: weird weird weird
I did restart apache every time.
Also, I don't think that manual is anywhere in commonapache2.conf.
The manual symlink is in my htdocs and it has the exact same permissions as my mp3 symlink, so it should be working. This is... weird.
_________________ I'm against picketing, but I don't know how to show it.
theDon (n00b)
Joined: 21 Oct 2002 Posts: 6
Posted: Sun Apr 13, 2003 8:38 am Post subject: Re: how?
carrett wrote:
You mean ? I don't know how to do what you say.

Code:
# a+x = execute for user, group and other ("+ax" is not valid chmod syntax)
chmod -R a+x /home/your_www_root
skiingprep (n00b)
Joined: 24 Apr 2003 Posts: 21
Posted: Sun Apr 27, 2003 8:44 pm Post subject: Re: sorry....still problems.
carrett wrote:
/etc/apache2/conf/commonapache2.conf:
Code:
<Directory /home/carrett/mp3>
Options -All -Multiviews
Order allow,deny
Allow from all
</Directory>
...
<IfModule mod_alias.c>
Alias /icons/ /home/httpd/icons/
Alias /doc /usr/share/doc
Alias /home/carrett/mp3 /mp3
....
</IfModule>
and I have a symlink to /home/carrett/mp3 in /home/httpd/htdocs, yet I still receive a 403... I've also done for good measure. Damn it!!!
Possible problem? This is in commonapache2.conf by default:
Code:
<Directory />
Options -All -Multiviews
AllowOverride None
<IfModule mod_access.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
However, I took it out, and the stuff still doesn't work.... Maybe you want to see all of my commonapache2.conf?
I'm very confused.

Heh, I know what's wrong..
Look at your alias..
Alias /doc /usr/share/doc
Alias /home/carrett/mp3 /mp3
The syntax is "Alias fakename realname"
so it should be:
Code:
Alias /mp3 /home/carrett/mp3
-brian
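Here is an added example (not from the thread and not Apache's own code) that resolves request paths the way the "Alias fakename realname" rule brian points out works, including the trailing-slash behaviour from the config comment quoted earlier in the thread. The config text is constructed to mirror carrett's alias lines, and DOCROOT is taken from the thread as /home/httpd/htdocs.

```python
# Re-implementation of mod_alias's prefix rule for plain Alias lines
# (no AliasMatch, no quoted arguments, no trailing comments). Not Apache code.

DOCROOT = "/home/httpd/htdocs"  # the thread's document root

# Constructed config text mirroring carrett's, with the swapped Alias line ...
BROKEN_CONF = """
<IfModule mod_alias.c>
Alias /icons/ /home/httpd/icons/
Alias /doc /usr/share/doc
Alias /home/carrett/mp3 /mp3
</IfModule>
"""
# ... and the same text with the argument order brian pointed out.
FIXED_CONF = BROKEN_CONF.replace("Alias /home/carrett/mp3 /mp3",
                                 "Alias /mp3 /home/carrett/mp3")


def parse_aliases(conf_text):
    """Return [(fakename, realname)] from Alias lines, in file order."""
    aliases = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "Alias":  # skips comments, <IfModule>
            aliases.append((parts[1], parts[2]))
    return aliases


def alias_matches(url_path, fake):
    """Prefix rule: the match must end on a '/' boundary of the URL unless the
    fakename itself ends with '/'. So '/doc' covers '/doc' and '/doc/x' but
    not '/document', and '/icons/' covers '/icons/x' but not '/icons'."""
    if not url_path.startswith(fake):
        return False
    rest = url_path[len(fake):]
    return fake.endswith("/") or rest == "" or rest.startswith("/")


def map_request(url_path, aliases, docroot=DOCROOT):
    """First matching Alias wins (file order); anything else is DocumentRoot."""
    for fake, real in aliases:
        if alias_matches(url_path, fake):
            return real + url_path[len(fake):]
    return docroot.rstrip("/") + url_path


def resolve(conf_text, url_path):
    """URL path -> filesystem path under the given config text."""
    return map_request(url_path, parse_aliases(conf_text))
```

With the swapped line, a request for /mp3/... matches no alias and falls through to DocumentRoot, i.e. the symlink in htdocs; with the corrected line it maps straight to /home/carrett/mp3.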