Login/Register
403 Forbidden on symlink in web root
Asked Answered
Solved phpapachesymlink
I

2

8

I am on a shared hosting package on a LAMP stack with no shell access.

I can create symlinks using PHP's symlink() function.

Let's say my web root is /home/www/user1/public

Let's say I have a real directory named /home/www/user1/public/real_dir

And I create a symlink named /home/www/user1/public/fake_dir pointing to real_dir

Why would I get a 403 Forbidden when trying to access www.mydomain.com/fake_dir but not when trying to access www.mydomain.com/real_dir?

It shouldn't be a rights problem because when I create a file in PHP, I can access that all right.

I tried switching FollowSymlinks off and on in .htaccess (it was on), but no luck.

Could it be that FollowSymlinks is defined as not overwritable in a .htaccess file? Or is there something else to be aware of when working with Symlinks in Apache?

Ianteen answered 7/2, 2010 at 19:56 Comment(0)
D
4

Apache has to be configured to allow access to the directory on the filesystem. This has to be done by a system administrator by inserting a <Directory> directive in the apache configuration files (httpd.conf).

Since the real directory is inside the web root it must be accessible, but FollowSymLinks may not have been enabled for the directory - this also has to be added to the <Directory> directive.

See http://httpd.apache.org/docs/2.0/mod/core.html#directory

Dovetailed answered 7/2, 2010 at 20:12 Comment(13)
So if it's not configured that way, and FollowSymlinks is off, trying to access a symlink (even though the target is also in the web root) will raise a 403? Is this the reason?Ianteen
Sorry, I just re-read your question and saw that the real directory is in the web root, so it will be accessible, however FollowSymLinks may not be enabled. I've updated my answer to reflect this.Dovetailed
-1 This is still not an answer to OP's question. OP seems perfectly aware of the FollowSymlinks option. But he asks whether setting this from .htaccess can be overruled from httpd.conf.Serafinaserafine
My answer says that FollowSymLinks must be enabled for a directory using the <Directory> directive in the httpd.conf file.Dovetailed
Does anybody know a way to tell whether FollowSymlinks is enabled without access to the apache configuration?Ianteen
@Pekka: Yes, if you are able to rewrite urls in .htaccess (with mod_rewrite rules) this should tell you that FollowSymlinks works.Serafinaserafine
Ahh, interesting. In that case, FollowSymlinks is on, I can rewrite using mod_rewrite. (To preempt the obvious next question, I can't use mod_rewrite in the current context because my ultimate goal is to symlink to a directory outside the web root.)Ianteen
@sea36: Setting the FollowSymLinks directive from within .htaccess is usually perfectly legal. Therefor your answer is still not an answer to OP's his question.Serafinaserafine
I'm just seeing that the symlink's owner is PHP, but the target's is the web server. Maybe that causes the funny behaviour. I'll try to chown from within my PHP script.Ianteen
@Pekka: Whether this is actually even possible or not (I don't know really)... but, are you sure you even want to do this?! This basically defeats the purpose of hiding directories from the root and could be considered a huge security issue IMHO. Heck, you might as well put the directory in the root then anyway, no?Serafinaserafine
@fireeyedboy I am deploying a web app to the web root from a svn checkout. I have three or four separate applications (documentation, tests, tools) that I want to keep out of the way of the central web app, but as I want everything under the same domain, I would like to have them there as symlinks. It's not really necessary - I could just move the apps into the web root as you say - but it would make for a nice, clean structure. It's o.k. security wise because the directories I symlink to are safe for public use.Ianteen
Aargh, due to the safe mode I can't even change the owner of my symlink. I think I am going to put the directories into the web root for now. Thanks for your time everyone.Ianteen
@fireeyedboy FollowSymLinks may have been disabled for the directory in the apache configuration files. If this is the case then the declaration in .htaccess will be ignored unless the apache configuration also sets an appropriate AllowOverride directive.Dovetailed
R
0

This is possible SELinux security issue.

cat /selinux/enforce if the value is 1, set it to 0, then restart apache.

Raid answered 8/3, 2011 at 3:49 Comment(1)
The OP doesn't have shell access, as stated in the first line of his question.Chigoe

© 2022 - 2024 — McMap. All rights reserved.