47

I've got a brand new CentOS 6 installation, which has a symlink in the document root to my development files:

[root@localhost html]# ls -l
total 4
-rwxrwxrwx. 1 root root  0 Sep 18 20:16 index.html
-rwxrwxrwx. 1 root root 17 Sep 18 20:16 index.php
lrwxrwxrwx. 1 root root 24 Sep 18 20:19 refresh-app -> /home/billy/refresh-app/

My httpd.conf has this:

<Directory "/">
    Options All
    AllowOverride None
    Order allow,deny
    Allow from all
</directory>

The target of the symbolic link has permissions which should allow apache to read anything it wants:

[root@localhost billy]# ls -l
total 40
(Some entries were omitted because the list was too long)
drwxr-xr-x. 7 billy billy 4096 Sep 18 20:03 refresh-app

I've also tried disabling SELinux by changing /etc/selinux/conf:

SELINUX=disabled 

Yet no matter what I do, when someone tries to go to that link, http://localhost/refresh-app/, I get a 403 FORBIDDEN error page and this is written in the /var/log/httpd/error_log:

Symbolic link not allowed or link target not accessible 

Why can't Apache access the target of the symlink?

6
  • What user is apache running as? Can you actually read that resource as that user? Commented Sep 19, 2011 at 16:23
  • 1
    As well, you're better off running selinux in permissive mode and then using sealert to parse the audit log - this lets you see why/how SELinux is denying it and often even gives you a resolution. Commented Sep 19, 2011 at 16:23
  • @draeath: I have no idea how to check for that. Commented Sep 19, 2011 at 16:43
  • @draeath: 1. This isn't a production box; I don't care if SELinux is off. 2. In any case, I am just troubleshooting at this point -- I'll probably restore it once I figure out the root cause. Commented Sep 19, 2011 at 16:44
  • Not to worry, this is a common oversight. First time I did it I was stuck for days, serverfault.com/questions/313485/… :: It's one of those errors. :D Commented Sep 25, 2011 at 13:28

12 Answers 12

54

Found the issue. Turns out, Apache wants access to not just the directory I'm serving, /home/billy/refresh-app/, but also every directory above that, namely /home/billy/, /home, and /. (I have no idea why... giving someone access to a subdirectory shouldn't require giving away permissions to everything above that subdirectory....)

I would guess it's looking for .htaccess or something, or perhaps *nix being strange about how it treats permissions for directory traversal.

9
  • 18
    It's not strange. That's how it works. You have to have +x for the entire path you're trying to access. Commented Sep 24, 2011 at 20:50
  • 4
    @bahamat: That doesn't make any sense. Why would anyone need execute privileges for files that don't get executed? (This completely discounting that one shouldn't have to give away rights to /... pretty much ever) Systems with ACLs usually have a separate directory traverse option. You'd think after 30 years since Unix was designed, and wide availability of ACL systems, that ACLs would be the standard. :sigh: Commented Sep 25, 2011 at 1:07
  • 12
    I believe he meant +x on directories. Try switching into the user and cd-ing to the directory w/o +x. From memory +x allows you to access but not see the directory while +r allows you to list files and +w allows you to change files in said directory Commented Sep 25, 2011 at 20:42
  • 2
    @BillyONeal: the phrase "entire path" implies directories. Commented Sep 26, 2011 at 19:46
  • 7
    This is correct behavior in unix. You need execute privileges (+x for g or o) on parent directories that you're trying to change into sub-directories underneath them. Commented Dec 28, 2012 at 1:14
19

I had a similar problem where I had the following configuration which used to work with Ubuntu 10, but stopped working with Ubuntu 14 (Apache 2.4):

<Directory /var/www/vhosts/example.com/httpdocs>
    Options +FollowSymLinks
</Directory>

Switching to this sorted the problem (even though the web server user wasn't able to directly access the symlink)

<Directory /var/www/vhosts/example.com/httpdocs>
    Options +ExecCGI +FollowSymlinks -SymLinksIfOwnerMatch
</Directory>

From what I can tell it's just the -SymLinksIfOwnerMatch setting and has something to do with changes in Apache 2.4, but I haven't tried researching the exact cause.

I also thought it could be down to openbase_dir restrictions in PHP but it wasn't that.

6

This error can also be caused if you are linking to an encrypted folder.

4

You may also want to check if selinux is enforced or not. On RedHat/Fedora, execute this:

getenforce 

If the response is 'Enforcing', you may want to execute

setenforce 0 

and try the url again in your browser.

Note that I am not saying that disabling selinux is the best way to solve this problem, but it may help to identify the cause.

1
  • This fixed the symlink problem, but are there any negative effects? Commented Nov 6, 2018 at 7:16
3

It appears "FollowSymLinks" is the option you need in httpd.conf. It is detailed here. Looks like you might need a rule in htdocs too...but it's the option you need.

1
  • 3
    See Options All -- FollowSymLinks is already specified. Commented Sep 19, 2011 at 16:43
3

The simplest solution for me was to create a .htaccess file in the root of my site with this code:

Options +ExecCGI +FollowSymlinks -SymLinksIfOwnerMatch 
1
  • This in addition to sudo chmod 755 for all the parent directories worked for me. Commented Apr 2, 2022 at 4:31
2
Options +FollowSymLinks 

Creating a .htaccess file with this did the trick for me (put it in a dir before the symlink).

1
  • In my case, I was making /var/www a symbolic link to another intermediate symbolic link. If you must use symbolic links, make it a symbolic link DIRECTLY to your destination. Commented Jun 27, 2019 at 17:34
2

@BillyONeal @Flion I couldn't answer inline (low rep count).
Here is what I had to do:
(note: alias ll='ls $LS_OPTIONS -lh')

root@Bellach:/var/www/html# ll lego
lrwxrwxrwx 1 root root 43 Sep 10 21:21 lego -> /home/DATA/Documents/Chris/Synced/web/lego/

Now look at every directory in the source link

root@Bellach:/var/www/html# ll -d /home/DATA/Documents/Chris/Synced/web/
drwxr-xr-x 9 chris chris 4.0K Sep 12 2017 /home/DATA/Documents/Chris/Synced/web/
root@Bellach:/var/www/html# ll -d /home/DATA/Documents/Chris/Synced/
drwxr-xr-x 20 chris chris 4.0K Mar 27 18:52 /home/DATA/Documents/Chris/Synced/
root@Bellach:/var/www/html# ll -d /home/DATA/Documents/Chris/
drwxr-xr-x 36 chris chris 4.0K Jun 17 23:31 /home/DATA/Documents/Chris/
root@Bellach:/var/www/html# ll -d /home/DATA/Documents/
drwxr-xr-x 21 chris chris 4.0K Aug 7 18:22 /home/DATA/Documents/
root@Bellach:/var/www/html# ll -d /home/DATA/
drwxrwxr-- 10 root users 4.0K Sep 10 11:17 /home/DATA/
root@Bellach:/var/www/html# ll -d /home/
drwxr-xr-x 5 root root 4.0K Sep 10 10:37 /home/

/home/DATA directory is the culprit.
Fix it with this:

root@Bellach:/var/www/html# chmod +x /home/DATA/
root@Bellach:/var/www/html# ll -d /home/DATA/
drwxrwxr-x 10 root users 4.0K Sep 10 11:17 /home/DATA/

The fix is immediate - no need to restart apache.

1

In addition to the answer by @BillyONeal, this same error can occur if the symbolic link has a different owner/group than the target folder.

For example, this folder setup will generate the Symbolic link not allowed or link target not accessible error:

[root@app mobile]# ls -l
total 8
lrwxrwxrwx   1 random nobody    6 Oct 26 16:27 binary -> bundle
drwxrwxr-x+ 10 app    app    4096 Oct 26 16:26 bundle
drwxrwxr-x+  4 app    app    4096 Oct 5 2019 download
[root@app mobile]#

However, this folder setup works fine:

[root@app mobile]# ls -l
total 8
lrwxrwxrwx   1 app app    6 Oct 26 16:27 binary -> bundle
drwxrwxr-x+ 10 app app 4096 Oct 26 16:26 bundle
drwxrwxr-x+  4 app app 4096 Oct 5 2019 download
[root@app mobile]#
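
The two checks the answers above carry out by hand, the parent-directory walk for a missing search bit and the link/target owner comparison, as an added example that is not part of any original post. The function names are hypothetical; it assumes `ls` long listings and `readlink -f` as on CentOS/Ubuntu, and that the web server user falls under the "other" permission bits.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts. It reads the same `ls -ld`
# fields the answers inspect by eye. Assumption: the httpd user is neither
# owner nor group member of any directory, so only the "other" bits apply.

# Print the first directory on the way to $1 (a directory or a symlink to one)
# that lacks the other-execute (search) bit. Returns 0 and prints nothing when
# the whole chain is traversable, 1 when blocked, 2 if $1 cannot be resolved.
first_blocked_dir() {
    local target rest dir="" bit
    target=$(readlink -f -- "$1") || return 2   # follow every symlink hop
    rest=${target#/}
    while :; do
        bit=$(ls -ld -- "${dir:-/}" | cut -c10)  # 10th char: x, t, T or -
        case $bit in
            x|t) ;;                              # t = sticky bit with execute
            *) printf '%s\n' "${dir:-/}"; return 1 ;;
        esac
        [ -n "$rest" ] || return 0
        dir="$dir/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    done
}

# SymLinksIfOwnerMatch compares the owning user of the link with the owning
# user of its target. Returns 0 when they match, 1 when they differ.
link_owner_matches() {
    local link_owner target_owner
    link_owner=$(ls -ld -- "$1" | awk '{print $3}')     # the link itself
    target_owner=$(ls -ldL -- "$1" | awk '{print $3}')  # what it points at
    [ "$link_owner" = "$target_owner" ]
}

# Report both findings for one symlink under the DocumentRoot.
audit_symlink() {
    local blocked
    if blocked=$(first_blocked_dir "$1"); then echo "traversal: ok"
    else echo "traversal: no o+x on ${blocked:-<unresolved>}"; fi
    if link_owner_matches "$1"; then echo "owner: link and target match"
    else echo "owner: mismatch, SymLinksIfOwnerMatch would refuse the link"; fi
}

if [ $# -gt 0 ]; then audit_symlink "$1"; fi
```

Run it as root with the symlink as the only argument, for example the `lego` link from the answer above.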
0

My solution was to create a shared folder for all repositories named /home/repo.

Then symlink from my own home like: ln -s /home/repo ~/Code so ~/Code/www.xxxx.com/public points to /home/repo/www.xxxx.com/public

and also a link into apache web root /var/www/html points to /home/repo/www.xxxx.com/public

Found it here: https://github.com/alghanmi/ubuntu-desktop_setup/wiki/Git-Local-Repository-Setup-Guide

With some symlink+user groups acrobatics you can have multiple users/versions deployed.

-1

This is what solved my problem after allowing all permissions and allowing FollowSymLinks: "In the case of FollowSymLinks specifically, it MUST be inside a Directory structure when within a .conf file." From the current Apache manual:

The FollowSymLinks and SymLinksIfOwnerMatch Options work only in <Directory> sections or .htaccess files.

answer from here

-3

You might also adjust your SELinux settings, and setenforce may not be on your path. So try this:

sudo /usr/sbin/setenforce 0 

and to make this persist between reboots

sudo vi /etc/sysconfig/selinux 
