Posted to users@httpd.apache.org by Andrew Thomas Blake <an...@azulmx.com> on 2004/03/25 23:26:24 UTC
[users@httpd] FollowSymLinks in 2.0
Hello
I had trouble with following symlinks in an upgrade from 1.3 to 2.0
It seems that there's been a change in policy: as far as I can tell Apache now
only follows symlinks within the document tree, whereas before it followed
them anywhere.
Is this correct?
(I didn't see it mentioned in the documentation. If there has been a change, I
think it would be good to mention it in the definition of the FollowSymLinks
option of the Options directive.)
Thanks
Andrew Blake
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] FollowSymLinks in 2.0
Posted by Andrew Thomas Blake <an...@azulmx.com>.
On Thursday 25 March 2004 21:23, Joshua Slive wrote:
> >
> > (I'm assuming that the note about the error document is irrelevant; I'll
> > fix that later...)
>
> Maybe, maybe not. You should see two error messages in the error log.
> You might be getting confused about which error comes from where.
>
> > and in the error log:
> >
> > *********************************
> > [Thu Mar 25 19:00:06 2004] [error] [client 127.0.0.1] Symbolic link not
> > allowed: /home/hosts/iifac/cgi-bin/a.cgi
> > ********************************
>
> Show us what the relevant part of your config looks like.
>
> Also, you are using an ancient version of Apache 2.0. I don't know any
> changes that would affect this particular problem, but it is in general
> hard to debug a two-year-old version of the server.
>
Hi Joshua
I didn't realize it was so old. They made me change to a mac, so I installed
Yellow Dog Linux 3.0.1. I'll see about upgrading anyway, but I doubt this
problem is anything but something obvious I'm doing wrong.
I don't have much confidence in picking out the relevant bit of httpd.conf, so
I think I'll include here what I think is relevant, and then put the whole
thing at the end of this message, just in case. Sorry if that's a bother. I
took out nearly all the comments, so it's not too long...
*****************************
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/hosts>
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/html>
Options Indexes Includes FollowSymLinks
Allow from all
Order allow,deny
</Directory>
<Directory /var/www/icons>
Options Indexes MultiViews
Allow from all
Order allow,deny
</Directory>
<Directory /var/www/cgi-bin>
Options ExecCGI FollowSymLinks
AllowOverride None
Allow from all
Order allow,deny
</Directory>
<Directory /home/andrew/cgi-dev/iifac>
AllowOverride None
Options None
Allow from none
Order allow,deny
</Directory>
NameVirtualHost *
<VirtualHost *>
ServerAdmin andrew@azulmx.com
DocumentRoot /var/www/html
ServerName chloe
</VirtualHost>
<VirtualHost *>
ServerAdmin andrew@azulmx.com
DocumentRoot /home/hosts/iifac
ServerName iifac.loc
ServerAlias www.iifac.loc
<Directory /home/hosts/iifac>
Options FollowSymLinks
Allow from all
Order allow,deny
</Directory>
ScriptAlias /cgi-bin/ /home/hosts/iifac/cgi-bin/
<Directory /home/hosts/iifac/cgi-bin>
Options FollowSymLinks
Allow from all
Order allow,deny
</Directory>
</VirtualHost>
<VirtualHost *>
ServerAdmin andrew@azulmx.com
DocumentRoot /home/hosts/htw
ServerName haztuweb.loc
ServerAlias www.haztuweb.loc
ScriptAlias /cgi-bin/ /home/hosts/htw/cgi-bin/
<Directory /home/hosts/htw/cgi-bin>
Options ExecCGI FollowSymLinks
Allow from all
Order allow,deny
</Directory>
</VirtualHost>
*****************************
(You might see a bit of overkill like specifying FollowSymLinks absolutely
everywhere, and both ScriptAlias and ExecCGI and AddHandler for .cgi
extensions--and .htaccess files that say all the same things again--it's just
desperation!)
You will notice that I made an attempt even to include the directory where I
compile (/home/andrew/cgi-dev/iifac) into the server directory tree. In fact,
this directory is the current location of the test cgi script pointed to by
the soft link a.cgi, but referring to that directory in the conf file hasn't
helped either.
Anyway, as the documentation says, the only directory that should count is the
one that the soft link is in (/home/hosts/iifac/cgi-bin)
As far as the error log goes, here are 4 consecutive lines resulting from 4
requests for the cgi.
[Fri Mar 26 11:16:40 2004] [error] [client 127.0.0.1] Symbolic link not allowed: /home/hosts/iifac/cgi-bin/a.cgi
[Fri Mar 26 11:17:03 2004] [error] [client 127.0.0.1] Symbolic link not allowed: /home/hosts/iifac/cgi-bin/a.cgi
[Fri Mar 26 11:17:18 2004] [error] [client 127.0.0.1] Symbolic link not allowed: /home/hosts/iifac/cgi-bin/a.cgi
[Fri Mar 26 11:17:26 2004] [error] [client 127.0.0.1] Symbolic link not allowed: /home/hosts/iifac/cgi-bin/a.cgi
Do you think that the symbolic link referred to might be to do with the second
part of the error message (the part I was thinking was irrelevant)? You're
right, it does seem that the error log should contain 2 error messages per
request.
Here's the whole conf file...
***************************************
## Andrew makes a very bare httpd.conf, to really see what's going on
ServerTokens OS
ServerRoot "/etc/httpd"
ScoreBoardFile "/var/run/httpd.scoreboard"
PidFile "/var/run/httpd.pid"
TimeOut 300
KeepAlive false
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
MaxClients 150
MaxRequestsPerChild 100
</IfModule>
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
</IfModule>
Listen *:80
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
User apache
Group apache
ServerAdmin andrew@azulmx.com
ServerName chloe
UseCanonicalName on
DocumentRoot "/var/www/html"
<LocationMatch "^/$">
Options -Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>
<IfModule mod_userdir.c>
UserDir "disable"
</IfModule>
DirectoryIndex
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
TypesConfig "/etc/mime.types"
DefaultType text/plain
<IfModule mod_mime_magic.c>
# MIMEMagicFile /usr/share/magic.mime
MIMEMagicFile conf/magic
</IfModule>
HostNameLookups Off
ErrorLog "/var/log/httpd/error_log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log combined
ServerSignature on
Alias /icons/ "/var/www/icons/"
Alias /manual "/var/www/manual"
<IfModule mod_dav_fs.c>
# Location of the WebDAV lock database.
DAVLockDB /var/lib/dav/lockdb
</IfModule>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
IndexOptions FancyIndexing VersionSort NameWidth=*
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .et
AddLanguage fr .fr
AddLanguage de .de
AddLanguage he .he
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddLanguage pl .po
AddLanguage kr .kr
AddLanguage pt .pt
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pt-br .pt-br
AddLanguage ltz .ltz
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage tw .tw
AddLanguage zh-tw .tw
AddLanguage hr .hr
LanguagePriority en es fr de da nl et el it ja kr no pl pt pt-br ltz ca sv tw
ForceLanguagePriority Prefer Fallback
AddDefaultCharset ISO-8859-1
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
# The set below does not map to a specific (iso) standard
# but works on a fairly wide range of browsers. Note that
# capitalization actually matters (it should not, but it
# does for some browsers).
#
# See ftp://ftp.isi.edu/in-notes/iana/assignments/character-sets
# for a list of sorts. But browsers support few.
#
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
AddType application/x-tar .tgz
AddHandler cgi-script .cgi
#
# For files that include their own HTTP headers:
#
#AddHandler send-as-is asis
#
# For server-parsed imagemap files:
#
AddHandler imap-file map
AddHandler type-map var
AddOutputFilter INCLUDES .shtml
#
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#
Alias /error/ "/var/www/error/"
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/hosts>
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/html>
Options Indexes Includes FollowSymLinks
Allow from all
Order allow,deny
</Directory>
<Directory /var/www/icons>
Options Indexes MultiViews
Allow from all
Order allow,deny
</Directory>
<Directory /var/www/cgi-bin>
Options ExecCGI FollowSymLinks
AllowOverride None
Allow from all
Order allow,deny
</Directory>
<Directory /home/andrew/cgi-dev/iifac>
AllowOverride None
Options None
Allow from none
Order allow,deny
</Directory>
NameVirtualHost *
<VirtualHost *>
ServerAdmin andrew@azulmx.com
DocumentRoot /var/www/html
ServerName chloe
</VirtualHost>
<VirtualHost *>
ServerAdmin andrew@azulmx.com
DocumentRoot /home/hosts/iifac
ServerName iifac.loc
ServerAlias www.iifac.loc
<Directory /home/hosts/iifac>
Options FollowSymLinks
Allow from all
Order allow,deny
</Directory>
ScriptAlias /cgi-bin/ /home/hosts/iifac/cgi-bin/
<Directory /home/hosts/iifac/cgi-bin>
Options FollowSymLinks
Allow from all
Order allow,deny
</Directory>
</VirtualHost>
<VirtualHost *>
ServerAdmin andrew@azulmx.com
DocumentRoot /home/hosts/htw
ServerName haztuweb.loc
ServerAlias www.haztuweb.loc
ScriptAlias /cgi-bin/ /home/hosts/htw/cgi-bin/
<Directory /home/hosts/htw/cgi-bin>
Options ExecCGI FollowSymLinks
Allow from all
Order allow,deny
</Directory>
</VirtualHost>
LockFile "/var/lock/httpd.lock"
CoreDumpDirectory "/etc/httpd"
***************************************
(Hope nothing really embarrassing in there...)
Thanks again
Andrew Blake
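Added example, not part of any poster's message and not httpd code: httpd 2.x answers 403 from the same symlink check both when Options does not permit following a link and when the server's own stat of the link target fails, so the log line above cannot by itself say which applies. This script takes the refused path from the log text, finds the symlink in it, and lists the target's ancestor directories that a given uid cannot traverse; the temporary tree and the uid used in the demo are constructed stand-ins.

```python
import os
import re
import stat
import tempfile

# Error-log entry as quoted in the thread; mail wrapping is undone first.
LOG_RE = re.compile(r"Symbolic link not allowed: (\S+)")

def denied_paths(log_text):
    """Paths httpd refused, taken from (possibly line-wrapped) log text."""
    return LOG_RE.findall(" ".join(log_text.split()))

def can_search(st, uid, gids):
    """Would a non-root uid/gids get search (x) permission on directory st?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_symlink(path):
    """First component of an absolute path that is itself a symlink."""
    cur = ""
    for part in path.strip("/").split("/"):
        cur += "/" + part
        if os.path.islink(cur):
            return cur
    return None

def unsearchable_dirs(path, uid, gids):
    """Ancestor directories of the resolved path that uid cannot traverse."""
    cur, blocked = "/", []
    for part in os.path.realpath(path).strip("/").split("/")[:-1]:
        cur = os.path.join(cur, part)
        if not can_search(os.stat(cur), uid, gids):
            blocked.append(cur)
    return blocked

def diagnose(log_text, uid, gids):
    """Map each refused path to (symlink, target, dirs blocking the server)."""
    report = {}
    for path in denied_paths(log_text):
        link = first_symlink(path)
        if link is not None:
            target = os.path.realpath(link)
            report[path] = (link, target, unsearchable_dirs(target, uid, gids))
    return report

if __name__ == "__main__":
    # Constructed tree mirroring the thread: cgi-bin/a.cgi -> 0700 dev dir.
    base = os.path.realpath(tempfile.mkdtemp())
    dev, cgi = os.path.join(base, "cgi-dev"), os.path.join(base, "cgi-bin")
    os.mkdir(dev, 0o700)
    os.mkdir(cgi, 0o755)
    open(os.path.join(dev, "a.cgi"), "w").close()
    os.symlink(os.path.join(dev, "a.cgi"), os.path.join(cgi, "a.cgi"))
    log = "[error] [client 127.0.0.1] Symbolic link not\nallowed: %s/a.cgi" % cgi
    other = os.getuid() + 1  # stand-in for the server's uid (assumption)
    print(diagnose(log, other, set()))
```

On a real host, run it as a user who can read the whole path and pass the uid and group ids of the account named by the User and Group directives (apache in the posted config).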
Re: [users@httpd] FollowSymLinks in 2.0
Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 25 Mar 2004, Andrew Thomas Blake wrote:
> If I do a link to the same directory (cgi-bin) or the parent directory (also
> mentioned in a <Directory> section in httpd.conf) my cgi script works fine.
>
> But if I move the destination to a different directory (relinking of course),
> I then get:
> You don't have permission to access /cgi-bin/a.cgi on this server.
>
> Additionally, a 403 Forbidden error was encountered while trying to use an
> ErrorDocument to handle the request.
> Apache/2.0.40 Server at iifac.loc Port 80
> *******************************
>
> (I'm assuming that the note about the error document is irrelevant; I'll fix
> that later...)
Maybe, maybe not. You should see two error messages in the error log.
You might be getting confused about which error comes from where.
> and in the error log:
>
> *********************************
> [Thu Mar 25 19:00:06 2004] [error] [client 127.0.0.1] Symbolic link not
> allowed: /home/hosts/iifac/cgi-bin/a.cgi
> ********************************
Show us what the relevant part of your config looks like.
Also, you are using an ancient version of Apache 2.0. I don't know any
changes that would affect this particular problem, but it is in general
hard to debug a two-year-old version of the server.
Joshua.
Re: [users@httpd] FollowSymLinks in 2.0
Posted by Andrew Thomas Blake <an...@azulmx.com>.
On Thursday 25 March 2004 18:53, Joshua Slive wrote:
> On Thu, 25 Mar 2004, Andrew Thomas Blake wrote:
> > I had trouble with following symlinks in an upgrade from 1.3 to 2.0
> >
> > It seems that there's been a change in policy: as far as I can tell
> > Apache now only follows symlinks within the document tree, whereas before
> > it followed them anywhere.
>
> No, there has been no change.
>
> What does the error log say?
>
> Joshua.
>
Hi Joshua
If I do a link to the same directory (cgi-bin) or the parent directory (also
mentioned in a <Directory> section in httpd.conf) my cgi script works fine.
But if I move the destination to a different directory (relinking of course),
I then get:
******************************
Forbidden
You don't have permission to access /cgi-bin/a.cgi on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an
ErrorDocument to handle the request.
Apache/2.0.40 Server at iifac.loc Port 80
*******************************
(I'm assuming that the note about the error document is irrelevant; I'll fix
that later...)
and in the error log:
*********************************
[Thu Mar 25 19:00:06 2004] [error] [client 127.0.0.1] Symbolic link not
allowed: /home/hosts/iifac/cgi-bin/a.cgi
********************************
Thanks for looking into this with me
Andrew Blake
Re: [users@httpd] FollowSymLinks in 2.0
Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 25 Mar 2004, Andrew Thomas Blake wrote:
> I had trouble with following symlinks in an upgrade from 1.3 to 2.0
>
> It seems that there's been a change in policy: as far as I can tell Apache now
> only follows symlinks within the document tree, whereas before it followed
> them anywhere.
No, there has been no change.
What does the error log say?
Joshua.