Bug 1212372

Summary: Symbolic link not allowed or link target not accessible
Product: [openSUSE] openSUSE Distribution Reporter: John Goutbeck <john.goutbeck>
Component: ApacheAssignee: E-mail List <apache-bugs>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: david.anes
Version: Leap 15.4   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE Leap 15.4   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description John Goutbeck 2023-06-14 14:34:15 UTC 
New install
opensuse 15.4

LAMP webserver pattern
Apache/2.4.51 (Linux/SUSE)
the access_compat_module (shared) is loaded
using the default apache2 site of /srv/www/htdocs with no change to any .conf file - working

browser displays ‘It Works!’
then change to using a symbolic link

ln -s htdocs htd

host01:/srv/www # l
total 4
drwxr-xr-x 1 root root 32 Jun 12 13:31 ./
drwxr-xr-x 1 root root 6 Jun 8 11:08 …/
drwxr-xr-x 1 root root 0 Mar 15 2022 cgi-bin/
lrwxrwxrwx 1 root root 6 Jun 12 13:31 htd → htdocs/
drwxr-xr-x 1 root root 62 Jun 8 11:08 htdocs/

And change the apache2 default-server.conf

from
DocumentRoot “/srv/www/htdocs”

Configure the DocumentRoot
<Directory “/srv/www/htdocs”>
Options None
AllowOverride None
# Controls who can get stuff from this server.
<IfModule !mod_access_compat.c>
Require all granted


Order allow,deny
Allow from all

to
DocumentRoot “/srv/www/htd”

Configure the DocumentRoot
<Directory “/srv/www/htd”>
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
the browser gets a

Access forbidden!
You don’t have permission to access the requested directory. There is either no index document or the directory is read-protected.

If you think this is a server error, please contact the webmaster.

Error 403

the apache error log states
[core:error] [pid 13442] [client 172.16.150.0:57093] AH00037: Symbolic link not allowed or link target not accessible: /srv/www/htd

no rights have changed - nothing changed exept the symbolc link & the document root directory

What is the issue? What to do to fix?

---
used the -SymLinksIfOwnerMatch option to override this behavior.

host01:/srv/www # l
total 4
drwxr-xr-x 1 root root 32 Jun 12 13:41 ./
drwxr-xr-x 1 root root 6 Jun 8 11:08 …/
drwxr-xr-x 1 root root 0 Mar 15 2022 cgi-bin/
lrwxrwxrwx 1 wwwrun www 6 Jun 12 13:31 htd → htdocs/
drwxr-xr-x 1 root root 62 Jun 8 11:08 htdocs/
host01:/srv/www # l htdocs/
total 12
drwxr-xr-x 1 root root 62 Jun 8 11:08 ./
drwxr-xr-x 1 root root 32 Jun 12 13:41 …/
-rwxr-xr-x 1 wwwrun www 302 Jul 23 2008 favicon.ico*
-rwxr-xr-x 1 wwwrun www 45 Jun 11 2007 index.html*
-rwxr-xr-x 1 wwwrun www 26 Mar 15 01:50 robots.txt*

DocumentRoot “/srv/www/htd”

<Directory “/srv/www/htd”>
Options +Indexes +FollowSymLinks -SymLinksIfOwnerMatch
Order allow,deny
Allow from all

Still the browser has Access forbidden!
and the error log has ‘AH00037: Symbolic link not allowed or link target not accessible: /srv/www/htd’

Any other suggestions?

---
What happens if you remove the symlink and just rename the htdocs directory to htd?

If that works, rename it back, and try creating a new directory called htd and put some files in it - see if that works.

rm htd
mv htdocs htd - browser displays ‘It works!’
mv htd htdocs
mkdir htd - browser displays ‘Index of’ - with no files listed
cp htdocs/* htd/ - browser displays ‘It works!’
rm -r htd
ln -s htdocs htd - browser displays ‘Access forbidden!’

This issue/bug has been in the Apache2 system for a long time.
Various fixes are presented on the web, but still does not work on a new simple  install.
Comment 1 John Goutbeck 2023-06-15 21:25:16 UTC 
With my test sym link directory htd, added this to the default-server.conf
---
# Make sure that symlink /srv/www does not make problems
<Directory /srv/www>
  Options +FollowSymlinks
</Directory>
---
and now the browser displays ‘It Works!’

So why does the directory of one above need to be in the conf?
Comment 2 David Anes 2024-07-01 15:41:18 UTC 
(In reply to John Goutbeck from comment #1)
> With my test sym link directory htd, added this to the default-server.conf
> ---
> # Make sure that symlink /srv/www does not make problems
> <Directory /srv/www>
>   Options +FollowSymlinks
> </Directory>
> ---
> and now the browser displays ‘It Works!’
> 
> So why does the directory of one above need to be in the conf?

Because 'htd' is within '/srv/www' and because default configuration is NOT to follow symlinks, then 'htd' is not accessible.

By setting the parent path '/srv/www' with FollowSymlinks, then 'htd' is reachable. This is clearly stated in the documentation:

https://httpd.apache.org/docs/2.4/mod/core.html#directory

> Enclose a group of directives that apply only 
> to the named file-system directory, sub-directories, and their contents.

I'm closing this one as invalid, but feel free to reopen if you find any other issue.