1

Apache 'Symbolic link not allowed' error on Fedora 25

asked 2017-06-13 16:29:45 +0000

ferdn4ndo

updated 2017-06-14 23:53:37 +0000

sergiomb

Hello,

I got stuck on 'Symbolic link not allowed or link target not accessible' error and after a whole morning trying to fix it, still nothing. So, here I am.

So, server is running (Fedora Test Page opens with localhost on browser). And this is my ll for /var/www/html:

[root@unknown74e543af57bc html]# ll
total 4
-rw-r--r--. 1 root root 20 jun 13 11:49 test.php
lrwxrwxrwx. 1 root root 19 jun 13 11:40 web -> /home/fernando/html

As well, when I navigate to localhost/test.php the file is executed and I get my Hello World test.

However, when I try to access localhost/web, it leads me to a 403 error page. And this is my ll for /home/fernando/html:

[root@unknown74e543af57bc html]# ll /home/fernando/html  
total 12
-rwxr-xr-x.  1 fernando www-data    2 jun 13 11:13 index.html
drwxr-xr-x. 11 fernando fernando 4096 jun 13 11:34 testsite.com
-rwxr-xr-x.  1 fernando www-data   31 jun 13 11:10 test.php

And, inside /etc/httpd/conf/httpd.conf:

<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
   Options Indexes FollowSymLinks
   AllowOverride All
    Require all granted
</Directory>

And in /var/log/httpd/error_log:

[Tue Jun 13 13:08:50.222612 2017] [core:error] [pid 8860] [client ::1:57328] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/web

Any ideas? Thanks, Fernando


4 answers

2

answered 2017-06-16 14:58:22 +0000

muep

As an alternative to adjusting SELinux so that httpd is allowed to read the home directories, I would often prefer just placing the web content under /var/www so that the SELinux policy permits access out of the box. The content can still be chowned for the user who is managing it, and httpd should be able to read it as long as it has the necessary read permissions.

Keeping the default SELinux setup has a security advantage, because it gives you an extra mechanism for ensuring that buggy web code can not unexpectedly give out e.g. ssh keys or other sensitive data from your home directory.


Comments

Plus, you don’t need to maintain and micromanage SELinux policies. That alone is reason enough to stick with the defaults. However, the user has the option to adjust the policies to fit their needs.

Aeyoun ( 2017-06-16 15:29:14 +0000 )

How could someone read ssh keys with 711 permissions on home? /home/user/.ssh permissions are 700. SELinux gives us extra problems, not extra security.

sergiomb ( 2017-06-16 18:07:08 +0000 )
1

answered 2017-06-16 00:36:00 +0000

Is the destination labelled as a directory readable by Apache? Otherwise SELinux will block Apache from reading outside its default directories.

To identify the label run ls -laZ /your/folder. It should read httpd_sys_content_t to be readable by Apache. If it’s not then you need to change the label, which you can do with the following command: chcon -R -t httpd_sys_content_t /your/folder.

You specifically want to read from inside home directory as well? This is generally considered insecure because of the increased risk of exposing private files. You’ll need to enable the following command/option as well: setsebool -P httpd_enable_homedirs 1.

-1

answered 2017-06-13 20:15:50 +0000

sergiomb

updated 2017-06-14 00:29:55 +0000

ll -d /home/fernando/ must have execution permissions

chmod 711 /home/fernando/

and ?
chmod 755 /home/fernando/html

for /home/fernando/html maybe 755 is better than 711 because here you need read permission I guess.


Comments

ll -d /home/:

drwx--x--x. 18 fernando fernando 4096 jun 13 18:11 /home/fernando/

And still getting 403 for every file inside /localhost/web that exists on /home/fernando/html

ferdn4ndo ( 2017-06-13 21:25:24 +0000 )

Is the symbolic link supposed to point to html or htmltotal?

villykruse ( 2017-06-14 12:41:35 +0000 )
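
The two checks discussed in the answers above (traverse permission on every directory leading to the link target, and the SELinux label on the target), as an added example that is not part of the original thread. It assumes httpd runs as a user that is neither owner nor group member of the directories, so the "other" permission bits apply; the function names and the sample `ls -dZ` line are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the two access-control layers httpd must pass to
# follow a DocumentRoot symlink. Assumes httpd is neither owner nor group
# member of the directories, so the "other" permission bits apply.

# Constructed sample of `ls -dZ` output for a home-directory target.
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 /home/fernando/html'

# Print every directory from the resolved target up to / that lacks the
# "other" execute (traverse) bit. Returns 1 if any was found, 2 on error.
blocked_ancestors() {
    p=$(cd -- "$1" 2>/dev/null && pwd -P) || return 2   # resolves symlinks
    rc=0
    while :; do
        case $(ls -ld -- "$p" | cut -c10) in
            x|t) ;;                          # o+x (or sticky+x): traversable
            *) printf '%s\n' "$p"; rc=1 ;;
        esac
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    return $rc
}

# Extract the type field from one line of `ls -dZ` or `ls -ldZ` output
# (the context has the form user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F: 'NF >= 4 { print $3; exit }'
}

# Report on a link or directory, e.g.: check_httpd_path /var/www/html/web
check_httpd_path() {
    echo "Directories missing o+x:"
    blocked_ancestors "$1" || true
    t=$(selinux_type "$(ls -dZ -- "$1/.")")    # "/." inspects the link target
    echo "SELinux type of target: ${t:-unknown}"
    [ "$t" = httpd_sys_content_t ] || echo "label is not httpd_sys_content_t"
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_enable_homedirs
    fi
}
```

Run `check_httpd_path /var/www/html/web` as root on the server; a 403 with AH00037 can come from either layer, so both need to be clean.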
-1

answered 2017-06-14 20:48:36 +0000

capt

Use the allow localhost in the .conf . Allow 127.0.0.1 as suggested, 127.0.0.1 at line 13 and 34.

Stats

Asked: 2017-06-13 16:29:45 +0000

Seen: 71 times

Last updated: Jun 16