
I have a VPS with CentOS and I'm facing a very strange behavior by Apache webserver.
I started this server with 50GB of disk space and soon I ran out of space, so I asked the maintenance department and they added another 50GB as a new hard drive. So I created a new partition and mounted it in /home/media and I moved all my website media files to this place, and at the end I created a SymLink like this:

lrwxrwxrwx.  1 apache apache    12 May 15 14:07 media -> /home/media/

Today, I ran out of disk space once more and they added a new hard drive with 100GB capacity this time. I just wanted to do the same as I did for /home/media/ but this time it's called /data/media.

lrwxrwxrwx.  1 apache pooya    12 Jun  9 22:43 media -> /data/media/

Now when I navigate to files in media folder in browser, I get Forbidden 403 error.

I checked Apache's error log and it says: Symbolic link not allowed or link target not accessible: /var/www/html/media.

All the solutions for this error on the Internet are to add Options Indexes FollowSymLinks, or are about the webserver facing access problems with the symlinked directory.

I have the FollowSymLinks in both apache config file and my root .htaccess file. All the files and folders and also their parents in /data/media/ are chmodded to 777 and the chown of them is apache:apache.

What is wrong with my webserver?

Farid Rn

1 Answer

You should almost never need to have 777 permissions in your web tree.

You probably need to fix the SELinux permissions since /data/media isn't a standard location to store web files. You can quickly test this by temporarily disabling SELinux

setenforce 0

Run some tests and if the web files are now accessible, SELinux is to blame. Re-enable SELinux

setenforce 1

then fix the problem

semanage fcontext -a -t httpd_sys_content_t "/data/media(/.*)?"

followed by

restorecon -r -v /data/media

Now apache should be able to access the files.


The semanage utility is provided by the policycoreutils-python package so you can install it with

yum install policycoreutils-python
user9517
  • Thanks for your answer. I typed `setenforce 0` but now I'm getting error 500 and the apache log file says: **Premature end of script headers** – Farid Rn Jun 09 '13 at 20:06
  • @faridv: You have other problems too. – user9517 Jun 09 '13 at 20:13
  • Line what? I just created a new partition, mounted it to `/data/` and then copied media folder from `/home` to here. What should I do? It's a production website and now I'm stuck in a bad situation! – Farid Rn Jun 09 '13 at 20:15
  • When I type `ls -Z` in the `/data/` folder I get `drwxrwxrwx. apache apache unconfined_u:object_r:file_t:s0 media`. I have no idea what it means. Can it help me find the problem? – Farid Rn Jun 09 '13 at 20:18
  • @faridv: You have 2 problems. The first, **Symbolic link not allowed or link target not accessible: /var/www/html/media**, appears to be caused by SELinux and I've provided an answer to that question. The second, **Premature end of script headers**, is an entirely different problem and its resolution is much more difficult to diagnose remotely and is more likely an application/programming error. – user9517 Jun 09 '13 at 20:23
  • ok, ok, ok. I gotta admit I've done anything that I could to make it work. I created an alias for the `media` folder to see if the result is different from the symlink and I think error 500 was because of my bad virtual-directory configuration. I removed this alias and there's no more error 500. – Farid Rn Jun 09 '13 at 20:27
  • Now after typing `setenforce 0` it seems to work and, as you said, it should be caused by SELinux, but your solution does not seem to work because the OS cannot understand the `semanage` command!? – Farid Rn Jun 09 '13 at 20:28
  • @faridv: You need to install semanage, it's in the policycoreutils-python package. See my update. – user9517 Jun 09 '13 at 20:34
  • Can you please explain what's the use of this command? and is `chcon -Rv --type=httpd_sys_content_t /data/media` similar to your solution? – Farid Rn Jun 09 '13 at 20:36
  • @faridv: https://docs.fedoraproject.org/en-US/Fedora/12/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html and https://docs.fedoraproject.org/en-US/Fedora/12/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html – user9517 Jun 09 '13 at 20:40
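
The `ls -Z` line quoted in the comments shows the cause: the directory carries the type `file_t`, which httpd is not allowed to read. The following is an added example, not code from the answer or its author: it pulls the SELinux type out of `ls -Z` output and lists entries Apache cannot read. The sample lines are constructed (the first is modeled on the one quoted above), and the list of readable types is an assumed short list, not the full policy.

```shell
#!/bin/sh
# Types httpd may read under the targeted policy.
# Assumption: short illustrative list, not exhaustive.
HTTPD_OK_TYPES="httpd_sys_content_t httpd_sys_rw_content_t public_content_t public_content_rw_t"

# Print the SELinux type from one `ls -Z` line, whichever column holds the
# context (user:role:type:level). The level may itself contain colons.
selinux_type() {
    for field in $1; do
        case $field in
            *:*:*:*) printf '%s\n' "$field" | cut -d: -f3; return 0 ;;
        esac
    done
    return 1
}

# Succeed if the given type is on the httpd-readable list.
httpd_can_read_type() {
    for t in $HTTPD_OK_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Read `ls -Z` lines on stdin; print "name type" for each entry httpd cannot
# read. Assumes file names without spaces (name = last field).
report_mislabeled() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ctype=$(selinux_type "$line") || continue
        httpd_can_read_type "$ctype" && continue
        printf '%s %s\n' "${line##* }" "$ctype"
    done
}

# Constructed sample input in the CentOS `ls -Z` layout.
SAMPLE='drwxrwxrwx. apache apache unconfined_u:object_r:file_t:s0 media
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. apache apache unconfined_u:object_r:default_t:s0 uploads'

printf '%s\n' "$SAMPLE" | report_mislabeled
# On a live host: ls -Zd /data /data/media | report_mislabeled
```

On the `chcon` question: `chcon` sets the label on the files directly, so a later `restorecon` or filesystem relabel resets it to whatever the policy records for that path. `semanage fcontext -a` records the rule in the policy, and `restorecon` then applies it, so the label persists.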