
I am transferring some hosting accounts from CentOS 6 with Apache 2.2 to CentOS 7 with Apache 2.4.34. Some of these accounts symlink to files through a directory symlink inside the DocumentRoot to files outside the DocumentRoot.

Like this:

root:root /var/lib/common/html/
user:user /home/user/app/           => /var/lib/common/html/
user:user /home/user/html/file.html => /home/user/app/file.html

It works on Apache 2.2. On Apache 2.4 I get a 403 permission denied response. I can find no evidence that SymLinksIfOwnerMatch is set, only FollowSymLinks, via grepping the config files. The 403 error goes away if I set the /home/user/html/file.html ownership to root:root. (Note that the "middleman" directory symlink ownership does not matter. Apache will follow it either way.)

Are there situations where Apache 2.4 will always require the symlink ownership to match? It seems that direct access, mod_rewrite, and even Alias are enforcing ownership matching and I cannot figure out why.

jimp

1 Answer


I figured it out. The control panel I'm using provides a release of Apache with additional patches, and it also includes a harden-symlinks.patch file (source). The patch suggests an Apache UnhardenSymLinks option is available, but when I tried it, apachectl errors with "Option UnhardenedSymLinks not allowed here". I have tried it inside and outside the VirtualHost, inside a Directory, but it doesn't pass the config test anywhere.

After a little research, it looks like that patch is popular with most of the common hosting control panels. If you are using one, you are most likely using SymLinksIfOwnerMatch even if you specify FollowSymLinks in your config.

jimp
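An added example (not part of the original answer, and not code from Apache or any control panel): a shell function for auditing a tree before a migration like this one. It lists every symlink under a directory whose owner differs from the owner of its resolved target, which is the comparison SymLinksIfOwnerMatch makes. GNU find and stat (as on CentOS) are assumed, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: find symlinks that an owner-match check would refuse to follow.
# Assumption: GNU find and stat. audit_symlink_owners is a hypothetical name.

# audit_symlink_owners DIR
# Prints one line per problem link under DIR:
#   MISMATCH <link> link_uid=<n> target_uid=<n>   owner of link != owner of target
#   DANGLING <link> link_uid=<n>                  target cannot be resolved
# Prints nothing when every symlink would pass the ownership comparison.
audit_symlink_owners() {
    # -type l matches the links themselves; find does not descend through them.
    find "$1" -type l -exec sh -c '
        for link in "$@"; do
            # Owner of the symlink itself (stat without -L behaves like lstat).
            link_uid=$(stat -c %u -- "$link")
            # Owner of the fully resolved target (-L follows every hop).
            if ! target_uid=$(stat -L -c %u -- "$link" 2>/dev/null); then
                printf "DANGLING %s link_uid=%s\n" "$link" "$link_uid"
            elif [ "$link_uid" != "$target_uid" ]; then
                printf "MISMATCH %s link_uid=%s target_uid=%s\n" \
                    "$link" "$link_uid" "$target_uid"
            fi
        done' sh {} +
}

# Run directly as: sh audit.sh /home/user/html
if [ "$#" -gt 0 ]; then
    audit_symlink_owners "$1"
fi
```

For the layout in the question, /home/user/html/file.html would be reported as a MISMATCH while the link is user:user and its resolved target is owned by root.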