the actual link permissions aren't used for anything - What about Ownership?

Question

After months of intermittent attempts to discover what was causing these Forbidden errors I've discovered evidence that strongly suggests Apache2 uses the actual link's ownership and group.

I have a VPS running ubuntu 14.04
I have apache2 setup and running.

My default document root is /var/www/html

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
<Directory />
        Options FollowSymLinks
        AllowOverride None
</Directory>

The document root's full hierarchy of permissions are:

drwxr-xr-x 21 root     root     4096 Jun 10  2014 /
drwxr-xr-x 13 root     root     4096 Sep  7  2014 /var
drwxrwxr-x 13 www-data www-data 4096 Nov 15 15:25 /var/www
drwxr-xr-x  2 jesse    jesse    4096 Nov 15 15:25 /var/www/html

I have symlinked /var/www under my home directory.

lrwxrwxrwx 1 jesse jesse 9 Sep  8  2014 /home/jesse/www -> /var/www/

Now because I have several versions of the site I'm working on I like to keep all the sites in /var/www and then symlink to the correct production version in /var/www/html

root@vpn:/home/jesse# ls -l /var/www/html/
total 4
lrwxrwxrwx 1 jesse   jesse     16 Sep 29  2014 storytellingaustralia -> ../joomla_3.3.4/
lrwxrwxrwx 1 jesse   jesse     17 Oct  4  2014 tealeaftroubadours -> ../wordpress_4.0/
lrwxrwxrwx 1 jesse   jesse     17 Oct  5  2014 tealeaftroubadours.com.au -> ../wordpress_4.0/
lrwxrwxrwx 1 wp-user wp-user   8 Nov 15 15:25 test -> ../test/
lrwxrwxrwx 1 jesse   jesse     19 Jun  9 20:36 wa.storyguild.org.au -> ../wordpress_4.2.2/
lrwxrwxrwx 1 jesse   jesse     19 Nov 15 13:32 windwanderer.com.au -> ../wordpress_4.3.1/

Now Here Is The Anomoly

The permissions are currently set as follows and the site is accessible as expected.

root@vpn:/home/jesse/www/html# ls -l test
lrwxrwxrwx 1 wp-user wp-user 8 Nov 15 15:25 test -> ../test/

root@vpn:/home/jesse/www/html# ls -lLd test
drwxr-x--- 2 wp-user www-data 4096 Nov 15 15:24 test

However, If I then change the ownership of the link it's self apache2 serves me a "Forbidden" notice.

root@vpn:/home/jesse/www/html# chown -h www-data test

root@vpn:/home/jesse/www/html# ls -l test
lrwxrwxrwx 1 www-data wp-user 8 Nov 15 15:25 test -> ../test/

root@vpn:/home/jesse/www/html# ls -lLd test
drwxr-x--- 2 wp-user www-data 4096 Nov 15 15:24 test

Forbidden

You don't have permission to access /test/index.html on this server.

If I then change the ownership of the target to be the same

root@vpn:/home/jesse/www/html# chown www-data test

root@vpn:/home/jesse/www/html# ls -l test
lrwxrwxrwx 1 www-data wp-user 8 Nov 15 15:25 test -> ../test/

root@vpn:/home/jesse/www/html# ls -lLd test
drwxr-x--- 2 www-data www-data 4096 Nov 15 15:24 test

The site is accessible once more.

It seems that Apache2 requires links to be owned by the same user as owns the target.

Does anyone know if there is a setting that controls this behaviour or can shed any light on how, why or what this behaviour is for? All I can think of is that it was someone's bright idea for added security but has sure caused me a lot of headaches.

You forgot to look at the error log. – Michael Hampton Nov 15 '15 at 09:35 — Michael Hampton, Nov 15 '15 at 09:35

score 0 · Accepted Answer · answered Nov 15 '15 at 09:52

0

The SymlinksIfOwnerMatch option gives exactly the behaviour you describe only following links if ownership matches.

answered Nov 15 '15 at 09:52

Paul Haldane

4,517
1
21
32

Thank you very much Paul. My apologies for taking so long to come back here and see your fabulous answer. It's much appreciated. :-) – Jesse the Wind Wanderer Jun 19 '18 at 12:58

the actual link permissions aren't used for anything - What about Ownership?

1 Answers1