“Symbolic link not allowed or link target not accessible” / Apache on CentOS 6

by

I’ve got a brand new CentOS 6 installation, which has a symlink in the document root to my development files:

[<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="f88a97978cb894979b999490978b8c">[email protected]</a> html]# ls -l
total 4
-rwxrwxrwx. 1 root root  0 Sep 18 20:16 index.html
-rwxrwxrwx. 1 root root 17 Sep 18 20:16 index.php
lrwxrwxrwx. 1 root root 24 Sep 18 20:19 refresh-app -> /home/billy/refresh-app/

My httpd.conf has this:

<Directory "/">
    Options All
    AllowOverride None
    Order allow,deny
    Allow from all
</directory>

The target of the symbolic link has permissions which should allow apache to read anything it wants:

 [<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="e694898992a68a8985878a8e899592">[email protected]</a> billy]# ls -l
total 40 (Some entries were omitted because the list was too long
drwxr-xr-x. 7 billy billy 4096 Sep 18 20:03 refresh-app

I’ve also tried disabling SELinux by changing /etc/selinux/conf:

SELINUX=disabled

Yet no matter what I do, when someone tries to go to that link, http://localhost/refresh-app/, I get a 403 FORBIDDEN error page and this is written in the /var/log/httpd/error_log:

Symbolic link not allowed or link target not accessible

Why can’t Apache access the target of the symlink?

Contents hide
Answers:
Method 1
Method 2
Method 3
Method 4
Method 5
Method 6
Method 7
Method 8
Method 9
Method 10
Method 11
Method 12

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Found the issue. Turns out, Apache wants access to not just the directory I’m serving, /home/billy/refresh-app/, but also every directory above that, namely /home/billy/, /home, and /. (I have no idea why… giving someone access to a subdirectory shouldn’t require giving away permissions to everything above that subdirectory….)

I would guess it’s looking for .htaccess or something, or perhaps *nix being strange about how it treats permissions for directory transversal.

Method 2

I had a similar problem where I had the following configuration which used to work with Ubuntu 10, but stopped working with Ubuntu 14 (Apache 2.4):

<Directory /var/www/vhosts/example.com/httpdocs>
    Options +FollowSymLinks
</Directory>

Switching to this sorted the problem (even though the web server user wasn’t able to directly access the symlink)

<Directory /var/www/vhosts/example.com/httpdocs>
    Options +ExecCGI +FollowSymlinks -SymLinksIfOwnerMatch
</Directory>

From what I can tell its just the -SymLinksIfOwnerMatch setting and has something to do with changes in Apache 2.4 but I haven’t tried researching the exact cause.

I also thought it could be down to openbase_dir restrictions in PHP but it wasn’t that.

Method 3

This error can also be caused if you are linking to an encrypted folder.

Method 4

It appears “FollowSymLinks” is the option you need in httpd.conf. It is detailed here. Looks like you might need a rule in htdocs too…but it’s the option you need.

Method 5

You may also want to check if selinux is enforced or not.
On RedHat/Fedora, execute this:

getenforce

If the response is ‘Enforcing’, you may want to execute

setenforce 0

and try the url again in your browser.

Note that I am not saying that disabling selinux is the best way to solve this problem, but it may help to identify the cause.

Method 6

The simplest solution for me was to create a .htaccess file in the root of my site with this code:

Options +ExecCGI +FollowSymlinks -SymLinksIfOwnerMatch

Method 7

Options +FollowSymLinks

Create a .htaccess file with this did the trick for me (put it in a dir before the symlink).

Method 8

@Billey ONeil @Flion
I couldnt answer in line (low rep count)
Here was I had to do:
(note: alias ll=’ls $LS_OPTIONS -lh’)

<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3d4f5252497d7f5851515c5e55">[email protected]</a>:/var/www/html# ll lego
lrwxrwxrwx 1 root root 43 Sep 10 21:21 lego -> /home/DATA/Documents/Chris/Synced/web/lego/

Now look at every directory in the source link

<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="cebca1a1ba8e8caba2a2afada6">[email protected]</a>:/var/www/html# ll -d /home/DATA/Documents/Chris/Synced/web/
drwxr-xr-x 9 chris chris 4.0K Sep 12  2017 /home/DATA/Documents/Chris/Synced/web/
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="82f0ededf6c2c0e7eeeee3e1ea">[email protected]</a>:/var/www/html# ll -d /home/DATA/Documents/Chris/Synced/
drwxr-xr-x 20 chris chris 4.0K Mar 27 18:52 /home/DATA/Documents/Chris/Synced/
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="5d2f3232291d1f3831313c3e35">[email protected]</a>:/var/www/html# ll -d /home/DATA/Documents/Chris/
drwxr-xr-x 36 chris chris 4.0K Jun 17 23:31 /home/DATA/Documents/Chris/
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="36445959427674535a5a57555e">[email protected]</a>:/var/www/html# ll -d /home/DATA/Documents/
drwxr-xr-x 21 chris chris 4.0K Aug  7 18:22 /home/DATA/Documents/
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="e4968b8b90a4a681888885878c">[email protected]</a>:/var/www/html# ll -d /home/DATA/
drwxrwxr-- 10 root users 4.0K Sep 10 11:17 /home/DATA/
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="c7b5a8a8b38785a2ababa6a4af">[email protected]</a>:/var/www/html# ll -d /home/
drwxr-xr-x 5 root root 4.0K Sep 10 10:37 /home/

/home/DATA directory is the culprit.
Fix it with this:

<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="83f1ececf7c3c1e6efefe2e0eb">[email protected]</a>:/var/www/html# chmod +x /home/DATA/
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3c4e5353487c7e5950505d5f54">[email protected]</a>:/var/www/html# ll -d /home/DATA/
drwxrwxr-x 10 root users 4.0K Sep 10 11:17 /home/DATA/

The fix is immediate – no need to restart apache.

Method 9

that what solve my problem after allow all permission and allow followsymlink

In the case of FollowSymLinks specifically it MUST be inside a Directory structure when within a .conf file. From the Apache current manual

The FollowSymLinks and SymLinksIfOwnerMatch Options work only in
sections or .htaccess files.

answer from here

Method 10

My solution was to create a shared folder for all repositories named /home/repo.

Then symlink from my own home like:
ln -s /home/repo ~/Code
so ~/Code/www.xxxx.com/public
points to
/home/repo/www.xxxx.com/public

and also a link into apache web root
/var/www/html
points to
/home/repo/www.xxxx.com/public

Found it here:
https://github.com/alghanmi/ubuntu-desktop_setup/wiki/Git-Local-Repository-Setup-Guide

With some symlink+user groups acrobacy you can have multiple users/versions deployed.

Method 11

In addition to the answer by @BillyONeal this same error can occur if the the symbolic link has a different owner/group than the target folder.

For example, this folder setup will generate the Symbolic link not allowed or link target not accessible error:

[<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="176578786357766767">[email protected]</a> mobile]# ls -l
total 8
lrwxrwxrwx   1 random    nobody    6      Oct 26 16:27 binary -> bundle
drwxrwxr-x+ 10 app       app       4096   Oct 26 16:26 bundle
drwxrwxr-x+  4 app       app       4096   Oct  5  2019 download
[<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="4e3c21213a0e2f3e3e">[email protected]</a> mobile]#

However, this folder setup works fine:

[<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="f98b96968db9988989">[email protected]</a> mobile]# ls -l
total 8
lrwxrwxrwx   1 app       app       6      Oct 26 16:27 binary -> bundle
drwxrwxr-x+ 10 app       app       4096   Oct 26 16:26 bundle
drwxrwxr-x+  4 app       app       4096   Oct  5  2019 download
[<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="1e6c71716a5e7f6e6e">[email protected]</a> mobile]#

Method 12

You might also adjust your SELinux settings, and setenforce may not be on your path. So try this:

sudo /usr/sbin/setenforce 0

and to make this persist between reboots

sudo vi /etc/sysconfig/selinux


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x