views:

409

answers:

1

I am on a shared hosting package on a LAMP stack with no shell access.

I can create symlinks using PHP's symlink() function.

Let's say my web root is /home/www/user1/public

Let's say I have a real directory named /home/www/user1/public/real_dir

And I create a symlink named /home/www/user1/public/fake_dir pointing to real_dir

Why would I get a 403 Forbidden when trying to access www.mydomain.com/fake_dir but not when trying to access www.mydomain.com/real_dir?

It shouldn't be a rights problem because when I create a file in PHP, I can access that all right.

I tried switching FollowSymlinks off and on in .htaccess (it was on), but no luck.

Could it be that FollowSymlinks is defined as not overwritable in a .htaccess file? Or is there something else to be aware of when working with Symlinks in Apache?

A: 

Apache has to be configured to allow access to the directory on the filesystem. This has to be done by a system administrator by inserting a <Directory> directive in the apache configuration files (httpd.conf).

Since the real directory is inside the web root it must be accessible, but FollowSymLinks may not have been enabled for the directory - this also has to be added to the <Directory> directive.

See http://httpd.apache.org/docs/2.0/mod/core.html#directory

sea36
So if it's not configured that way, and `FollowSymlinks` is off, trying to access a symlink (even though the target is also in the web root) will raise a 403? Is this the reason?
Pekka
Sorry, I just re-read your question and saw that the real directory is in the web root, so it will be accessible, however FollowSymLinks may not be enabled. I've updated my answer to reflect this.
sea36
-1 This is still not an answer to OP's question. OP seems perfectly aware of the `FollowSymlinks` option. But he asks whether setting this from `.htaccess` can be overruled from httpd.conf.
fireeyedboy
My answer says that FollowSymLinks must be enabled for a directory using the <Directory> directive in the httpd.conf file.
sea36
Does anybody know a way to tell whether FollowSymlinks is enabled without access to the apache configuration?
Pekka
@Pekka: Yes, if you are able to rewrite urls in .htaccess (with mod_rewrite rules) this should tell you that `FollowSymlinks` works.
fireeyedboy
Ahh, interesting. In that case, FollowSymlinks is on, I can rewrite using mod_rewrite. (To preempt the obvious next question, I can't use mod_rewrite in the current context because my *ultimate* goal is to symlink to a directory outside the web root.)
Pekka
@sea36: Setting the `FollowSymLinks` directive from within `.htaccess` is usually perfectly legal. Therefor your answer is still not an answer to OP's his question.
fireeyedboy
I'm just seeing that the symlink's owner is PHP, but the target's is the web server. Maybe that causes the funny behaviour. I'll try to chown from within my PHP script.
Pekka
@Pekka: Whether this is actually even possible or not (I don't know really)... but, are you sure you even want to do this?! This basically defeats the purpose of hiding directories from the root and could be considered a huge security issue IMHO. Heck, you might as well put the directory in the root then anyway, no?
fireeyedboy
@fireeyedboy I am deploying a web app to the web root from a svn checkout. I have three or four separate applications (documentation, tests, tools) that I want to keep out of the way of the central web app, but as I want everything under the same domain, I would like to have them there as symlinks. It's not really *necessary* - I could just move the apps into the web root as you say - but it would make for a nice, clean structure. It's o.k. security wise because the directories I symlink to are safe for public use.
Pekka
Aargh, due to the safe mode I can't even change the owner of my symlink. I think I am going to put the directories into the web root for now. Thanks for your time everyone.
Pekka
@fireeyedboy FollowSymLinks may have been disabled for the directory in the apache configuration files. If this is the case then the declaration in .htaccess will be ignored unless the apache configuration also sets an appropriate AllowOverride directive.
sea36