I am setting up an nginx server. I created a user nginx for running the server, and I have some data in the home of another user, victor. I tried to set the ACL to let nginx read that data; here is what I did.

The location of data:

/home/victor/web/folder/folder2/folder3/data

I want to let nginx read those files, so I created a folder

/home/victor/webshare/

And I set the ACL on the victor folder

# file: victor
# owner: victor
# group: victor
user::rwx
user:nginx:--x
group::---
mask::--x
other::---

I don't want other stuff under the victor folder to be seen by nginx, so I set it as execute only. I also set an ACL on webshare

# file: webshare
# owner: victor
# group: victor
user::rwx
user:nginx:r-x
group::---
mask::--x
other::---

For now, I can ls the /home/victor/webshare/

[nginx@ home]#ls victor/webshare
hello  static

And for nginx to access the files in data, I create a static symbolic link.

ln -s /home/victor/web/folder/folder2/folder3/data static

I also set the ACL to let nginx touch the data folder; however, it doesn't work.

[nginx@ home]#ls victor/webshare/static
ls: victor/webshare/static: Permission denied

Why can't the nginx account read from the static symbolic link? How can I expose the data to nginx without also exposing other important data?

+2  A: 

To use a symbolic link to access a file, you need access permission on all the directories that the symbolic value passes through. So, you must ensure that nginx has access on:

/
/home
/home/victor
/home/victor/web
/home/victor/web/folder
/home/victor/web/folder/folder2
/home/victor/web/folder/folder2/folder3
/home/victor/web/folder/folder2/folder3/data

For the folders, search (x) permission is sufficient (as long as the software doesn't need to scan the list of files in the directory - it must know the file names). For the files that it must access, nginx must be able to read the files too, of course.

Jonathan Leffler
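
An added example, not part of the original answer: a Python helper that resolves a path component by component, following symbolic links, and lists every directory that has to be searchable along the way, then prints one search-only `setfacl` line per directory. The `nginx` user comes from the question; the function names and the temporary sample tree are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

def traversed_dirs(path, max_links=40):
    """Every directory searched while resolving `path`, symlinks included."""
    pending = [c for c in os.path.abspath(path).split(os.sep) if c]
    cur, seen, links = os.sep, [os.sep], 0
    while pending:
        name = pending.pop(0)
        if name == "..":                  # can appear inside a link target
            cur = os.path.dirname(cur)
            continue
        if name == ".":
            continue
        nxt = os.path.join(cur, name)
        mode = os.lstat(nxt).st_mode      # lstat: do not follow the link yet
        if stat.S_ISLNK(mode):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(nxt)
            if os.path.isabs(target):
                cur = os.sep              # absolute target restarts from /
            pending = [c for c in target.split(os.sep) if c] + pending
            continue
        cur = nxt
        if stat.S_ISDIR(mode) and cur not in seen:
            seen.append(cur)
    return seen

def acl_commands(path, user="nginx"):
    """setfacl lines granting search-only access on each traversed directory."""
    return ["setfacl -m u:%s:--x %s" % (user, shlex.quote(d))
            for d in traversed_dirs(path)]

def build_demo_tree():
    """Constructed sample layout mirroring the question, under a temp dir."""
    base = os.path.realpath(tempfile.mkdtemp())
    data = os.path.join(base, "home/victor/web/folder/folder2/folder3/data")
    share = os.path.join(base, "home/victor/webshare")
    os.makedirs(data)
    os.makedirs(share)
    link = os.path.join(share, "static")
    os.symlink(data, link)                # same link as in the question
    return base, link

if __name__ == "__main__":
    base, link = build_demo_tree()
    print("\n".join(acl_commands(link)))
```

Treat the output as a checklist to compare against `getfacl` rather than something to run blindly: `/` and `/home` usually already grant search to everyone, and a named-user entry of `--x` replaces whatever nginx previously got through the "other" bits. The final directory needs `r-x` instead if nginx has to list its contents.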