I am transferring some hosting accounts from CentOS 6 with Apache 2.2 to CentOS 7 with Apache 2.4.34. Some of these accounts symlink to files through a directory symlink inside the DocumentRoot to files outside the DocumentRoot.
Like this:
root:root /var/lib/common/html/
user:user /home/user/app/ => /var/lib/common/html/
user:user /home/user/html/file.html => /home/user/app/file.html
It works on Apache 2.2. On Apache 2.4 I get a 403 permission denied response. I can find no evidence that SymLinksIfOwnerMatch is set, only FollowSymLinks, via grepping the config files. The 403 error goes away if I set the /home/user/html/file.html ownership to root:root. (Note that the "middleman" directory symlink ownership does not matter. Apache will follow it either way.)
Are there situations where Apache 2.4 will always require the symlink ownership to match? It seems that direct access, mod_rewrite, and even Alias are enforcing ownership matching and I cannot figure out why.
I figured it out. The control panel I'm using provides a release of Apache with additional patches, and it also includes a harden-symlinks.patch file (source). The patch suggests an ApacheUnhardenSymLinks option is available, but when I tried it apachectl errors with "Option UnhardenedSymLinks not allowed here". I have tried it inside and outside the VirtualHost, inside a Directory, but it doesn't pass the config test anywhere.
After a little research, it looks like that patch is popular with most of the common hosting control panels. If you are using one, you are most likely using SymLinksIfOwnerMatch even if you specify FollowSymLinks in your config.