Opened 12 years ago
Closed 12 years ago
#399 closed defect (invalid)
disable_symlinks return always 403
| Reported by: | Janowski Marcin | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | |
| Keywords: | disable_symlinks | Cc: | |
| uname -a: | Linux web 3.10.4-grsec-sored-domu #22 SMP Thu Aug 22 12:12:33 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | | |
| nginx -V: | nginx version: nginx/1.4.1 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.4.1/debian/modules/ngx_http_substitutions_filter_module | | |
Description
Hello, I am writing about disable_symlinks working incorrectly. Before I enable it, all www pages work fine, but after enabling it (with the options on or if_not_owner, with from= and without) I get a 403 error, and in the logs:
2013/08/22 19:44:37 [error] 2277#0: *1 open() "/home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html" failed (13: Permission denied), client: 77.255.238.208, server: cokolwiek.redcraft.pl, request: "GET /test.html HTTP/1.1", host: "cokolwiek.redcraft.pl"
This is directory structure:
root@web:~# namei -l /home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html
f: /home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html
drwx--x--x root root /
drwx--x--x root root home
drwx--x--- wmp  wmp  wmp
drwxr-xr-x root root www
drwxr-xr-x root root cokolwiek.redcraft.pl
drwxrwxr-x root wmp  htdocs
-rw-rw-r-- wmp  wmp  test.html
root@web:~# getfacl /home/wmp
getfacl: Removing leading '/' from absolute path names
# file: home/wmp
# owner: wmp
# group: wmp
user::rwx
user:www-data:--x
group::--x
mask::--x
other::---
root@web:~#
And this is nginx configure:
root@web:~# cat /etc/nginx/nginx.conf
user www-data;
worker_processes 8;
pid /run/nginx.pid;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    # disable_symlinks on;
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    # error_log /var/log/nginx/debug.log debug;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;
    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
root@web:~# cat /etc/nginx/sites-enabled/test-chujwiejaka.redcraft.pl
server {
    server_name chujwiejaka.redcraft.pl;
    access_log /home/test/www/chujwiejaka.redcraft.pl/logs/access.log;
    error_log /home/test/www/chujwiejaka.redcraft.pl/logs/error.log;
    root /home/test/www/chujwiejaka.redcraft.pl/htdocs;
    index index.php index.html;
    autoindex on;
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/nginx/wmp.php-fpm.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
root@web:~# cat /etc/nginx/sites-enabled/wmp-cokolwiek.redcraft.pl
server {
    server_name cokolwiek.redcraft.pl;
    access_log /home/wmp/www/cokolwiek.redcraft.pl/logs/access.log;
    error_log /home/wmp/www/cokolwiek.redcraft.pl/logs/error.log;
    root /home/wmp/www/cokolwiek.redcraft.pl/htdocs;
    index index.php index.html;
    autoindex on;
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/nginx/wmp.php-fpm.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
root@web:~# cat /etc/nginx/sites-enabled/default
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    root /usr/share/nginx/html;
    index index.html index.htm;
    # Make site accessible from http://localhost/
    server_name localhost;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }
}
root@web:~#
On /home I don't have any symlinks:
root@web:~# find /home -type l
root@web:~#
and /home is mounted with these options:
/dev/xvda4 on /home type ext4 (rw,noexec,nosuid,nodev,acl)
Nginx works the same with acl enabled, and also without the acl entry on /home/wmp, with chmod 711 /home/wmp and /home mounted without the acl option. This is the debug log with disable_symlinks enabled:
2013/08/22 19:32:47 [debug] 2672#0: epoll add event: fd:12 op:1 ev:00000001
2013/08/22 19:32:47 [debug] 2672#0: epoll add event: fd:13 op:1 ev:00000001
2013/08/22 19:32:49 [debug] 2672#0: post event 000000000076CE60
2013/08/22 19:32:49 [debug] 2672#0: delete posted event 000000000076CE60
2013/08/22 19:32:49 [debug] 2672#0: accept on 0.0.0.0:80, ready: 0
2013/08/22 19:32:49 [debug] 2672#0: posix_memalign: 000000000070A4B0:256 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 accept: 77.255.238.208 fd:22
2013/08/22 19:32:49 [debug] 2672#0: *1 event timer add: 22: 60000:1377192829772
2013/08/22 19:32:49 [debug] 2672#0: *1 reusable connection: 1
2013/08/22 19:32:49 [debug] 2672#0: *1 epoll add event: fd:22 op:1 ev:80000001
2013/08/22 19:32:49 [debug] 2672#0: post event 000000000076CE60
2013/08/22 19:32:49 [debug] 2672#0: delete posted event 000000000076CE60
2013/08/22 19:32:49 [debug] 2672#0: accept on 0.0.0.0:80, ready: 0
2013/08/22 19:32:49 [debug] 2672#0: posix_memalign: 000000000073EF50:256 @16
2013/08/22 19:32:49 [debug] 2672#0: *2 accept: 77.255.238.208 fd:23
2013/08/22 19:32:49 [debug] 2672#0: *2 event timer add: 23: 60000:1377192829773
2013/08/22 19:32:49 [debug] 2672#0: *2 reusable connection: 1
2013/08/22 19:32:49 [debug] 2672#0: *2 epoll add event: fd:23 op:1 ev:80000001
2013/08/22 19:32:49 [debug] 2672#0: *1 post event 000000000076CF98
2013/08/22 19:32:49 [debug] 2672#0: *1 delete posted event 000000000076CF98
2013/08/22 19:32:49 [debug] 2672#0: *1 http wait request handler
2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 000000000073F060:256 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 malloc: 0000000000717DC0:1024
2013/08/22 19:32:49 [debug] 2672#0: *1 recv: fd:22 387 of 1024
2013/08/22 19:32:49 [debug] 2672#0: *1 reusable connection: 0
2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 00000000007181D0:4096 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 http process request line
2013/08/22 19:32:49 [debug] 2672#0: *1 http request line: "GET /test.html HTTP/1.1"
2013/08/22 19:32:49 [debug] 2672#0: *1 http uri: "/test.html"
2013/08/22 19:32:49 [debug] 2672#0: *1 http args: ""
2013/08/22 19:32:49 [debug] 2672#0: *1 http exten: "html"
2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 0000000000740E30:4096 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 http process request header line
2013/08/22 19:32:49 [debug] 2672#0: *1 event timer del: 22: 1377192834777
2013/08/22 19:32:49 [debug] 2672#0: *1 http process request line
2013/08/22 19:32:49 [debug] 2672#0: *1 http request line: "GET /favicon.ico HTTP/1.1"
2013/08/22 19:32:49 [debug] 2672#0: *1 http uri: "/favicon.ico"
2013/08/22 19:32:49 [debug] 2672#0: *1 http args: ""
2013/08/22 19:32:49 [debug] 2672#0: *1 http exten: "ico"
2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 0000000000740E30:4096 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 http process request header line
2013/08/22 19:32:59 [debug] 2672#0: *2 post event 000000000076D000
2013/08/22 19:32:59 [debug] 2672#0: *2 delete posted event 000000000076D000
2013/08/22 19:32:59 [debug] 2672#0: *2 http wait request handler
2013/08/22 19:32:59 [debug] 2672#0: *2 posix_memalign: 000000000073F170:256 @16
2013/08/22 19:32:59 [debug] 2672#0: *2 malloc: 0000000000717DC0:1024
2013/08/22 19:32:59 [debug] 2672#0: *2 recv: fd:23 0 of 1024
2013/08/22 19:32:59 [info] 2672#0: *2 client closed connection while waiting for request, client: 77.255.238.208, server: 0.0.0.0:80
2013/08/22 19:32:59 [debug] 2672#0: *2 close http connection: 23
2013/08/22 19:32:59 [debug] 2672#0: *2 event timer del: 23: 1377192829773
2013/08/22 19:32:59 [debug] 2672#0: *2 reusable connection: 0
2013/08/22 19:32:59 [debug] 2672#0: *2 free: 0000000000717DC0
2013/08/22 19:32:59 [debug] 2672#0: *2 free: 000000000073EF50, unused: 0
2013/08/22 19:32:59 [debug] 2672#0: *2 free: 000000000073F170, unused: 128
The server runs Ubuntu Server 12.04.
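To show what disable_symlinks asks of the filesystem, here is an added C model of its per-component check, written for this page rather than taken from nginx; it assumes Linux with O_PATH, and the search_open parameter is the example's own switch between opening each directory for search only and opening it for reading, which is exactly the permission difference that a search-only directory such as /home/wmp above (drwx--x---, ACL user:www-data:--x) turns on.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { CHECK_ON, CHECK_IF_NOT_OWNER };  /* the directive's two checking modes */

/* Walk an absolute path one component at a time and refuse symlinks, the way
 * disable_symlinks does: each component is examined with
 * fstatat(AT_SYMLINK_NOFOLLOW), so a link is seen rather than followed, and
 * then opened relative to its parent.  With search_open the open uses O_PATH,
 * which needs only search (x) permission on a directory; with O_RDONLY instead
 * a search-only directory (mode --x for the worker user) fails with EACCES.
 * Returns 0 when the path is acceptable, ELOOP when a symlink is rejected,
 * else the errno of the failing call (nginx reports EACCES as a 403). */
int check_path_no_symlinks(const char *path, int mode, int search_open) {
    char buf[4096];
    int oflags = (search_open ? O_PATH : O_RDONLY) | O_NONBLOCK;
    if (path[0] != '/' || strlen(path) >= sizeof buf) return EINVAL;
    strcpy(buf, path);
    int dirfd = open("/", oflags | O_DIRECTORY);
    if (dirfd < 0) return errno;
    for (char *comp = strtok(buf, "/"); comp; comp = strtok(NULL, "/")) {
        struct stat lst, tst;
        if (fstatat(dirfd, comp, &lst, AT_SYMLINK_NOFOLLOW) < 0) goto fail;
        if (S_ISLNK(lst.st_mode)) {
            /* if_not_owner tolerates a link whose owner also owns its target */
            if (mode != CHECK_IF_NOT_OWNER
                || fstatat(dirfd, comp, &tst, 0) < 0
                || tst.st_uid != lst.st_uid) {
                close(dirfd);
                return ELOOP;
            }
        }
        /* descend; this follows only a link that was accepted above */
        int next = openat(dirfd, comp, oflags);
        if (next < 0) goto fail;
        close(dirfd);
        dirfd = next;
    }
    close(dirfd);
    return 0;
fail: {
        int err = errno;
        close(dirfd);
        return err;
    }
}
```

Run as an unprivileged user against a directory that grants it only x, the search_open=0 variant returns EACCES for every path beneath that directory while search_open=1 passes.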

Quoting http://nginx.org/r/disable_symlinks: