Opened 7 years ago

Closed 7 years ago

#399 closed defect (invalid)

disable_symlinks return always 403

Reported by: Janowski Marcin Owned by:
Priority: major Milestone:
Component: nginx-core Version:
Keywords: disable_symlinks Cc:
uname -a: Linux web 3.10.4-grsec-sored-domu #22 SMP Thu Aug 22 12:12:33 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.4.1/debian/modules/ngx_http_substitutions_filter_module

Description

Hello, i writing about wrong working disable_symlinks. So, before enable this all www pages works good, but after enable (with options on or if_not_owner, with form= and without) i have 403 error, and in logs:

2013/08/22 19:44:37 [error] 2277#0: *1 open() "/home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html" failed (13: Permission denied), client: 77.255.238.208, server: cokolwiek.redcraft.pl, request: "GET /test.html HTTP/1.1", host: "cokolwiek.redcraft.pl"

This is directory structure:

root@web:~# namei -l /home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html
f: /home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html
drwx--x--x root root /
drwx--x--x root root home
drwx--x--- wmp  wmp  wmp
drwxr-xr-x root root www
drwxr-xr-x root root cokolwiek.redcraft.pl
drwxrwxr-x root wmp  htdocs
-rw-rw-r-- wmp  wmp  test.html
root@web:~# getfacl /home/wmp
getfacl: Removing leading '/' from absolute path names
# file: home/wmp
# owner: wmp
# group: wmp
user::rwx
user:www-data:--x
group::--x
mask::--x
other::---

root@web:~#

And this is nginx configure:

root@web:~# cat /etc/nginx/nginx.conf 
user www-data;
worker_processes 8;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
#       disable_symlinks on;
        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
#       error_log /var/log/nginx/debug.log debug;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # nginx-naxsi config
        ##
        # Uncomment it if you installed nginx-naxsi
        ##

        #include /etc/nginx/naxsi_core.rules;

        ##
        # nginx-passenger config
        ##
        # Uncomment it if you installed nginx-passenger
        ##

        #passenger_root /usr;
        #passenger_ruby /usr/bin/ruby;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
root@web:~# cat /etc/nginx/sites-enabled/test-chujwiejaka.redcraft.pl 
server {

        server_name chujwiejaka.redcraft.pl;

        access_log  /home/test/www/chujwiejaka.redcraft.pl/logs/access.log;
        error_log   /home/test/www/chujwiejaka.redcraft.pl/logs/error.log;

        root /home/test/www/chujwiejaka.redcraft.pl/htdocs;
        index index.php index.html;
        autoindex on;

        location ~ \.php$ {
                include /etc/nginx/fastcgi_params;
                fastcgi_index index.php;
                fastcgi_pass   unix:/var/run/nginx/wmp.php-fpm.socket;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
}
root@web:~# cat /etc/nginx/sites-enabled/wmp-cokolwiek.redcraft.pl 
server {

        server_name cokolwiek.redcraft.pl;

        access_log  /home/wmp/www/cokolwiek.redcraft.pl/logs/access.log;
        error_log   /home/wmp/www/cokolwiek.redcraft.pl/logs/error.log;

        root /home/wmp/www/cokolwiek.redcraft.pl/htdocs;
        index index.php index.html;
        autoindex on;

        location ~ \.php$ {
                include /etc/nginx/fastcgi_params;
                fastcgi_index index.php;
                fastcgi_pass   unix:/var/run/nginx/wmp.php-fpm.socket;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
}
root@web:~# cat /etc/nginx/sites-enabled/default 

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /usr/share/nginx/html;
        index index.html index.htm;

        # Make site accessible from http://localhost/
        server_name localhost;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ /index.html;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules
        }

        location /doc/ {
                alias /usr/share/doc/;
                autoindex on;
                allow 127.0.0.1;
                allow ::1;
                deny all;
        }

}
root@web:~#

On /home i havent any symlinks:

root@web:~# find /home -type l
root@web:~#

and /home is mounted with this options:

/dev/xvda4 on /home type ext4 (rw,noexec,nosuid,nodev,acl)

Ngins working this same with enabled acl, and without acl entry in /home/wmp, chmod 711 /home/wmp and /home mounted withour acl option. This is debug with enable disable_symlinks:

2013/08/22 19:32:47 [debug] 2672#0: epoll add event: fd:12 op:1 ev:00000001
2013/08/22 19:32:47 [debug] 2672#0: epoll add event: fd:13 op:1 ev:00000001
2013/08/22 19:32:49 [debug] 2672#0: post event 000000000076CE60
2013/08/22 19:32:49 [debug] 2672#0: delete posted event 000000000076CE60
2013/08/22 19:32:49 [debug] 2672#0: accept on 0.0.0.0:80, ready: 0
2013/08/22 19:32:49 [debug] 2672#0: posix_memalign: 000000000070A4B0:256 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 accept: 77.255.238.208 fd:22
2013/08/22 19:32:49 [debug] 2672#0: *1 event timer add: 22: 60000:1377192829772
2013/08/22 19:32:49 [debug] 2672#0: *1 reusable connection: 1
2013/08/22 19:32:49 [debug] 2672#0: *1 epoll add event: fd:22 op:1 ev:80000001
2013/08/22 19:32:49 [debug] 2672#0: post event 000000000076CE60
2013/08/22 19:32:49 [debug] 2672#0: delete posted event 000000000076CE60
2013/08/22 19:32:49 [debug] 2672#0: accept on 0.0.0.0:80, ready: 0
2013/08/22 19:32:49 [debug] 2672#0: posix_memalign: 000000000073EF50:256 @16
2013/08/22 19:32:49 [debug] 2672#0: *2 accept: 77.255.238.208 fd:23
2013/08/22 19:32:49 [debug] 2672#0: *2 event timer add: 23: 60000:1377192829773
2013/08/22 19:32:49 [debug] 2672#0: *2 reusable connection: 1
2013/08/22 19:32:49 [debug] 2672#0: *2 epoll add event: fd:23 op:1 ev:80000001
2013/08/22 19:32:49 [debug] 2672#0: *1 post event 000000000076CF98
2013/08/22 19:32:49 [debug] 2672#0: *1 delete posted event 000000000076CF98
2013/08/22 19:32:49 [debug] 2672#0: *1 http wait request handler
2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 000000000073F060:256 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 malloc: 0000000000717DC0:1024
2013/08/22 19:32:49 [debug] 2672#0: *1 recv: fd:22 387 of 1024
2013/08/22 19:32:49 [debug] 2672#0: *1 reusable connection: 0
2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 00000000007181D0:4096 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 http process request line
2013/08/22 19:32:49 [debug] 2672#0: *1 http request line: "GET /test.html HTTP/1.1"
2013/08/22 19:32:49 [debug] 2672#0: *1 http uri: "/test.html"
2013/08/22 19:32:49 [debug] 2672#0: *1 http args: ""
2013/08/22 19:32:49 [debug] 2672#0: *1 http exten: "html"
2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 0000000000740E30:4096 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 http process request header line
2013/08/22 19:32:49 [debug] 2672#0: *1 event timer del: 22: 1377192834777
2013/08/22 19:32:49 [debug] 2672#0: *1 http process request line
2013/08/22 19:32:49 [debug] 2672#0: *1 http request line: "GET /favicon.ico HTTP/1.1"
2013/08/22 19:32:49 [debug] 2672#0: *1 http uri: "/favicon.ico"
2013/08/22 19:32:49 [debug] 2672#0: *1 http args: ""
2013/08/22 19:32:49 [debug] 2672#0: *1 http exten: "ico"
2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 0000000000740E30:4096 @16
2013/08/22 19:32:49 [debug] 2672#0: *1 http process request header line
2013/08/22 19:32:59 [debug] 2672#0: *2 post event 000000000076D000
2013/08/22 19:32:59 [debug] 2672#0: *2 delete posted event 000000000076D000
2013/08/22 19:32:59 [debug] 2672#0: *2 http wait request handler
2013/08/22 19:32:59 [debug] 2672#0: *2 posix_memalign: 000000000073F170:256 @16
2013/08/22 19:32:59 [debug] 2672#0: *2 malloc: 0000000000717DC0:1024
2013/08/22 19:32:59 [debug] 2672#0: *2 recv: fd:23 0 of 1024
2013/08/22 19:32:59 [info] 2672#0: *2 client closed connection while waiting for request, client: 77.255.238.208, server: 0.0.0.0:80
2013/08/22 19:32:59 [debug] 2672#0: *2 close http connection: 23
2013/08/22 19:32:59 [debug] 2672#0: *2 event timer del: 23: 1377192829773
2013/08/22 19:32:59 [debug] 2672#0: *2 reusable connection: 0
2013/08/22 19:32:59 [debug] 2672#0: *2 free: 0000000000717DC0
2013/08/22 19:32:59 [debug] 2672#0: *2 free: 000000000073EF50, unused: 0
2013/08/22 19:32:59 [debug] 2672#0: *2 free: 000000000073F170, unused: 128

Server works on Ubuntu Server 12.04.

Change History (1)

comment:1 by Maxim Dounin, 7 years ago

Resolution: invalid
Status: newclosed

Quoting http://nginx.org/r/disable_symlinks:

On systems that do not support opening of directories only for search, to use these parameters
it is required that worker processes have read permissions for all directories being checked.

Note: See TracTickets for help on using tickets.