Opened 11 years ago
Closed 11 years ago
#399 closed defect (invalid)
disable_symlinks return always 403
Reported by: | Janowski Marcin | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-core | Version: | |
Keywords: | disable_symlinks | Cc: | |
uname -a: | Linux web 3.10.4-grsec-sored-domu #22 SMP Thu Aug 22 12:12:33 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.4.1
TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.4.1/debian/modules/ngx_http_substitutions_filter_module |
Description
Hello, i writing about wrong working disable_symlinks. So, before enable this all www pages works good, but after enable (with options on or if_not_owner, with form= and without) i have 403 error, and in logs:
2013/08/22 19:44:37 [error] 2277#0: *1 open() "/home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html" failed (13: Permission denied), client: 77.255.238.208, server: cokolwiek.redcraft.pl, request: "GET /test.html HTTP/1.1", host: "cokolwiek.redcraft.pl"
This is directory structure:
root@web:~# namei -l /home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html f: /home/wmp/www/cokolwiek.redcraft.pl/htdocs/test.html drwx--x--x root root / drwx--x--x root root home drwx--x--- wmp wmp wmp drwxr-xr-x root root www drwxr-xr-x root root cokolwiek.redcraft.pl drwxrwxr-x root wmp htdocs -rw-rw-r-- wmp wmp test.html root@web:~# getfacl /home/wmp getfacl: Removing leading '/' from absolute path names # file: home/wmp # owner: wmp # group: wmp user::rwx user:www-data:--x group::--x mask::--x other::--- root@web:~#
And this is nginx configure:
root@web:~# cat /etc/nginx/nginx.conf user www-data; worker_processes 8; pid /run/nginx.pid; events { worker_connections 768; # multi_accept on; } http { # disable_symlinks on; ## # Basic Settings ## sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; # error_log /var/log/nginx/debug.log debug; ## # Gzip Settings ## gzip on; gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; ## # nginx-naxsi config ## # Uncomment it if you installed nginx-naxsi ## #include /etc/nginx/naxsi_core.rules; ## # nginx-passenger config ## # Uncomment it if you installed nginx-passenger ## #passenger_root /usr; #passenger_ruby /usr/bin/ruby; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } root@web:~# cat /etc/nginx/sites-enabled/test-chujwiejaka.redcraft.pl server { server_name chujwiejaka.redcraft.pl; access_log /home/test/www/chujwiejaka.redcraft.pl/logs/access.log; error_log /home/test/www/chujwiejaka.redcraft.pl/logs/error.log; root /home/test/www/chujwiejaka.redcraft.pl/htdocs; index index.php index.html; autoindex on; location ~ \.php$ { include /etc/nginx/fastcgi_params; fastcgi_index index.php; fastcgi_pass unix:/var/run/nginx/wmp.php-fpm.socket; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } root@web:~# cat /etc/nginx/sites-enabled/wmp-cokolwiek.redcraft.pl server { server_name cokolwiek.redcraft.pl; access_log /home/wmp/www/cokolwiek.redcraft.pl/logs/access.log; error_log /home/wmp/www/cokolwiek.redcraft.pl/logs/error.log; root /home/wmp/www/cokolwiek.redcraft.pl/htdocs; index index.php index.html; autoindex on; location ~ \.php$ { include /etc/nginx/fastcgi_params; fastcgi_index index.php; fastcgi_pass unix:/var/run/nginx/wmp.php-fpm.socket; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } root@web:~# cat /etc/nginx/sites-enabled/default server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; root /usr/share/nginx/html; index index.html index.htm; # Make site accessible from http://localhost/ server_name localhost; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ /index.html; # Uncomment to enable naxsi on this location # include /etc/nginx/naxsi.rules } location /doc/ { alias /usr/share/doc/; autoindex on; allow 127.0.0.1; allow ::1; deny all; } } root@web:~#
On /home i havent any symlinks:
root@web:~# find /home -type l root@web:~#
and /home is mounted with this options:
/dev/xvda4 on /home type ext4 (rw,noexec,nosuid,nodev,acl)
Ngins working this same with enabled acl, and without acl entry in /home/wmp, chmod 711 /home/wmp and /home mounted withour acl option. This is debug with enable disable_symlinks:
2013/08/22 19:32:47 [debug] 2672#0: epoll add event: fd:12 op:1 ev:00000001 2013/08/22 19:32:47 [debug] 2672#0: epoll add event: fd:13 op:1 ev:00000001 2013/08/22 19:32:49 [debug] 2672#0: post event 000000000076CE60 2013/08/22 19:32:49 [debug] 2672#0: delete posted event 000000000076CE60 2013/08/22 19:32:49 [debug] 2672#0: accept on 0.0.0.0:80, ready: 0 2013/08/22 19:32:49 [debug] 2672#0: posix_memalign: 000000000070A4B0:256 @16 2013/08/22 19:32:49 [debug] 2672#0: *1 accept: 77.255.238.208 fd:22 2013/08/22 19:32:49 [debug] 2672#0: *1 event timer add: 22: 60000:1377192829772 2013/08/22 19:32:49 [debug] 2672#0: *1 reusable connection: 1 2013/08/22 19:32:49 [debug] 2672#0: *1 epoll add event: fd:22 op:1 ev:80000001 2013/08/22 19:32:49 [debug] 2672#0: post event 000000000076CE60 2013/08/22 19:32:49 [debug] 2672#0: delete posted event 000000000076CE60 2013/08/22 19:32:49 [debug] 2672#0: accept on 0.0.0.0:80, ready: 0 2013/08/22 19:32:49 [debug] 2672#0: posix_memalign: 000000000073EF50:256 @16 2013/08/22 19:32:49 [debug] 2672#0: *2 accept: 77.255.238.208 fd:23 2013/08/22 19:32:49 [debug] 2672#0: *2 event timer add: 23: 60000:1377192829773 2013/08/22 19:32:49 [debug] 2672#0: *2 reusable connection: 1 2013/08/22 19:32:49 [debug] 2672#0: *2 epoll add event: fd:23 op:1 ev:80000001 2013/08/22 19:32:49 [debug] 2672#0: *1 post event 000000000076CF98 2013/08/22 19:32:49 [debug] 2672#0: *1 delete posted event 000000000076CF98 2013/08/22 19:32:49 [debug] 2672#0: *1 http wait request handler 2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 000000000073F060:256 @16 2013/08/22 19:32:49 [debug] 2672#0: *1 malloc: 0000000000717DC0:1024 2013/08/22 19:32:49 [debug] 2672#0: *1 recv: fd:22 387 of 1024 2013/08/22 19:32:49 [debug] 2672#0: *1 reusable connection: 0 2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 00000000007181D0:4096 @16 2013/08/22 19:32:49 [debug] 2672#0: *1 http process request line 2013/08/22 19:32:49 [debug] 2672#0: *1 http request line: "GET /test.html HTTP/1.1" 2013/08/22 19:32:49 [debug] 2672#0: *1 http uri: "/test.html" 2013/08/22 19:32:49 [debug] 2672#0: *1 http args: "" 2013/08/22 19:32:49 [debug] 2672#0: *1 http exten: "html" 2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 0000000000740E30:4096 @16 2013/08/22 19:32:49 [debug] 2672#0: *1 http process request header line 2013/08/22 19:32:49 [debug] 2672#0: *1 event timer del: 22: 1377192834777 2013/08/22 19:32:49 [debug] 2672#0: *1 http process request line 2013/08/22 19:32:49 [debug] 2672#0: *1 http request line: "GET /favicon.ico HTTP/1.1" 2013/08/22 19:32:49 [debug] 2672#0: *1 http uri: "/favicon.ico" 2013/08/22 19:32:49 [debug] 2672#0: *1 http args: "" 2013/08/22 19:32:49 [debug] 2672#0: *1 http exten: "ico" 2013/08/22 19:32:49 [debug] 2672#0: *1 posix_memalign: 0000000000740E30:4096 @16 2013/08/22 19:32:49 [debug] 2672#0: *1 http process request header line 2013/08/22 19:32:59 [debug] 2672#0: *2 post event 000000000076D000 2013/08/22 19:32:59 [debug] 2672#0: *2 delete posted event 000000000076D000 2013/08/22 19:32:59 [debug] 2672#0: *2 http wait request handler 2013/08/22 19:32:59 [debug] 2672#0: *2 posix_memalign: 000000000073F170:256 @16 2013/08/22 19:32:59 [debug] 2672#0: *2 malloc: 0000000000717DC0:1024 2013/08/22 19:32:59 [debug] 2672#0: *2 recv: fd:23 0 of 1024 2013/08/22 19:32:59 [info] 2672#0: *2 client closed connection while waiting for request, client: 77.255.238.208, server: 0.0.0.0:80 2013/08/22 19:32:59 [debug] 2672#0: *2 close http connection: 23 2013/08/22 19:32:59 [debug] 2672#0: *2 event timer del: 23: 1377192829773 2013/08/22 19:32:59 [debug] 2672#0: *2 reusable connection: 0 2013/08/22 19:32:59 [debug] 2672#0: *2 free: 0000000000717DC0 2013/08/22 19:32:59 [debug] 2672#0: *2 free: 000000000073EF50, unused: 0 2013/08/22 19:32:59 [debug] 2672#0: *2 free: 000000000073F170, unused: 128
Server works on Ubuntu Server 12.04.
Note:
See TracTickets
for help on using tickets.
Quoting http://nginx.org/r/disable_symlinks: