Symlink permission denied allthough same owner

Discussion in 'Bug Reports' started by priestjim, May 4, 2009.

  1. priestjim

    priestjim Well-Known Member


    I am experiencing an issue with LS Enterprise 4.0.3, symlinks and AWStats. More specifically, as Plesk Panel structures its statistics directory, you will see below:

    ls -l /var/www/vhosts/xxx/statistics/webstat
    drwxr-xr-x  2 root root     4096 May  4 03:17 2009-05
    lrwxrwxrwx  1 root root        7 May  4 03:16 current -> 2009-05
    -rwxr-xr-x  1 root psaserv   457 May  4 03:17 index.html
    -rwxr-xr-x  1 root root     1119 May  4 03:17 nav.html
    ls -l /var/www/vhosts/xxx/statistics/webstat/2009-05
    total 360
    -rw-r--r--  1 root root 82593 May  4 03:16
    lrwxrwxrwx  1 root root    34 May  4 03:17 index.html ->
    that symlink owners match. But when I try to access the statistics page from http://xxx/webstat I get an access forbidden along with this log message:

    2009-05-04 07:38:07.830 [INFO] [xx.xx.xx.xx:1172-0#APVH_xxx:80] Found symbolic link, or owner of symbolic link and link target does not match for path [/var/www/vhosts/xxx/statistics/webstat/current/index.html], access denied.

    This issue happens with all the hosted domains, and the only workaround is to define a vhost.conf (a la Plesk) with Options +FollowSymlinks inside, which is counterintuitive and must be done manually every time a domain is created.

    Is there a solution to this issue?
  2. mistwang

    mistwang LiteSpeed Staff

    I think the vhost was configured not to allow symbolic link, since the owner matches, it should not be a problem if symbolic links are allowed.

    I can login to the server to take a look at this issue if you want.
  3. priestjim

    priestjim Well-Known Member

    The vhost is configured through apache's confs not LS's confs. In addition, I have checked every conf that LS reads and there are SymlinkIfOwnerMatch directives inside but there should be no problem since the owner matches in our case! It's exactly that, that's weird! mistwang, I'll PM you the login details and some more info ASAP!

  4. priestjim

    priestjim Well-Known Member

    I am resuming this bug report as more and more clients of our own complain about not being able to browse the /plesk-stat directory (getting access denied errors).

    The issue occurs because the /var/www/vhosts/ directory that /plesk-stat is an alias of is owned by root:psaserv and has 750 permissions. So Litespeed would seem to behave correctly. However, the apache user that LS is using to operate, apart from being a member of the "apache" group, is also a member of the "psaserv" group. That means that apache should be able to read files that are group readable from a group in which is a member of. But Litespeed does not consider that and thus our clients get the "permission denied" error.

    Is there any solution to this problem? Please be aware that Apache did not have this issue.

  5. mistwang

    mistwang LiteSpeed Staff

  6. priestjim

    priestjim Well-Known Member

    Did it, did not work, I still get :

    [ERROR] Can not open directory for URI: /plesk-stat/!
  7. mistwang

    mistwang LiteSpeed Staff

    Have you restart LSWS?

    You need to find out which user that the index script run as, it should run as apache user with all the group permission.

    To find it out, you need patch the autoindex script temporarily, with

    blow all the function definitions. before
    The autoindex script should be at /path/to/lsws/shared/autoindex/default.php
    It will print out the user id information that the script run as.
  8. priestjim

    priestjim Well-Known Member

    OK, fixed it, it works now. Thanks for the tips! However, I've ran into another issue! A standard vhost httpd.include file in Plesk includes the following lines:

            Alias  /plesk-stat /var/www/vhosts/
            <Location  /plesk-stat/>
                    Options +Indexes
            Alias  /webstat /var/www/vhosts/
            Alias  /webstat-ssl /var/www/vhosts/
           <Directory "/var/www/vhosts/">
                    AuthType Basic
                    AuthName "Domain statistics"
                    AuthUserFile /var/www/vhosts/
                    require  valid-user
    That means that when accessing /plesk-stat (which is an alias to the password-protected statistics directory) I should be presented with an HTTP authentication request, which works correctly. But this also means that I should be presented with an HTTP authentication request when traversing a subdirectory of statistics like /webstat (which is an alias to statistics/webstat) which does not happen! As a result, each client's statistics alias (/webstat, /ftpstat etc) is open for the world to see!

  9. mistwang

    mistwang LiteSpeed Staff

    Please download and try 4.0.5 build.

Share This Page