 

Apache and Symlinks

Started by Michael Kennedy, 2002-10-22T22:26:04-05:00 (Tuesday)


Michael Kennedy

I'm running into a problem that I need some help on.  I'm trying to create a PHP page that will create a symlink to a file depending on what's selected from 2 dynamically filled dropdown boxes (courtesy of JavaScript).

The big question is, can the user "apache" create symlinks?  Everything seems to work great, but when I try to do the following with PHP I get nothing:

Quote:
$command = "ln -s /home/blah/filename /var/www/html/filename";
shell_exec($command);

I even went so far as to su to root, then su to apache and try to execute the command.  I get the following:

Quote:
[apache@mandrake html]$ ln -s "/home/blah/filename" "/var/www/html/filename"
ln: creating symbolic link '/var/www/html/filename' to '/home/blah/filename': Permission denied

(BTW- I know this might sound like a no-brainer to you Linux gurus, but su'ing to "apache" is bad :-D.  Killed my apache.  A soft reboot fixed the problem, though.)

I then changed permissions on the files, changed ownership, etc and still can't get the command to work.  Any suggestions?  Can apache just not make symlinks or anything like that?  Or, does anyone know of some other method that would have the same result as what I'm trying to achieve?

Another question- is using symlinks for download links a good idea, bad idea, or does it make any sort of difference?  I'm not sure what the security implications of linking a file in apache's root dir to something in, say, /home/zaphod/filename are.

Thanks in advance.

(Note: The dir with this PHP file, as well as the dir the link is being created to are going to be passworded with .htaccess files.  I know this sounds odd, but I have a reason for wanting these files to be created and I'm taking appropriate security precautions to ensure that no problems arise from it.  This does sound like a security problem waiting to happen.)
"If it ain't busted, don't fix it" is a very sound principle and remains so despite the fact that I have slavishly ignored it all my life. --Douglas Adams, "Salmon of Doubt"

Peter Motyka

You need to make sure apache has read/write/execute on the dir you are trying to create the symlink in.  You could do this by creating an apache group (this may already exist).  Set the dir group to apache (chown .apache dir) and then set the mode appropriately (chmod 775 dir).

This should give you a dir that looks like this....

drwxrwxr-x    2 motykowp apache       1024 Oct 23 00:29 test

Peter
SIUE CS Alumni 2002
Grad Student, Regis University
Senior Engineer, Ping Identity
http://motyka.org
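
The link-creation step from the question, combined with the directory-permission point in the reply above, written without a shell call and restricted to one source directory. This is an added example, not code from the original posts: `publish_link()` is a hypothetical helper, and the two constants reuse the paths quoted in the question.

```php
<?php
// Added example, not code from the thread. SOURCE_BASE and LINK_DIR reuse the
// paths in the question; publish_link() is a hypothetical helper name.
const SOURCE_BASE = '/home/blah';
const LINK_DIR    = '/var/www/html';

function publish_link(string $requested, string $sourceBase = SOURCE_BASE,
                      string $linkDir = LINK_DIR): string
{
    // Treat the dropdown value as a bare file name: drop any directory part.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('invalid file name');
    }

    // Resolve base and target (following existing symlinks) so the
    // containment check is made against the real location.
    $base   = realpath($sourceBase);
    $target = realpath($sourceBase . '/' . $name);
    if ($base === false || $target === false || !is_file($target)
        || strpos($target, $base . '/') !== 0) {
        throw new RuntimeException('source is not a regular file under the allowed base');
    }

    // Creating a link needs write + search (execute) permission on the
    // directory that will hold it; the permissions of the target do not matter.
    if (!is_dir($linkDir) || !is_writable($linkDir)) {
        throw new RuntimeException("web server user cannot write to $linkDir");
    }

    // file_exists() is false for a dangling link, so test is_link() as well.
    $link = $linkDir . '/' . $name;
    if (file_exists($link) || is_link($link)) {
        throw new RuntimeException('refusing to replace an existing entry');
    }

    // symlink() is a direct system call: no shell, so nothing to quote or escape.
    if (!symlink($target, $link)) {
        throw new RuntimeException('symlink() failed');
    }
    return $link;
}
```

Whether Apache then serves the link depends on the `Options` in effect for the directory: `FollowSymLinks` follows any link, while `SymLinksIfOwnerMatch` follows it only when the link and its target have the same owner, which a link created by the apache user to a file in another user's home directory would not satisfy.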

Michael Kennedy

That was the problem- I was looking at it backwards.  I thought the problem was that apache didn't have permission to create the link, but it turns out it did have permission to create it, just not at the location I was wanting to put it.  Thanks a bunch, Peter.  Now I get to move on to the neater part of the project.

Are there any problems with the method I'm using to create the links?  Any security problems that you are aware of with linking to a folder that's inside someone's home directory, for example?

Peter Motyka

It is hard to say if there are any security issues you should worry about without seeing the code.  But the whole idea of the webserver being able to write to certain areas of the drive is pretty insecure.  If you need references to directories, why not store the paths in a SQL database?  That way you could associate a certain path with a specific username... or something like that

Peter
SIUE CS Alumni 2002
Grad Student, Regis University
Senior Engineer, Ping Identity
http://motyka.org

William Grim

I'd also like to say that as far as I know, Apache does not have permission to travel to locations generated by symlinks.  I know this sounds kind of crappy, but it's so people can't follow a symlink in your directory back to say /home and get a listing of usernames.

I'm kind of having a tough time thinking up a good example of this, and I haven't looked into the security issues of this for quite a while.  So, my information might either be a little dated or misguided.

I'll look into it later.
William Grim
IT Associate, Morgan Stanley

Michael Kennedy

I can confirm that Apache does have the ability to do that, and to my knowledge it has for a little while.  I know that a good while back (before I really cared to read the posts) I saw something talking about vulnerabilities in Apache when using symlinks into home dirs to give access to files.  I don't know if the talk was theoretical or actual.  Now I wish I would have read it.  I haven't searched too much for information on this, but I'll let you guys know what I find.

Also, Peter- the security of the page isn't much of an issue to me.  I have the page sectioned off with .htaccess files, not to mention a fairly simple (meaning- not overly complicated) system for logging in to the page.  Plus, I'm the only one that uses it ATM.  The symlink vulnerability things are all I'm concerned with right now.  I'm thinking of giving a group of people access to those links (on a time basis- they can only d/l from me when I'm asleep or at school, for example), so any info on vulnerabilities would be greatly appreciated.  Again, I haven't had time to research it much yet- I wanted to see if it worked before I found out if it was a good idea or not.  :)

Thanks again for the help with the permissions thing.  I felt like a big dummy when I saw what I was doing wrong.  :)

William Grim

Aye, it's had the ability to travel to symlinks for a while, but it's generally kept turned off for the reason I mentioned.

I don't know how you would time-limit use of symlinks; you'd probably have to run a cron job or your own program to set permissions for you at a certain time of day.
William Grim
IT Associate, Morgan Stanley

Michael Kennedy

That's exactly what I'm going to do.  This is a toy, basically.  I'm just screwing around and writing a few little utilities in PHP for fun right now.