Symlink permission denied although same owner

priestjim

Well-Known Member
#1
Hi!

I am experiencing an issue with LS Enterprise 4.0.3, symlinks and AWStats. More specifically, as Plesk Panel structures its statistics directory, you will see below:

Code:
ls -l /var/www/vhosts/xxx/statistics/webstat
drwxr-xr-x  2 root root     4096 May  4 03:17 2009-05
[...]
lrwxrwxrwx  1 root root        7 May  4 03:16 current -> 2009-05
-rwxr-xr-x  1 root psaserv   457 May  4 03:17 index.html
-rwxr-xr-x  1 root root     1119 May  4 03:17 nav.html

ls -l /var/www/vhosts/xxx/statistics/webstat/2009-05
total 360
[...]
-rw-r--r--  1 root root 82593 May  4 03:16 awstats.xxx-http.html
lrwxrwxrwx  1 root root    34 May  4 03:17 index.html -> awstats.xxx-http.html
that symlink owners match. But when I try to access the statistics page from http://xxx/webstat I get an access forbidden along with this log message:

2009-05-04 07:38:07.830 [INFO] [xx.xx.xx.xx:1172-0#APVH_xxx:80] Found symbolic link, or owner of symbolic link and link target does not match for path [/var/www/vhosts/xxx/statistics/webstat/current/index.html], access denied.

This issue happens with all the hosted domains, and the only workaround is to define a vhost.conf (a la Plesk) with Options +FollowSymlinks inside, which is counterintuitive and must be done manually every time a domain is created.

Is there a solution to this issue?
 

mistwang

LiteSpeed Staff
#2
I think the vhost was configured not to allow symbolic links. Since the owner matches, it should not be a problem if symbolic links are allowed.

I can log in to the server to take a look at this issue if you want.
 

priestjim

Well-Known Member
#3
The vhost is configured through Apache's confs, not LS's confs. In addition, I have checked every conf that LS reads and there are SymlinkIfOwnerMatch directives inside, but there should be no problem since the owner matches in our case! It's exactly that, that's weird! mistwang, I'll PM you the login details and some more info ASAP!

Thanks!
 

priestjim

Well-Known Member
#4
I am resuming this bug report as more and more clients of our own complain about not being able to browse the /plesk-stat directory (getting access denied errors).

The issue occurs because the /var/www/vhosts/domain.com/statistics directory that /plesk-stat is an alias of is owned by root:psaserv and has 750 permissions. So LiteSpeed would seem to behave correctly. However, the apache user that LS is using to operate, apart from being a member of the "apache" group, is also a member of the "psaserv" group. That means that apache should be able to read files that are group-readable by a group of which it is a member. But LiteSpeed does not consider that, and thus our clients get the "permission denied" error.

Is there any solution to this problem? Please be aware that Apache did not have this issue.

Thanks!
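
A diagnostic for the two failure modes discussed in posts #1 and #4, added here as an example (not part of the thread and not LiteSpeed or Plesk code): it walks each prefix of a path and reports symlinks whose owner differs from the target's owner, and directories or files whose mode bits deny a given uid and group set. The function names and the `lstat`/`stat_fn` parameters are assumptions made for this example; it models plain Unix mode bits only, not ACLs.

```python
import os
import pwd
import stat
import sys

def allowed(st, uid, gids, want):
    """Unix mode check: owner bits if uid owns the entry, else group, else other."""
    if uid == 0:
        return True  # simplification: root passes read/search checks
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & want == want

def audit_path(path, uid, gids, lstat=os.lstat, stat_fn=os.stat):
    """Return [(prefix, problem)] for every prefix of path that would block uid."""
    findings, current = [], ""
    for part in path.strip("/").split("/"):
        current += "/" + part
        try:
            link, st = lstat(current), stat_fn(current)  # entry itself, then its target
        except OSError:
            findings.append((current, "cannot stat (missing or dangling link)"))
            break
        # Owner-match rule: a link is only followed if link and target share an owner.
        if stat.S_ISLNK(link.st_mode) and link.st_uid != st.st_uid:
            findings.append((current, "symlink owner differs from target owner"))
        want = 1 if stat.S_ISDIR(st.st_mode) else 4  # search directories, read files
        if not allowed(st, uid, gids, want):
            findings.append((current, "mode bits deny access"))
    return findings

def ids_for(user):
    """uid and full group set (primary plus supplementary) of a local account."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

if __name__ == "__main__":
    # usage: audit.py /path/to/file webserver_user
    for prefix, problem in audit_path(sys.argv[1], *ids_for(sys.argv[2])):
        print(f"{prefix}: {problem}")
```

Passing only the primary group in `gids` instead of the set from `ids_for` shows what a server that ignores supplementary groups would see on the same path.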
 

mistwang

LiteSpeed Staff
#7
Have you restarted LSWS?

You need to find out which user the index script runs as; it should run as the apache user with all the group permissions.

To find out, you need to patch the autoindex script temporarily, with

Code:
// temporary: print the uid, gid and groups the script runs as
$id=`id`;
echo $id;
below all the function definitions, before

Code:
$pos = strpos( $_SERVER['REQUEST_URI'], '?' );
if ( $pos === FALSE )
{
    $uri = $_SERVER['REQUEST_URI'];
}
else
{
    $uri = substr( $_SERVER['REQUEST_URI'], 0, $pos );
}
The autoindex script should be at /path/to/lsws/shared/autoindex/default.php
It will print out the user ID information that the script runs as.
 

priestjim

Well-Known Member
#8
OK, fixed it, it works now. Thanks for the tips! However, I've run into another issue! A standard vhost httpd.include file in Plesk includes the following lines:

Code:
        Alias  /plesk-stat /var/www/vhosts/domain.com/statistics/
        <Location  /plesk-stat/>
                Options +Indexes
        </Location>
        [...]
        Alias  /webstat /var/www/vhosts/domain.com/statistics/webstat
        Alias  /webstat-ssl /var/www/vhosts/domain.com/statistics/webstat-ssl
        [...]
        <Directory "/var/www/vhosts/domain.com/statistics">
                AuthType Basic
                AuthName "Domain statistics"
                AuthUserFile /var/www/vhosts/domain.com/pd/d..httpdocs@plesk-stat
                require  valid-user
        </Directory>
That means that when accessing /plesk-stat (which is an alias to the password-protected statistics directory) I should be presented with an HTTP authentication request, which works correctly. But this also means that I should be presented with an HTTP authentication request when traversing a subdirectory of statistics like /webstat (which is an alias to statistics/webstat) which does not happen! As a result, each client's statistics alias (/webstat, /ftpstat etc) is open for the world to see!

Thanks!
 