Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Apache HTTPD Bugs Notification List" <bugs@httpd.apache.org>
Date: 17 Jun 2004 16:08:58 -0000
Message-ID: <20040617160858.24511.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Cc: 
Subject: DO NOT REPLY [Bug 29647] New:  -
    Strange interaction between "ErrorDocument" directive and
 "SymlinksIfOwnerMatch" option

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29647>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29647

Strange interaction between "ErrorDocument" directive and "SymlinksIfOwnerMatch" option

           Summary: Strange interaction between "ErrorDocument" directive
                    and "SymlinksIfOwnerMatch" option
           Product: Apache httpd-2.0
           Version: 2.0.49
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: flynnj@cs.fiu.edu


This is an odd one, so I'll try to explain it as best as possible.

We're running Apache 2.0.49 on linux with Symlinksifownermatch turned on for
public_html directories. However, when you try to access a file in someone's
webspace through a symlink, even though the owners match, a 403 forbidden is
thrown with this in the error log:

[Thu Jun 17 11:51:55 2004] [error] [client 131.94.133.26] Symbolic link not
allowed: /home/vixen2/flynnj/public_html/link.html

Now, if there is an .htaccess file in the public_html directory, containing ONLY
the following:

ErrorDocument 404 /~flynnj/404.html

...suddenly symlinks are followed correctly! It even does the owner check; if
the symlink is owned by root, I get a 403 forbidden.

Also, the 403 forbidden generated by this seems to behave differently than a
normal 403 forbidden, in that it complains about an "additional 403 forbidden"
accessing the ErrorDocument, which appears just fine when the 403 occurs due to
another reason, such as an unreadable file. There are no other ErrorDocument
declarations in the httpd.conf, so I'm not sure where this could be coming from.

I can clarify and/or provide more information if required. 

Virtualhost with the problem:

<VirtualHost *>
 ServerName www.cs.fiu.edu
 ServerAlias www.cs.fiu.edu
 ServerAdmin webmaster@cs.fiu.edu
 DocumentRoot /depot/http/www.cs.fiu.edu/data
 ErrorLog /depot/http/www.cs.fiu.edu/logs/error_log.apache2
 ErrorDocument 500 /errors/500.html
 ErrorDocument 403 /errors/403.html
 ErrorDocument 404 /errors/404.html
 ReadmeName README
 HeaderName HEADER
 TransferLog /depot/http/www.cs.fiu.edu/logs/access_log.apache2
 CustomLog /depot/http/www.cs.fiu.edu/logs/referer_log.apache2 referer
 CustomLog /depot/http/www.cs.fiu.edu/logs/agent_log.apache2 agent
 CustomLog /depot/http/www.cs.fiu.edu/logs/combined_access_log.apache2 combined
 ScriptLog /depot/http/www.cs.fiu.edu/logs/cgi.log.apache2
 ScriptAlias /cgi-bin/ /depot/http/www.cs.fiu.edu/cgi-bin/
 Alias /icons/ "/depot/http/icons/"
</VirtualHost>


Directory declaration for home directories:

 <Directory /home/*>
  AllowOverride AuthConfig FileInfo Limit Indexes
  Options +SymLinksIfOwnerMatch Indexes Includes +ExecCGI
  php_admin_flag safe_mode on
 </Directory>

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org