Bug 29647 - Strange interaction between "ErrorDocument" directive and "SymlinksIfOwnerMatch" option
Status: RESOLVED DUPLICATE of bug 36783
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.0.49
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2004-06-17 16:08 UTC by John Flynn
Modified: 2010-07-20 09:41 UTC

Description John Flynn 2004-06-17 16:08:57 UTC
This is an odd one, so I'll try to explain it as best as possible.

We're running Apache 2.0.49 on Linux with SymLinksIfOwnerMatch turned on for
public_html directories. However, when you try to access a file in someone's
webspace through a symlink, even though the owners match, a 403 forbidden is
thrown with this in the error log:

[Thu Jun 17 11:51:55 2004] [error] [client 131.94.133.26] Symbolic link not allowed: /home/vixen2/flynnj/public_html/link.html

Now, if there is an .htaccess file in the public_html directory, containing ONLY
the following:

ErrorDocument 404 /~flynnj/404.html

...suddenly symlinks are followed correctly! It even does the owner check; if
the symlink is owned by root, I get a 403 forbidden.

Also, the 403 forbidden generated by this seems to behave differently than a
normal 403 forbidden, in that it complains about an "additional 403 forbidden"
accessing the ErrorDocument, which appears just fine when the 403 occurs due to
another reason, such as an unreadable file. There are no other ErrorDocument
declarations in the httpd.conf, so I'm not sure where this could be coming from.

I can clarify and/or provide more information if required. 

Virtualhost with the problem:

<VirtualHost *>
 ServerName www.cs.fiu.edu
 ServerAlias www.cs.fiu.edu
 ServerAdmin webmaster@cs.fiu.edu
 DocumentRoot /depot/http/www.cs.fiu.edu/data
 ErrorLog /depot/http/www.cs.fiu.edu/logs/error_log.apache2
 ErrorDocument 500 /errors/500.html
 ErrorDocument 403 /errors/403.html
 ErrorDocument 404 /errors/404.html
 ReadmeName README
 HeaderName HEADER
 TransferLog /depot/http/www.cs.fiu.edu/logs/access_log.apache2
 CustomLog /depot/http/www.cs.fiu.edu/logs/referer_log.apache2 referer
 CustomLog /depot/http/www.cs.fiu.edu/logs/agent_log.apache2 agent
 CustomLog /depot/http/www.cs.fiu.edu/logs/combined_access_log.apache2 combined
 ScriptLog /depot/http/www.cs.fiu.edu/logs/cgi.log.apache2
 ScriptAlias /cgi-bin/ /depot/http/www.cs.fiu.edu/cgi-bin/
 Alias /icons/ "/depot/http/icons/"
</VirtualHost>


Directory declaration for home directories:

 <Directory /home/*>
  AllowOverride AuthConfig FileInfo Limit Indexes
  Options +SymLinksIfOwnerMatch Indexes Includes +ExecCGI
  php_admin_flag safe_mode on
 </Directory>
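
When triaging a report like this, it helps to confirm outside the server whether each link and its target really share an owner. The following is an added example, not part of the original report and not httpd's own code: it pulls paths out of "Symbolic link not allowed" error-log lines and applies the documented SymLinksIfOwnerMatch rule (link uid equals target uid) to every symlink along the path. The function names and the component-by-component walk are assumptions of this example.

```python
import os
import re
import stat

# Message text as quoted in the report; \s+ tolerates a wrapped log line.
LOG_RE = re.compile(r"Symbolic link not\s+allowed:\s+(?P<path>\S+)")


def denied_paths(log_text):
    """Return the file paths named in 'Symbolic link not allowed' lines."""
    return [m.group("path") for m in LOG_RE.finditer(log_text)]


def audit_symlinks(path, base="/"):
    """Walk `path` below `base` (assumed to be an ancestor of `path`).

    For each component that is a symlink, compare the link's owner (lstat)
    with the owner of what it resolves to (stat). Returns a list of
    (component, link_uid, target_uid, ok); a dangling link has target_uid None.
    """
    findings = []
    current = base
    for part in os.path.relpath(path, base).split(os.sep):
        current = os.path.join(current, part)
        try:
            link = os.lstat(current)
        except OSError:
            break  # component missing or unreadable: nothing more to check
        if not stat.S_ISLNK(link.st_mode):
            continue
        try:
            target_uid = os.stat(current).st_uid
        except OSError:
            target_uid = None  # dangling or unreadable target
        findings.append((current, link.st_uid, target_uid,
                         target_uid is not None and link.st_uid == target_uid))
    return findings


if __name__ == "__main__":
    # Constructed sample: the log line from the report, as one string.
    sample = ("[Thu Jun 17 11:51:55 2004] [error] [client 131.94.133.26] "
              "Symbolic link not allowed: "
              "/home/vixen2/flynnj/public_html/link.html")
    for p in denied_paths(sample):
        for comp, luid, tuid, ok in audit_symlinks(p):
            print(f"{comp}: link uid={luid} target uid={tuid} "
                  f"{'match' if ok else 'MISMATCH'}")
```

If every symlink on the path reports a match while the server still logs the denial, the ownership data is consistent and the configuration merge is the next place to look.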
Comment 1 John Flynn 2004-06-23 16:26:48 UTC
Just wondering,

Is anyone actually reading these bug reports? I looked at a bunch of others and
they're all unanswered, just like this one...

-John
Comment 2 Jeff Trawick 2004-06-23 16:36:36 UTC
The short answer is "yes."  You probably don't want to hear the long answer.
Word to the wise: Look in the several CHANGES files in the source distribution
for the string " PR " and consider how those issues were addressed.

Comment 3 Joe Orton 2005-02-24 17:38:23 UTC
Is this still reproducible in 2.0.53? Can you reduce it to a minimal set of
changes to the stock httpd.conf?  A simple attempt to reproduce here (outside a
vhost, notably) didn't show the problem.
Comment 4 Nick Kew 2010-07-20 09:41:44 UTC
Not sure if it's an exact duplicate, but if not (and if it's not already fixed), 2.0 is too old.

*** This bug has been marked as a duplicate of bug 36783 ***