Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 52544

Summary: net-www/apache2 does not set FollowSymLinks for cgi-bin, this breaks webapp-config
Product: Gentoo Linux Reporter: Tom Payne (RETIRED) <twp>
Component: New packagesAssignee: Gentoo Web Application Packages Maintainers <web-apps>
Status: VERIFIED TEST-REQUEST    
Severity: normal CC: web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 52119    

Description Tom Payne (RETIRED) gentoo-dev 2004-05-31 04:56:32 UTC 
Problem:

CGI scripts installed by webapp-config in /var/www/localhost/cgi-bin fail to run with a 403 Forbidden error.

Reason:

webapp-config "installs" files in /var/www/localhost/cgi-bin by symlinking them to /usr/share/webapps/$PN/$PV/hostroot/cgi-bin. However, by default apache2 refuses to follow symlinks in /var/www/localhost/cgi-bin, so it borks with a 403 error and this in the logs:
[Mon May 31 13:33:39 2004] [error] [client 127.0.0.1] Symbolic link not allowed: /var/www/localhost/cgi-bin/<script>

Solution:

Enable FollowSymLinks for /var/www/localhost/cgi-bin in /etc/apache2/conf/commonapache2.conf

 ###
 ### This is intended for your world-accessible CGI programs.
 ###
 <Directory /var/www/localhost/cgi-bin>
     AllowOverride All
-    Options ExecCGI
+    Options ExecCGI FollowSymLinks
     <IfModule mod_access.c>
       Order allow,deny
       Allow from all
     </IfModule>
 </Directory>

Problems with the solution:

This might be a (minor) security risk. But the alternative it is broken cgi-bin with webapp-config :-(
Comment 1 Tom Payne (RETIRED) gentoo-dev 2004-05-31 04:57:36 UTC 
Versions:

webapp-config 1.9-r3
apache 2.0.49-r2
Comment 2 Chuck Short (RETIRED) gentoo-dev 2004-06-02 12:18:30 UTC 
This should be fixed in the next version of webapp-config. For now please add FollowSymlinks manually.

Thanks
Comment 3 Tom Payne (RETIRED) gentoo-dev 2004-06-04 11:05:38 UTC 
I'm reopening this bug so you can resolved it as FIXED when it's fixed -- it's not RESOLVED WONTFIX because you've just said you're going to fix it :-)

Re-opening it also allows bugs that depend on it to be notified when the fix is available.

Cheers,

Tom
Comment 4 Tom Payne (RETIRED) gentoo-dev 2004-06-04 11:06:30 UTC 
Of course, it's web-apps, not apache-bugs who are going to fix it :-)
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2004-06-05 03:34:39 UTC 
I'll be putting a ~x86 version of webapp-config-1.10 into Portage later tonight for testing purposes.  This now uses hard links by default, which should address this bug.

Best regards,
Stu
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-06-11 15:16:23 UTC 
Hi,

I've committed v1.10 of webapp-config, which no longer uses symlinks.  This should address your problem.

Please test, and let me know how you get on.

Best regards,
Stu
Comment 7 Stuart Herbert (RETIRED) gentoo-dev 2004-06-26 17:45:41 UTC 
Closing old bug.