Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: something changed about symlinks in 2.64 (or 2.65) |
|
| Author |
|
sebalis
Joined: 03 Oct 2025
Posts: 2
|
 Posted: Fri 03 Oct '25 16:35 Post subject: something changed about symlinks in 2.64 (or 2.65) |
 |
|
Hi,
I run an Apache installation on my private laptop for developing several (mostly static) websites. The OS is Arch Linux and I had not updated it for a while, which is why my Apache version jumped from 2.63 to 2.65 this week. My setup uses symlinks from /srv/http (the default DocumentRoot on Arch) to various subdirectories of my home directory, where I develop these websites. The server is configured to run under my username so that it can access these subdirectories. It’s probably not a secure setup, but of course this web server is not openly accessible – it only listens on 127.0.0.1 except for periods when I access one of my websites from a mobile phone in the same WiFi network.
These symlinks have now stopped working, consistently creating log entries like this one:
[core:error] [pid 185506:tid 185506] [client 127.0.0.1:37546] AH00037: Symbolic link not allowed or link target not accessible: /srv/http/xyz
As explained above, /srv/http/xyz would be a symlink to some directory under my $HOME.
I was able to isolate the problem: I copied one such website to /var/opt using tar (to preserve ownership and access rights) and created a new symlink to this copy. Apache was happy to serve via this symlink.
Also, after swapping out parts of my Apache configuration and looking at a directory index of /srv/http (via “Options Indexes”), which I normally suppress, I can see that a symlink to places like /etc, /var/opt or similar is shown as a clickable directory (with the FollowSymLinks option active, which of course it is the whole time). A symlink to anything under /home does not get listed.
Looking at the release notes, I suspect that this happened in 2.64 because it contains a lot of (security) changes. But I could not see from these notes that the treatment of symlinks had changed. Also, the documentation at https://httpd.apache.org/docs/2.4/en/mod/core.html#options does not indicate that symlinks are given different treatment depending on where they point to.
Apache under Arch reads a few configuration files from /etc/httpd/conf/extra but they are not responsible for the difference either. I have verified this by temporarily nulling all these files.
I’d be grateful for any explanations 
sebalis |
|
| Back to top |
|
tdonovan
Moderator
Joined: 17 Dec 2005
Posts: 616
Location: Milford, MA, USA
|
| Posted: Sat 04 Oct '25 17:00 Post subject: |
|
|
The apache code for handling symlinks hasn't changed for many versions.
Using 2.4.65 on ArchLinux, I can only reproduce your problem by altering the permissions of the /home directory.
Check that your /home directory grants execute access to the account that apache runs in. By default, /home grants read and execute to everyone. | Code: | $ ls -lhd /home
drwxr-xr-x 3 root root 4.0K Oct 4 10:40 /home
|
Apache needs execute access to every directory in the symbolic link target path.
-tom- |
|
| Back to top |
|
tdonovan
Moderator
Joined: 17 Dec 2005
Posts: 616
Location: Milford, MA, USA
|
| Posted: Sat 04 Oct '25 20:36 Post subject: |
|
|
Another possibility is that you run apache as a SystemD service. If so, check if ProtectHome is set for the httpd service:
systemctl show httpd
If you see ProtectHome=yes in this list, that is a problem. You can remove this SystemD restriction with:
systemctl edit httpd.service
Edit the top of the file to allow read access: | Quote: | ### Editing /etc/systemd/system/httpd.service.d/override.conf
### Anything between here and the comment below will become the contents of the drop-in file
[Service]
ProtectHome=read-only
### Edits below this comment will be discarded
... |
Then, restart apache:
systemctl restart httpd.service
FYI - this creates a file /etc/systemd/system/httpd.service.d/override.conf which overrides the ProtectHome directive in /usr/lib/systemd/system/httpd.service.
This ProtectHome directive is a relatively new feature in SystemD. The only documentation I could find was in /usr/share/doc/systemd/NEWS: | Quote: | * Two new service settings, ProtectHome= and ProtectSystem=,
have been added. When enabled, they will make the user data
(such as /home) inaccessible or read-only and the system
(such as /usr) read-only, for specific services. This allows
very lightweight per-service sandboxing to avoid
modifications of user data or system files from
services. These two new switches have been enabled for all
of systemd's long-running services, where appropriate.
|
I hope this helps.
-tom- |
|
| Back to top |
|
sebalis
Joined: 03 Oct 2025
Posts: 2
|
| Posted: Sat 04 Oct '25 21:04 Post subject: that’s it – solved |
|
|
Yes, ProtectHome was the problem, this setting was changed in the Arch package definition 3 weeks ago. Thank you so much!
I knew I had to choose between asking here or in the Arch forum, and I guessed wrong. Also, at least with hindsight I really should have checked the commit history for that package earlier and would have found it myself then. I’m very impressed that I got my Arch support here anyway. Thanks again
sebalis |
|
| Back to top |
|
|
|
|
|
|
