Hi, I feel a bit silly, but I've been struggling with lighttpd 1.4.71 and symbolic links for quite a while now.
I have a very basic configuration. I added the option: server.follow-symlink = "enable" even though I know it is enabled by default according to the documentation.
❯ cat /etc/lighttpd/lighttpd.conf
server.port = 80
server.username = "http"
server.groupname = "http"
server.document-root = "/srv/http"
server.errorlog = "/var/log/lighttpd/error.log"
dir-listing.activate = "enable"
server.follow-symlink = "enable"
server.bind = "10.107.80.1"
index-file.names = ( "index.html" )
mimetype.assign = (
".html" => "text/html",
".txt" => "text/plain",
".css" => "text/css",
".js" => "application/x-javascript",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".gif" => "image/gif",
".png" => "image/png",
"" => "application/octet-stream"
)
I've tried playing around with file permissions, changing the owner to "http", but nothing helped.
❯ ls -ls /srv/http
total 6044
2544 -rw-r--r-- 1 vecino vecino 2601013 Jul 28 20:46 frr-8.5.2-1-x86_64-5ebb9c9.pkg.tar.zst
2768 -rw-r--r-- 1 vecino vecino 2833639 Aug 26 14:19 frr-9.0-4-x86_64-0c4d2fd.pkg.tar.zst
732 -rw-r--r-- 1 root root 747113 May 26 15:32 libyang-2.1.80-1-x86_64.pkg.tar.zst
0 lrwxrwxrwx 1 http http 10 Aug 27 12:53 test -> /root/test
The webserver will not display symlink "test".
Name↓ Last Modified: Size: Type:
frr-8.5.2-1-x86_64-5ebb9c9.pkg.tar.zst 2023-Jul-28 20:46:32 2.4M application/octet-stream
frr-9.0-4-x86_64-0c4d2fd.pkg.tar.zst 2023-Aug-26 14:19:38 2.7M application/octet-stream
libyang-2.1.80-1-x86_64.pkg.tar.zst 2023-May-26 15:32:01 729.6K application/octet-stream
I'm sure it's some stupidity (mine) again, but I couldn't figure it out on my own. Thanks
https://redmine.lighttpd.net/projects/l … nksDetails
Last edited by vecino (2023-08-28 19:01:51)
stat /root
The process owned by http is *hopefully* not able to enter /root and you cannot circumvent that w/ a symlink of different ownership.
Try the problem w/ a less protected destination eg. into /tmp/test
Yes, I thought that "/root" was overprotected, but it doesn't work from /tmp/test either:
❯ stat /root
File: /root
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 8,1 Inode: 262153 Links: 9
Access: (0750/drwxr-x---) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-12-17 22:14:49.838881221 +0100
Modify: 2023-08-27 14:09:11.989660609 +0200
Change: 2023-08-27 14:09:11.989660609 +0200
Birth: 2022-12-17 18:52:05.745884726 +0100
/tmp/test ❯ ls
total 4
4 -rw-r--r-- 1 http http 5 Aug 27 14:08 myfile
❯ ls -ls /srv/http
total 6044
2544 -rw-r--r-- 1 vecino vecino 2601013 Jul 28 20:46 frr-8.5.2-1-x86_64-5ebb9c9.pkg.tar.zst
2768 -rw-r--r-- 1 vecino vecino 2833639 Aug 26 14:19 frr-9.0-4-x86_64-0c4d2fd.pkg.tar.zst
732 -rw-r--r-- 1 root root 747113 May 26 15:32 libyang-2.1.80-1-x86_64.pkg.tar.zst
0 lrwxrwxrwx 1 root root 16 Aug 27 14:08 myfile -> /tmp/test/myfile
0 lrwxrwxrwx 1 root root 10 Aug 27 12:53 test -> /root/test
Next test, don't cross the filesystem, i.e. have the destination on the same FS as /srv/http
Last: stay below /srv/http
I'm sorry, seth, what do you mean? What do you want me to do? I still have "server.document-root = "/srv/http"" in my configuration, but I'm still not able to work with symlinks.
You try a symlink that targets into /srv/http/somewhere/something; if that works, also one that is on the same filesystem as /srv/http (the root filesystem) and not a different mountpoint (tmpfs on /tmp).
There're multiple layers of protection you'll have to obey or configure away to prevent http clients access to the system.
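The checks suggested in the posts above (target below /srv/http, then same filesystem, then a different mount), written as a small script. This is an added example, not part of the thread; the function names and result labels are made up for illustration, and it assumes GNU realpath and stat.

```shell
#!/bin/sh
# Added example: classify where each symlink under a document root points.
# Function names and result labels are hypothetical. Needs GNU realpath/stat.

# classify_link DOCROOT LINK -> prints one label:
#   inside-docroot   target resolves below DOCROOT
#   same-fs-outside  target is outside DOCROOT, same filesystem (device id)
#   other-fs         target lives on a different mount
#   unresolvable     dangling, or a path component the caller may not enter
classify_link() {
    docroot=$(realpath -e -- "$1") || return 2
    target=$(realpath -e -- "$2" 2>/dev/null) || { echo unresolvable; return 0; }
    case "$target/" in
        "$docroot"/*) echo inside-docroot; return 0 ;;
    esac
    if [ "$(stat -c %d -- "$docroot")" = "$(stat -c %d -- "$target")" ]; then
        echo same-fs-outside
    else
        echo other-fs
    fi
}

# audit_docroot DOCROOT -> one "label<TAB>link" line per symlink found.
audit_docroot() {
    find "$1" -type l | while IFS= read -r link; do
        printf '%s\t%s\n' "$(classify_link "$1" "$link")" "$link"
    done
}

# Run as the server account so permission failures show up, e.g.
#   sudo -u http sh check-links.sh /srv/http
if [ "$#" -ge 1 ]; then
    audit_docroot "$1"
fi
```

The script runs in the caller's mount namespace, so it cannot show restrictions that the service unit itself places on the lighttpd process.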
I understand now... you're right, that's it, it works.
0 lrwxrwxrwx 1 root root 32 Aug 27 15:41 myfile.txt -> /srv/http/test1/test2/myfile.txt
I need to be able to use a symlink outside the system.
Device Boot Start End Sectors Size Id Type
/dev/sda1 2048 20973567 20971520 10G 83 Linux
/dev/sda2 20973568 976773167 955799600 455.8G 83 Linux
❯ mount | grep sda
/dev/sda1 on / type ext4 (rw,noatime,discard,errors=remount-ro)
/dev/sda2 on /mnt/samba type ext4 (rw,noatime,discard,errors=remount-ro)
I know it's probably not safe, but I only want it temporarily. Because my system disk sda1 is small ... so I need to temporarily share a +-40GB file via webserver from sda2.
Is there any way I can temporarily deactivate this protection? Or run lighttpd as root?
Did you consider using a bind mount to map the desired path into /srv/http ?
Not at all - I didn't even think of it... I'm inexperienced... I'm supposed to try by:
3.7 Bind mount - https://wiki.archlinux.org/title/fstab + https://man.archlinux.org/man/mount.8#B … _operation ?
You can but don't have to use fstab, but yes, that's what I meant (notice that it also allows ro mounts to shield the data)
See also BindPaths= and BindReadOnlyPaths= in https://man.archlinux.org/man/core/syst … 5.en#PATHS
Thanks again to seth for the great tips. I achieved what I wanted to through BindPaths= and BindReadOnlyPaths= ... These are powerful yet relatively easy ways to achieve what you want.
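A read-only bind mount along the lines suggested above, written as a systemd drop-in for lighttpd.service. This is an added example, not what the poster actually used; /mnt/samba/share and /srv/http/share are assumed paths and render_dropin is a hypothetical helper.

```shell
#!/bin/sh
# Added example: emit a drop-in that maps a directory from the data disk
# read-only into the document root, visible to the lighttpd service only.
# render_dropin and both example paths are hypothetical.

# render_dropin SRC DEST [DOCROOT] -> prints the drop-in, or fails with 1.
render_dropin() {
    src=$1 dest=$2 docroot=${3:-/srv/http}
    # ":" separates source and destination in BindReadOnlyPaths=, and
    # whitespace would need escaping, so accept plain path characters only.
    case "$src$dest" in
        *[!A-Za-z0-9/._-]*) echo "unsupported character in path" >&2; return 1 ;;
    esac
    case "$src" in
        /*) ;;
        *) echo "source must be an absolute path" >&2; return 1 ;;
    esac
    # Keep the mapping below the document root, with no ".." to climb out.
    case "$dest" in
        */../*|*/..) echo "destination must not contain .." >&2; return 1 ;;
    esac
    case "$dest" in
        "$docroot"/*) ;;
        *) echo "destination must be below $docroot" >&2; return 1 ;;
    esac
    printf '[Service]\nBindReadOnlyPaths=%s:%s\n' "$src" "$dest"
}

# As root, with the assumed paths:
#   mkdir -p /srv/http/share /etc/systemd/system/lighttpd.service.d
#   render_dropin /mnt/samba/share /srv/http/share \
#       > /etc/systemd/system/lighttpd.service.d/bind.conf
#   systemctl daemon-reload && systemctl restart lighttpd.service
#
# System-wide equivalent without systemd, also read-only (see mount(8)):
#   mount --bind /mnt/samba/share /srv/http/share
#   mount -o remount,bind,ro /mnt/samba/share /srv/http/share
```

Removing the drop-in and restarting the service, or unmounting /srv/http/share in the mount(8) variant, ends the temporary share.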