symlink issues after server migration + ruid2

itsensellc

Hello,

I'm in the process of migrating accounts from a system that was running Apache 2.2 with no form of suexec to Apache 2.4 with mod_ruid2 and I'm running into symlink issues that are driving me insane. Here's the layout of the land:

/home/admin/domains/domain.com/public_html/folder/uploads/images contains several subfolders that each contain several images. On the old system the images folder is owned by admin, but all subfolders are owned by apache and all files as well. On the new system I changed all ownership to admin since it's running ruid2. Folders are 755, files are 755 (for now).

I then have another account, call it joe, that has 30 domains and each domain has a symlink to the folder above. So:

/home/joe/public_html/images would be a symlink to the /home/admin/domains/domain.com/public_html/folder/uploads/images. That symlink is owned by admin.admin and is 777.

This setup worked without issue on the old system. It's not working on the new one and to make matters worse I'm not getting much in the way of feedback why. The apache error logs show "Symbolic link not allowed or link target not accessible". strace just shows a permission denied error. I've tried all kinds of combinations of ownership and I cannot figure out what it's looking for or what user it's trying to access those files as.

I suspect this is something particular to ruid2 I don't understand but I have no idea what to do at this point and the interweb hasn't been too helpful. Any help would be appreciated!
 
I just figured out this has nothing to do with ruid2. I su'ed to joe, and then tried a stat command against the symbolic link. That nets me a permission denied error. Perplexing.
 
secure access group is enabled by default on new installs. So, are you sure you have disabled it on the new server?
 
I'm sorry. I was looking in the completely wrong place and you are right.

On the old server, no suexec so the apache process is executing as the apache user and apache is part of the secure access group which in turn grants it the proper access into /home/admin. On the new server since I'm running ruid2 it's executing as joe and joe is not part of the secure access group.

So the simple, albeit maybe not ideal world fix is to add joe to access. This isn't a shared server so I don't *think* that poses any issues?
 
Although this did solve the stat issue and I am able to access the symlink as the user now, it still hasn't solved the problem with the webserver. I don't get it!

Time for a beer!
 
I don't think I can be of much more help, maybe someone else knows what it could be? Only thing I can think of is if you have restarted apache after adding joe to access group? If not, I think you should try it. This is from http://www.directadmin.com/features.php?id=961:

Note that a restart of all services will be required if you change this group for existing users. I have not determined why this is, but appears to be some strange permission caching on the system where it doesn't recognize the new group instantly. After restarting the services, the new group value is recognized.
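
Added example, not part of the thread: a small Python check that lists which directories on the way to a symlink and to its resolved target a given user cannot traverse, which is the condition behind the permission denied from stat described above. It evaluates only the classic owner/group/other mode bits (no ACLs or SELinux); the function names are illustrative.

```python
import os
import stat

def can_search(st, uid, gids):
    """Owner/group/other rule for the directory search (x) bit."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def ancestors(path):
    """Yield every directory from / down to the parent of path."""
    parts = os.path.abspath(path).split(os.sep)[1:-1]
    current = os.sep
    yield current
    for part in parts:
        current = os.path.join(current, part)
        yield current

def blocked_dirs(path, uid, gids):
    """Directories uid cannot traverse to reach path and its link target."""
    blocked = []
    # Check the route to the link itself, then the route to what it resolves to.
    for route in (path, os.path.realpath(path)):
        for directory in ancestors(route):
            st = os.stat(directory)
            if not can_search(st, uid, gids) and directory not in blocked:
                blocked.append(directory)
    return blocked

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: script.py <user> <path>, e.g. joe /home/joe/public_html/images
    user, target = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for d in blocked_dirs(target, pw.pw_uid, gids):
        st = os.stat(d)
        mode = stat.S_IMODE(st.st_mode)
        print(f"{user} cannot traverse {d} "
              f"(mode {mode:o}, uid {st.st_uid}, gid {st.st_gid})")
```

The script reads group membership from the system group database, so it shows what a newly started process for that user would be allowed to do; a process that was already running keeps the supplementary groups it started with.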
 