Bug#246139: apache2-common: apache2.conf should include the "UserDir disabled root" directive

[Matt Zimmerman <mdz@debian.org>]

tags 246139 - security
thanks

On Tue, Apr 27, 2004 at 03:50:36PM +0200, Paul Wagland wrote:

> Package: apache2-common
> Version: 2.0.49-1
> Severity: normal
> Tags: security
> 
> In the docs for the UserDir tag they explicitly state that root
> should always have it's UserDir turned off, irrespective of other
> users. See http://httpd.apache.org/docs-2.0/mod/mod_userdir.html#userdir

There are already two layers of protection for that particular case (the
UserDir is set to a sane value, and the default Directory block denies
access to the entire filesystem hierarchy by default).

I don't think there would be anything wrong with adding "UserDir disabled
root", but there is no security issue here presently.

-- 
 - mdz