
Bug#491547: web server policy requires /var/www, not in FHS



On Thu, Jan 02, 2014 at 02:00:39PM +0100, Arno Töll wrote:
> Hi,
> 
> even more so a discussion on debian-devel [1] came to the conclusion
> that /var/www as a document root is security-wise a bad default for web
> servers.
> 
> Therefore, we, Apache maintainers, decided to change the default
> document root to /var/www/html (#730372). This might be seen as a policy
> violation as of §11.5, but we do not violate the FHS as this directory
> does not exist there.

Hello Arno,

Are the other HTTP engines going to also change the default document root to
/var/www/html?

> I'm not sure about the state of the FHS when this bug was filed, but to
> date /srv exists per FHS as a place to put organization-local files,
> e.g. document roots which is a replacement to /var/www _to users_. We,
> as a maintainer cannot use /srv straight though to avoid information
> leaks. Moreover, we must neither assume any organization-local directory
> structure below /srv.

> Please clarify this ambiguity in the policy.

But practically what are you suggesting?
Add an FHS exception for /var/www/html and change the document root in
policy?

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 

