Bug#491547: web server policy requires /var/www, not in FHS
On Thu, Jan 02, 2014 at 02:00:39PM +0100, Arno Töll wrote:
> Hi,
>
> even more so a discussion on debian-devel [1] came to the conclusion
> that /var/www as a document root is security-wise a bad default for web
> servers.
>
> Therefore, we, Apache maintainers, decided to change the default
> document root to /var/www/html (#730372). This might be seen as a policy
> violation as of §11.5, but we do not violate the FHS as this directory
> does not exist there.
Hello Arno,
Are the other HTTP engines going to also change the default document root to
/var/www/html?
> I'm not sure about the state of the FHS when this bug was filed, but to
> date /srv exists per FHS as a place to put organization-local files,
> e.g. document roots which is a replacement to /var/www _to users_. We,
> as a maintainer cannot use /srv straight though to avoid information
> leaks. Moreover, we must neither assume any organization-local directory
> structure below /srv.
> Please clarify this ambiguity in the policy.
But practically, what are you suggesting?
Add an FHS exception for /var/www/html and change the document root in
policy?
Cheers,
--
Bill. <ballombe@debian.org>
Imagine a large red swirl here.