
Bug#246139: apache2-common: apache2.conf should include the "UserDir disabled root" directive

* Matt Zimmerman (mdz@debian.org) wrote :
> On Tue, Apr 27, 2004 at 03:50:36PM +0200, Paul Wagland wrote:
> > Package: apache2-common
> > Version: 2.0.49-1
> > Severity: normal
> > Tags: security
> > 
> > In the docs for the UserDir tag they explicitly state that root
> > should always have its UserDir turned off, irrespective of other
> > users. See http://httpd.apache.org/docs-2.0/mod/mod_userdir.html#userdir
> There are already two layers of protection for that particular case (the
> UserDir is set to a sane value, and the default Directory block denies
> access to the entire filesystem hierarchy by default).
> I don't think there would be anything wrong with adding "UserDir disabled
> root", but there is no security issue here presently.
Agreed. I've added the disabled line now just so that if someone does bodge
their setup locally it shouldn't affect root's homedir.
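
A check for the directive discussed in this thread, added here as an example; it is not code from the thread or from the Debian package. It applies the `disabled`/`enabled` rules from the mod_userdir documentation linked in the report. The function name and sample configurations are constructed, and the parser treats the text as one flat scope (it does not follow Include lines or separate VirtualHost sections).

```python
# Added example: audits UserDir directives for a given user (default: root).
def userdir_excluded(conf_text, user="root"):
    """Return True if the UserDir directives in conf_text guarantee that
    `user` never gets username-to-directory translation."""
    global_disabled = False
    disabled, enabled = set(), set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if parts[0].lower() != "userdir" or len(parts) < 2:
            continue  # not a UserDir directive
        keyword, names = parts[1].lower(), parts[2:]
        if keyword == "disabled":
            if names:
                disabled.update(names)   # these users are never translated
            else:
                global_disabled = True   # bare "disabled": off for everyone
        elif keyword == "enabled":
            enabled.update(names)        # exceptions to a global disable
        # anything else is a directory pattern such as public_html
    if user in disabled:
        return True  # an explicit disable wins over any enabled clause
    return global_disabled and user not in enabled


# Constructed sample configurations (not the Debian apache2.conf).
BEFORE = "UserDir public_html\n"
AFTER = BEFORE + "UserDir disabled root\n"
# A locally modified setup that re-enables root by mistake.
BODGED = "UserDir disabled\nUserDir enabled root alice\n"
BODGED_FIXED = BODGED + "UserDir disabled root\n"

if __name__ == "__main__":
    for name, conf in [("before", BEFORE), ("after", AFTER),
                       ("bodged", BODGED), ("bodged+fix", BODGED_FIXED)]:
        print(name, "-> root excluded:", userdir_excluded(conf))
```

A False result only means mod_userdir itself does not rule the user out; other layers, such as the Directory block mentioned in the thread, may still deny access.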
