Bug#246139: apache2-common: apache2.conf should include the "UserDir disabled root" directive
* Matt Zimmerman (mdz@debian.org) wrote :
> On Tue, Apr 27, 2004 at 03:50:36PM +0200, Paul Wagland wrote:
>
> > Package: apache2-common
> > Version: 2.0.49-1
> > Severity: normal
> > Tags: security
> >
> > In the docs for the UserDir tag they explicitly state that root
> > should always have its UserDir turned off, irrespective of other
> > users. See http://httpd.apache.org/docs-2.0/mod/mod_userdir.html#userdir
>
> There are already two layers of protection for that particular case (the
> UserDir is set to a sane value, and the default Directory block denies
> access to the entire filesystem hierarchy by default).
>
> I don't think there would be anything wrong with adding "UserDir disabled
> root", but there is no security issue here presently.
>
Agreed. I've added the disabled line now just so that if someone does bodge
their setup locally it shouldn't affect root's homedir.
-Thom
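
As an added example (not part of the thread or of the Debian package), the check below decides whether mod_userdir would still translate `~root` for a given configuration, following the enabled/disabled precedence described in the mod_userdir documentation linked above. The function name and sample configurations are constructed for illustration, and it assumes a flat config text: no Include handling and no per-virtual-host scoping.

```python
def root_userdir_translated(conf_text, user="root"):
    """Return True if mod_userdir would still translate ~user.

    Precedence per the mod_userdir docs:
      - 'UserDir disabled <names>' always wins for the named users
      - bare 'UserDir disabled' turns translation off for everyone
        except users listed in a 'UserDir enabled <names>' line
      - any other argument is a directory pattern (e.g. public_html)
    Simplification (assumption): a pattern is taken to be in effect.
    """
    disabled_all = False
    disabled, enabled = set(), set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache comments are whole lines starting with '#'
        parts = line.split()
        if parts[0].lower() != "userdir" or len(parts) < 2:
            continue
        keyword, names = parts[1].lower(), parts[2:]
        if keyword == "disabled":
            if names:
                disabled.update(names)
            else:
                disabled_all = True
        elif keyword == "enabled":
            enabled.update(names)
    if user in disabled:
        return False
    if disabled_all and user not in enabled:
        return False
    return True

# Constructed sample configurations
BEFORE = "# per-user web directories\nUserDir public_html\n"
AFTER = BEFORE + "UserDir disabled root\n"
# A local "bodge": global disable, then root re-enabled by mistake
BODGED = "UserDir public_html\nUserDir disabled\nUserDir enabled root alice\n"
BODGED_FIXED = BODGED + "UserDir disabled root\n"

if __name__ == "__main__":
    for name, conf in [("before", BEFORE), ("after", AFTER),
                       ("bodged", BODGED), ("bodged+fix", BODGED_FIXED)]:
        print(name, "-> ~root translated:", root_userdir_translated(conf))
```

A `True` result only means the UserDir layer does not stop `~root`; the `<Directory />` default mentioned in the thread is a separate layer this check does not evaluate.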