
Bug#341022: default apache2.conf file should deny access to /



> The default configuration file, apache2.conf, of apache2 should have the
> following directory denying directive in apache2.conf instead of the
> 000-default VirtualHost because if a VirtualHost is added and under that
> VirtualHost's DocumentRoot the user makes a symlink to "/", he can
> access the whole filesystem.
> 
> Config lines to be added to /etc/apache2/apache2.conf:
> 
> <Directory />
>         Order Deny,Allow
>         Deny from all
> </Directory>

I do think this is a good idea. I agree with Tollef that it's always
possible to misconfigure a system, but it would be good if the system
would try to prevent obvious mistakes in its default configurations.

Allowing access to the entire filesystem is hardly ever necessary. A default
policy of denying access to the root filesystem therefore makes sense.
The user can explicitly tell Apache which files *are* allowed.
Mistakes will always be made, and if we can limit their damage, why not
do it?


Thijs
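A fuller form of the proposed default, written as an added example rather than the text of the bug report or of the Debian package's shipped apache2.conf; the /var/www and example.com paths are assumptions.

```apache
# Added example: default-deny for the whole filesystem, then opt
# individual DocumentRoots back in. Assumed paths, not Debian's file.

# Deny everything by default. Order Deny,Allow with Deny from all is the
# Apache 2.2 syntax used in the report; on 2.4 the equivalent single
# line is:  Require all denied
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

# <Directory> sections match the literal path Apache mapped from the
# URL, so a symlink "link -> /" inside an allowed DocumentRoot is still
# governed by that DocumentRoot's section, not by <Directory />.
# Keeping FollowSymLinks off there is what makes Apache refuse the
# link itself with a 403 instead of serving /etc/passwd through it.
<Directory /var/www/>
    Options -FollowSymLinks
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>

# Hypothetical vhost an administrator adds later: only its own
# DocumentRoot is re-allowed, and symlinks stay disabled unless the
# admin deliberately turns them on for this tree.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /srv/www/example.com
    <Directory /srv/www/example.com>
        Options -FollowSymLinks
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
```

With this layout a request that maps to a path outside any allowed DocumentRoot is answered 403 by the <Directory /> section, and a symlink planted under an allowed DocumentRoot is answered 403 by the FollowSymLinks check; apache2ctl configtest reports syntax problems before the configuration is reloaded.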