
Bug#681283: apache2-mpm-prefork: Prevent some files and folders from being viewed to clients.

Package: apache2-mpm-prefork
Version: 2.2.16-6+squeeze7
Severity: minor

This builds on what already exists in httpd.conf.
# <Files> tests its regex against the last path component only:
# .htaccess, .htpasswd, .ssh, ...
<Files ~ "^\.(ht|ssh)">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>
# Map any URL path containing /.ht* or /.ssh onto a filesystem path that does not exist
AliasMatch /\.(ht|ssh) /non-existant-page

The AliasMatch may seem to override the first part, but I thought that
it may be commented by default.  The goal here is to allow the www-data
user to have a non-existent .ssh configuration with non-password-protected
private keys to be used in accessing remote git
repositories (gitolite/Ruby-Passenger/GitLab) among other things.

I also request that since /var/www is this user's home folder AND
also DocumentRoot that usual user configuration files be added to
this list.  It may seem prudent to simply separate the two, however at
this point I'd say that you may be breaking a known convention.  Thus
I wouldn't recommend that.

Other files I was thinking of:
.Xauthority
.procmailrc
.gnupg
Mail|Maildir (perhaps)
.rnd
.pulse(|-cookie)
.bash_history
.gconf
.config
.cache
.ecryptfs
.subversion
.(gnome2|gnome)
.gconfd
.bazaar
.dbus

Plus commented rules to hide or secure common RCS folders and files:
,v$
/CVS
/RCS
etc.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic auth_kerb authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires mime
  negotiation passenger php5 reqtimeout rewrite setenvif
List of enabled php5 extensions:
  pdo pdo_pgsql pgsql suhosin

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (907, 'stable'), (906, 'stable'), (905, 'stable'), (904, 'stable'), (903, 'stable'), (902, 'stable'), (330, 'testing'), (320, 'testing'), (310, 'testing'), (230, 'testing-proposed-updates'), (220, 'testing-proposed-updates'), (210, 'testing-proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35.4-rscloud (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2-mpm-prefork depends on:
ii  apache2.2-bin          2.2.16-6+squeeze7 Apache HTTP Server common binary f
ii  apache2.2-common       2.2.16-6+squeeze7 Apache HTTP Server common files

apache2-mpm-prefork recommends no packages.

apache2-mpm-prefork suggests no packages.

-- no debconf information
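The two directives in the report do not test the same thing: Apache applies a `<Files>` regex to the last path component of the requested file only, while `AliasMatch` is applied to the whole URL path. So `<Files ~ "^\.(ht|ssh)">` blocks a request for /.ssh (the directory itself) but not for /.ssh/id_rsa, whose basename is "id_rsa"; the path-based rule is what covers files inside the dotted directories. The following Python model of that difference is an added example, not part of the bug report or of the Debian package. The `FILES_REGEX` and `ALIASMATCH_REGEX` patterns are copied from the report; `PROPOSED_DOTFILE_REGEX`, `PROPOSED_RCS_REGEX`, the function names and the sample paths are constructed here to cover the report's longer dotfile and RCS lists, and the model ignores what Apache does after a match (403 versus a 404 from the alias target).

```python
import posixpath
import re

# Patterns taken from the bug report above.
# <Files ~ "^\.(ht|ssh)"> : Apache applies a <Files> regex to the last path
# component of the requested file only.
FILES_REGEX = re.compile(r"^\.(ht|ssh)")
# AliasMatch /\.(ht|ssh) ... : applied to the whole URL path.
ALIASMATCH_REGEX = re.compile(r"/\.(ht|ssh)")

# Constructed (not from the report) path regex covering the report's wider
# dotfile list, anchored so that e.g. /.configure is not swept up with /.config.
PROPOSED_DOTFILE_REGEX = re.compile(
    r"/\.(?:ht[^/]*|ssh|Xauthority|procmailrc|gnupg|rnd|pulse(?:-cookie)?|"
    r"bash_history|gconfd?|config|cache|ecryptfs|subversion|gnome2?|bazaar|dbus)"
    r"(?:/|$)"
)
# Constructed regex for the RCS/CVS leftovers the report mentions (,v files, CVS/ and RCS/).
PROPOSED_RCS_REGEX = re.compile(r"(?:/(?:CVS|RCS)(?:/|$))|,v$")


def files_blocks(url_path: str) -> bool:
    """Model <Files ~ "^\\.(ht|ssh)">: only the basename is tested."""
    return bool(FILES_REGEX.search(posixpath.basename(url_path)))


def aliasmatch_blocks(url_path: str) -> bool:
    """Model AliasMatch /\\.(ht|ssh): the full URL path is tested."""
    return bool(ALIASMATCH_REGEX.search(url_path))


def proposed_blocks(url_path: str) -> bool:
    """Constructed path-based rule for the report's extended dotfile and RCS lists."""
    return bool(PROPOSED_DOTFILE_REGEX.search(url_path) or PROPOSED_RCS_REGEX.search(url_path))


def evaluate(url_path: str) -> dict:
    """Which of the three rules would block this request path."""
    return {
        "files": files_blocks(url_path),
        "aliasmatch": aliasmatch_blocks(url_path),
        "proposed": proposed_blocks(url_path),
    }


def missed_by_files_only(url_paths):
    """Paths the basename-only <Files> rule lets through although a path rule blocks them."""
    return [
        p for p in url_paths
        if not files_blocks(p) and (aliasmatch_blocks(p) or proposed_blocks(p))
    ]


# Constructed sample request paths (not real files on any host).
SAMPLE_PATHS = [
    "/.htaccess",
    "/.ssh/id_rsa",
    "/.gnupg/secring.gpg",
    "/.bash_history",
    "/.configure",
    "/project/CVS/Entries",
    "/src/main.c,v",
    "/index.html",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:28} {evaluate(path)}")
    print("Missed by <Files> alone:", missed_by_files_only(SAMPLE_PATHS))
```

Running it lists /.ssh/id_rsa, /.gnupg/secring.gpg and the CVS/RCS paths as requests the `<Files>` block alone would serve, which is the case for keeping a path-based rule (the report's `AliasMatch`, or a `<LocationMatch>`/`<DirectoryMatch>` with the same pattern) alongside it rather than relying on `<Files>` for directories such as .ssh and .gnupg.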
