
Bug#681283: marked as done (apache2-mpm-prefork: Prevent some files and folders from being viewed o clients.)



Your message dated Mon, 08 Jun 2015 15:16:36 +0000
with message-id <5575B1D4.4090400@debian.org>
and subject line Re: apache2-mpm-prefork: Prevent some files and folders from being viewed o clients.
has caused the Debian Bug report #681283,
regarding apache2-mpm-prefork: Prevent some files and folders from being viewed o clients.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
681283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681283
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-mpm-prefork
Version: 2.2.16-6+squeeze7
Severity: minor

This builds on what already exists in httpd.conf.
<Files ~ "^\.(ht|ssh)">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>
AliasMatch /\.(ht|ssh) /non-existant-page

The AliasMatch may seem to override the first part, but I thought that
it may be commented by default.  The goal here is to allow the www-data
user to have a non-existent .ssh configuration with non-password-protected
private keys to be used in accessing remote git
repositories (gitolite/Ruby-Passenger/GitLab) among other things.

I also request that since /var/www is this user's home folder AND
also DocumentRoot that usual user configuration files be added to
this list.  It may seem prudent to simply separate the two, however at
this point I'd say that you may be breaking a known convention.  Thus
I wouldn't recommend that.

Other files I was thinking of:
.Xauthority
.procmailrc
.gnupg
Mail|Maildir (perhaps)
.rnd
.pulse(|-cookie)
.bash_history
.gconf
.config
.cache
.ecryptfs
.subversion
.(gnome2|gnome)
.gconfd
.bazaar
.dbus

Plus commented rules to hide or secure common RCS folders and files:
,v$
/CVS
/RCS
...etc.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic auth_kerb authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires mime
  negotiation passenger php5 reqtimeout rewrite setenvif
List of enabled php5 extensions:
  pdo pdo_pgsql pgsql suhosin

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (907, 'stable'), (906, 'stable'), (905, 'stable'), (904, 'stable'), (903, 'stable'), (902, 'stable'), (330, 'testing'), (320, 'testing'), (310, 'testing'), (230, 'testing-proposed-updates'), (220, 'testing-proposed-updates'), (210, 'testing-proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35.4-rscloud (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2-mpm-prefork depends on:
ii  apache2.2-bin          2.2.16-6+squeeze7 Apache HTTP Server common binary f
ii  apache2.2-common       2.2.16-6+squeeze7 Apache HTTP Server common files

apache2-mpm-prefork recommends no packages.

apache2-mpm-prefork suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Hello

> This builds on what already exists in httpd.conf.
> <Files ~ "^\.(ht|ssh)">
>     Order allow,deny
>     Deny from all
>     Satisfy all
> </Files>
> AliasMatch /\.(ht|ssh) /non-existant-page
> 
> The AliasMatch may seem to override the first part, but I thought that
> it may be commented by default.  The goal here is to allow the www-data
> user to have a non-existent .ssh configuration with non-password-protected
> private keys to be used in accessing remote git
> repositories (gitolite/Ruby-Passenger/GitLab) among other things.
> 
> I also request that since /var/www is this user's home folder AND
> also DocumentRoot that usual user configuration files be added to
> this list.  It may seem prudent to simply separate the two, however at
> this point I'd say that you may be breaking a known convention.  Thus
> I wouldn't recommend that.
> 
> Other files I was thinking of:
> .Xauthority
> .procmailrc
> .gnupg
> Mail|Maildir (perhaps)
> .rnd
> .pulse(|-cookie)
> .bash_history
> .gconf
> .config
> .cache
> .ecryptfs
> .subversion
> .(gnome2|gnome)
> .gconfd
> .bazaar
> .dbus
> 
> Plus commented rules to hide or secure common RCS folders and files:
> ,v$
> /CVS
> /RCS
> ...etc.

Since Apache 2.4, Debian's default DocumentRoot is /var/www/html and is
different from the www-data home directory (/var/www).

This enables you to have a /var/www/.ssh/ directory that is not served
by the server.
This also takes care of the examples you quoted above.

Also, /etc/apache2/conf-available/security.conf now contains:
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for
# subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

These are only comments, as you suggested, but they give the
administrator a good hint about how to protect these.

So I believe what you asked is done. Therefore, I am closing that bug
report.

Feel free to reopen if you have more specific issues.

-- 
Nirgal

--- End Message ---
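Added example (not from the bug report, the reply, or Debian's apache2 package): a small Python model of why the rules quoted in both messages differ in reach. A `<Files ~ ...>` section is tested against the final path component only, while AliasMatch and DirectoryMatch are tested against the request path, so a key inside /.ssh/ slips past the Files rule on its own; the docroot helper shows why the 2.4 split of /var/www/html from /var/www closes the same gap. The regexes are the ones quoted above, the request paths are constructed samples, and the matching is a simplified approximation of Apache's, not Apache's own code.

```python
import posixpath
import re

# Patterns quoted in the thread: the reporter's <Files ~ "..."> and AliasMatch,
# and the DirectoryMatch example from security.conf in the reply.
FILES_RE = re.compile(r"^\.(ht|ssh)")     # <Files ~ "^\.(ht|ssh)">
ALIAS_RE = re.compile(r"/\.(ht|ssh)")     # AliasMatch /\.(ht|ssh) /non-existant-page
SVN_DIR_RE = re.compile(r"/\.svn")        # <DirectoryMatch "/\.svn">

# Constructed sample request paths (assumption, not real traffic).
SAMPLE_REQUESTS = [
    "/index.html",
    "/.htaccess",
    "/.ssh",                  # the directory itself: basename is ".ssh"
    "/.ssh/id_rsa",           # a key inside it: basename is "id_rsa"
    "/project/.svn/entries",
]


def files_rule_denies(url_path):
    """Simplified <Files>: Apache tests only the final path component."""
    return FILES_RE.search(posixpath.basename(url_path)) is not None


def path_rules_deny(url_path):
    """Simplified AliasMatch / DirectoryMatch: tested against the whole path."""
    return (ALIAS_RE.search(url_path) is not None
            or SVN_DIR_RE.search(url_path) is not None)


def missed_by_files_rule(requests=SAMPLE_REQUESTS):
    """Requests the path rules block but the <Files> rule alone would serve."""
    return [p for p in requests
            if not files_rule_denies(p) and path_rules_deny(p)]


def url_for(docroot, fs_path):
    """URL path at which fs_path is reachable under docroot, or None if outside."""
    docroot = posixpath.normpath(docroot)
    fs_path = posixpath.normpath(fs_path)
    if not fs_path.startswith(docroot + "/"):
        return None
    return fs_path[len(docroot):]


if __name__ == "__main__":
    print("served by <Files> rule alone:", missed_by_files_rule())
    for root in ("/var/www", "/var/www/html"):
        print(root, "->", url_for(root, "/var/www/.ssh/id_rsa"))
```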
