
Re: Debian web servers giving out too much info



On Sun, 28 Sep 1997, Brandon Mitchell wrote:

>    I'm just curious about the default behavior of debian web servers.  As
> the policy states, they should all have /usr/doc directories linked to
> doc/.  While this is great for local use, and on any machine I administer,
> doesn't this seem to give out a bit too much info?  E.g. someone knows 
> that a certain program has a big hole in it that debian hasn't fixed yet
> (or that not many users have upgraded yet).  They can then go into the doc
> directory through my web server and see whether I have it installed or
> not.  Is it possible to make this info accessible by local users only by
> default or to prompt the user during installation?  (I know I can cancel
> this easily by a manual tweak.)

Currently wn allows any user access to the /var/www/doc hierarchy
through the update-www program.  It shouldn't be difficult to modify
it to use customized access control.

However, this does raise the issue of how the users are authenticated.
Currently, wn uses basic authentication which means the passwords are
passed in the clear over the Internet.  It would therefore not be safe
to use the /etc/passwd entries.  wn also supports digest and Kerberos 4
authentication but I don't know of any HTTP clients that do.

-- 
Jean Pierre
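
The difference between the basic and digest schemes mentioned in the message above, as an added example that is not part of the original post and is not wn's code: a Basic header decodes straight back to the password, while a Digest response is a hash bound to a server nonce. The function names, the sample credentials and the /doc/ URI are constructed for illustration, and the digest calculation assumes the original form without qop.

```python
import base64
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Authorization value a client sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_from_basic(header):
    """What anyone who can read the request recovers: the password itself."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce):
    """Digest 'response' value (original form, no qop): an MD5 over the
    secret and a server-chosen nonce, so the password is never transmitted."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    user, password, realm = "alice", "example-password", "doc"
    hdr = basic_header(user, password)
    print("Basic header on the wire:", hdr)
    print("Recovered by an observer:", recover_from_basic(hdr))
    for nonce in ("nonce-1", "nonce-2"):
        resp = digest_response(user, realm, password, "GET", "/doc/", nonce)
        print(f"Digest response for {nonce}:", resp)
```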


