[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Changing the default document root for HTTP server

(please keep replies limited to -devel; I'd just like to point relevant
maintainers to this thread)

I'd like to discuss a change related to the default document root for
HTTP servers in Debian. On behalf of the Apache maintainers I consider
this change a worthwhile idea, but we would like to reach consensus
among developers in general and HTTP server maintainers in particular
before pushing any change.

Currently, all web servers (as far as I am aware) are being installed
with the default document root pointing to /var/www. Let me point out
this change is _not_ going to affect existing web application packages -
these are already installed to /usr/share/application (or similar) and
are typically configured as an overlay alias into the web server (e.g.
by using a global /packagename alias or  whatever the preferred
methodology for a particular web server is). Thus this change does not
have any effects on existing packages in Debian (with one exception, see

First, consider the status quo:

* Local site administrators tend to put virtual hosts into
/var/www/sitename/htdocs or something similar. Nonetheless the default
configuration for several web servers allows access to /var/www
directly. Thus, an attacker could potentially access sensitive data by
connecting to the default virtual host instead of the configured site
unless in some scenarios unless the default configuration was
modified/disabled. Consider reading #340947 for more background.

* Using /var/www as document root violates the File Hierarchy Standard.
/var is suggested to be used for "spool directories and files,
administrative and logging data, and transient and temporary files".

Unless I'm missing something there is no better location for HTTP
documents mentioned within the FHS. Note /srv can't be used either as no
path hierarchy is specified for /srv (e.g. think of /srv/www) and we
really do not want to serve the entire /srv hierarchy as a document root

* No package should be using /var/www directly (as per policy §11.5).
However, there is one counter-example: dspam (binary package:
dspam-webfrontend). They rely on suexec which in turn requires a
compiled-in physical path which is not configurable. See #555129 for
more background.

You can see, there is no ideal solution. Thus, I'd like to do a rather
conservative change to switch the default document root for HTTP servers
from /var/www to /var/www/html. This would not need any changes to the
policy and it would not solve the FHS discrepancy. However, it would
come over the remaining problems:

* Users can put sensitive data into /var/www, /var/www/whatever.
* Packages can put their configuration into /var/www/packagename if
/usr/share/packagename is not possible with a slight decreased risk of
unwanted side-effects.
* Compatibility to programs relying on suexec remains intact.
* Average users do not need to disable/edit the default configuration
and they do not need to worry about sensitive information disclosed by
accidentally matching last-resort catch-all name based hosts anymore.

Thus, to summarize once again: I'd like to change the default directory
served by web servers from /var/www to /var/www/html along with
remaining web servers in Debian.


with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: