
Bug#23661: usr/doc should not be accessible through http servers by default



On Tue, Jun 20, 2000 at 09:58:01AM +0100 , Julian Gilbey wrote:
> Here's an issue.  About two years ago there was a proposal that the
> default httpd setup should not allow /usr/doc to be remotely
> accessible, as it's a huge security risk.  (Yes, we're talking about a
> small amount of "security through obscurity" here, but we don't need
> to hand crackers this information on a golden plate.)
> 
> Nothing appears to have been done about it.

There was. At least in recent apache:
# Debian Policy assumes /usr/doc is "/doc/", at least from the localhost.
# 
<Directory /usr/doc>
Options Indexes FollowSymLinks
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
 
> Where do we go from here?  Do we steam ahead and make it policy or
> what?  Are there any good reasons why this *shouldn't* be done?
> 
>    Julian

				Petr Cech
-- 
Debian GNU/Linux maintainer - www.debian.{org,cz}
           cech@atrey.karlin.mff.cuni.cz

Those who don't understand Unix are condemned to reinvent it, poorly.
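
Added example, not part of the original message or of any Debian or Apache package: a small Python audit that reads an httpd configuration and reports whether a `<Directory /usr/doc>` block like the one quoted above keeps remote clients out. The function names and the `PERMISSIVE` sample are hypothetical, and the Order/Allow/Deny evaluation is a simplified model of the directives shown in the message.

```python
import re

LOCAL = {"localhost", "127.0.0.1", "::1"}

def directory_blocks(conf, path):
    """Return the directive lines of every <Directory path> block in conf."""
    pat = re.compile(r'<Directory\s+"?%s/?"?\s*>(.*?)</Directory>' % re.escape(path), re.I | re.S)
    blocks = []
    for m in pat.finditer(conf):
        lines = [l.strip() for l in m.group(1).splitlines()]
        blocks.append([l for l in lines if l and not l.startswith("#")])
    return blocks

def remote_allowed(lines):
    """True if a client that is not the local host would pass Order/Allow/Deny."""
    order, allow, deny = "deny,allow", [], []   # default order when none is given
    for line in lines:
        w = line.lower().split()
        if w[0] == "order" and len(w) > 1:
            order = "".join(w[1:])
        elif w[0] in ("allow", "deny") and len(w) > 2 and w[1] == "from":
            (allow if w[0] == "allow" else deny).extend(w[2:])
    # Simplification: any Allow target other than the local host may admit remote
    # clients; only "deny from all" is counted as denying an arbitrary remote one.
    allow_hit = any(h not in LOCAL for h in allow)
    deny_hit = "all" in deny
    if order in ("allow,deny", "mutual-failure"):
        return allow_hit and not deny_hit   # must be allowed and not denied
    return allow_hit or not deny_hit        # deny,allow: Allow overrides Deny

def audit(conf, path="/usr/doc"):
    """Classify the access control on path: missing, open or restricted."""
    blocks = directory_blocks(conf, path)
    if not blocks:
        return "missing"
    return "open" if any(remote_allowed(b) for b in blocks) else "restricted"

# The block quoted in the message, and a constructed permissive variant.
POSTED = """<Directory /usr/doc>
Options Indexes FollowSymLinks
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>"""
PERMISSIVE = """<Directory /usr/doc>
order allow,deny
allow from all
</Directory>"""
```

A block with no Order, Allow or Deny lines at all is reported as "open", because nothing in it denies a remote client.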


