
Re: Bug#23661: usr/doc should not be accessible through http servers by default



On Tue, 20 Jun 2000, Julian Gilbey wrote:

> Here's an issue.  About two years ago there was a proposal that the
> default httpd setup should not allow /usr/doc to be remotely
> accessible, as it's a huge security risk.  (Yes, we're talking about a
> small amount of "security through obscurity" here, but we don't need
> to hand crackers this information on a golden plate.)
> 
> Nothing appears to have been done about it.
> 
> Where do we go from here?  Do we steam ahead and make it policy or
> what?  Are there any good reasons why this *shouldn't* be done?

I guess it depends somewhat on what you mean by `remotely'.  I suspect you
mean "anything other than the localhost".

I can think of one situation for which this is inconvenient.  If I set up
a local net full of Debian machines, only one of which is running a web
server, this change would prevent me from using the web to browse the docs
from all the machines but one.

I won't argue that this is a "good" reason not to make the change.

It is not a tremendous burden on the admin to fix up, but a note somewhere
(`README.Debian'?  :-)) on how to enable access for a local network would
not be amiss.

-Steve
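
A sketch of the kind of note suggested above, added here as an example and not taken from the thread or from any Debian package. It assumes Apache httpd 2.4, an `Alias /doc/` mapping onto `/usr/doc`, and a constructed local network of 192.168.1.0/24.

```apache
# Assumed mapping of the documentation tree into the URL space.
Alias /doc/ /usr/doc/

<Directory "/usr/doc">
    Options Indexes
    AllowOverride None

    # Default: serve the docs only to requests that originate on this host.
    Require local

    # To let machines on a local network browse the docs, uncomment the
    # line below and substitute your own network (constructed sample value).
    # Several Require lines at this level are combined as "any of".
    # Require ip 192.168.1.0/24
</Directory>
```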




