Re: Bug#23661: usr/doc should not be accessible through http servers by default
On Tue, 20 Jun 2000, Julian Gilbey wrote:
> Here's an issue. About two years ago there was a proposal that the
> default httpd setup should not allow /usr/doc to be remotely
> accessible, as it's a huge security risk. (Yes, we're talking about a
> small amount of "security through obscurity" here, but we don't need
> to hand crackers this information on a golden plate.)
>
> Nothing appears to have been done about it.
>
> Where do we go from here? Do we steam ahead and make it policy or
> what? Are there any good reasons why this *shouldn't* be done?

I guess it depends somewhat on what you mean by `remotely'. I suspect you
mean "anything other than the localhost".

I can think of one situation for which this is inconvenient. If I set up
a local net full of Debian machines, only one of which is running a web
server, this change would prevent me from using the web to browse the docs
from all the machines but one.

I won't argue that this is a "good" reason not to make the change.
It is not a tremendous burden on the admin to fix up, but a note somewhere
(`README.Debian'? :-)) on how to enable access for a local network would
not be amiss.

-Steve