
Bug#23661: usr/doc should not be accessible through http servers by default



On Tue, Jun 20, 2000 at 09:13:47AM -0400, Steve Robbins wrote:
> > Here's an issue.  About two years ago there was a proposal that the
> > default httpd setup should not allow /usr/doc to be remotely
> > accessible, as it's a huge security risk.  (Yes, we're talking about a
> > small amount of "security through obscurity" here, but we don't need
> > to hand crackers this information on a golden plate.)
> > [...]
> I can think of one situation for which this is inconvenient.  If I set up
> a local net full of debian machines, only one of which is running a web
> server, this change would prevent me from using the web to browse the docs
> from all the machines but one.

Admin's responsibility to change this.

> It is not a tremendous burden on the admin to fix up, but a note somewhere
> (`README.Debian'?  :-)) on how to enable access for a local network would
> not be amiss.

Essentially this is an implementation issue rather than a policy
issue.  Any sysadmin who's setting up a network like that should know
what to do, but I agree that a note would be helpful.  I haven't
checked the latest apache package, but such a note might even be
present ;-)

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  Julian Gilbey, Dept of Maths, QMW, Univ. of London. J.D.Gilbey@qmw.ac.uk
        Debian GNU/Linux Developer,  see http://www.debian.org/~jdg
  Donate free food to the world's hungry: see http://www.thehungersite.com/


