
Bug#23661: usr/doc should not be accessible through http servers by default



On Tue, Jun 20, 2000 at 02:35:45PM +0200, Petr Cech wrote:
> On Tue, Jun 20, 2000 at 09:58:01AM +0100 , Julian Gilbey wrote:
> > Here's an issue.  About two years ago there was a proposal that the
> > default httpd setup should not allow /usr/doc to be remotely
> > accessible, as it's a huge security risk.  (Yes, we're talking about a
> > small amount of "security through obscurity" here, but we don't need
> > to hand crackers this information on a golden plate.)

> > Nothing appears to have been done about it.

> there was. At least in recent apache

Ah, but let us keep in mind that Apache is not the only httpd in
Debian.  I'm sure it's a nice server, but I'm also sure it's overkill
for my workstation, so I don't use it.

There does seem to be a bit of a tendency among some people to say
"all httpd problems can be fixed by fixing Apache," which simply isn't
true.  We also have at least: aolserver, boa (my fav), cern-httpd,
dhttpd and roxen.  And that's not even looking at non-free.
-- 
Chris Waters   xtifr@dsp.net | I have a truly elegant proof of the
      or    xtifr@debian.org | above, but it is too long to fit into
                             | this .signature file.


