Bug#100631: [PROPOSAL] Restrict http access to /usr/share/doc
In going over some ancient policy proposals, I came across #23661,
which proposed eliminating default http access to /usr/share/doc. The
conversation wandered off into the usual "we shouldn't have services
remotely accessible by default" discussion, but I'd like to make the
following specific proposal (in section 12.5, bullet item 2:)
--- policy.sgml.orig Tue Jun 12 11:27:48 2001
+++ policy.sgml Tue Jun 12 11:34:47 2001
@@ -6494,6 +6494,13 @@
+ The web server should restrict access to the document
+ tree so that only clients on the same host can read
+ the documents. If the web server does not support such
+ access controls, then it should not provide access at
+ all, or ask about providing access during installation.
<item><p>Web Document Root</p>
I would not object to an ammendment that removed "not provide access
at all, or " from the second sentence. I would object to changing the
shoulds to musts, as the present condition has long history, and I don't
see this as a critical change.
Note that in the discussion of 23661 (http://bugs.debian.org/23661)
it was concluded that though to some extent this is "security through
obscurity", handing a cracker your complete list of installed software
was probably not a good idea.
I'm asking for seconds.