
Bug#23661: marked as done ([REJECTED] /usr/doc should not be accessible through http servers by default)



Your message dated Sun, 28 Mar 2004 17:45:26 +0200
with message-id <20040328154526.GD25294@mails.so.argh.org>
and subject line Has been fixed for more than six month
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Jun 1998 23:22:47 +0000
Received: (qmail 28749 invoked from network); 17 Jun 1998 23:22:47 -0000
Received: from starbug.rydnet.lysator.liu.se (root@130.236.249.110)
  by debian.novare.net with SMTP; 17 Jun 1998 23:22:47 -0000
Received: by starbug.rydnet.lysator.liu.se
	via sendmail from stdin
	id <m0ymRXR-0002cPC@starbug.rydnet.lysator.liu.se> (Debian Smail3.2.0.101)
	for submit@bugs.debian.org; Thu, 18 Jun 1998 01:22:45 +0200 (CEST) 
To: submit@bugs.debian.org
Subject: Security issue when accessing documentation through an http server
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: text/plain; charset=US-ASCII
From: Martin Stjernholm <mast@lysator.liu.se>
Date: 18 Jun 1998 01:22:45 +0200
Message-ID: <7mvhpzr4u2.fsf@starbug.rydnet.lysator.liu.se>
Lines: 41
X-Mailer: Gnus v5.5/Emacs 19.34

Package: debian-policy
Version: 2.4.1.1
Severity: important

Section 4.4 item 2 in the Debian Policy Manual implies that /usr/doc
should be made accessible by a web server. It's not mentioned there
that it would introduce a security weakness if access to those files
isn't restricted to localhost. Almost every package puts files under
/usr/doc, which, if access is unrestricted, makes it possible for
anyone on the network to do a very detailed scan of the installed
software on the computer, including version information in most cases.
This sort of info is a great help for an attacker to choose an
appropriate method to get into the system.

An example is the dhttpd web server package, which has this problem
(see #23659). I haven't checked the other web server packages.

I suggest the manual be more clear on this, and that it states clearly
that a web server package shouldn't provide access through
http://localhost/doc/ if it can't do it securely.

Moreover, I'm sceptical of the whole concept of providing documentation
access on the standard http port; it's a service much like anonymous
ftp, and as such the user should have complete and explicit control
over the information it provides (well, a harmless example homepage
could be excused). Even though a web server properly restricts access,
it's still a limitation of the namespace available to the user; (s)he
can't use /doc/... in any URL without having to break Debian policy
(at least for local users). I can see two solutions:

1.  Use "file://localhost/usr/doc/" instead. I don't know whether this
    is a strictly valid URL or if it's supported by all browsers, but
    otherwise I believe it's the best solution, since it's both faster
    and works when a web server isn't installed.

2.  Use another port, e.g. "http://localhost:666/usr/doc/". Access
    must be restricted to localhost and the port should be below 1024
    to ensure that no untrusted user on the system can start a web
    server on that port if the admin hasn't done so.

/Martin
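The report's remedy is that a web server package serving /doc/ must restrict it to localhost. The following is an added example, not code from the bug report or from any Debian web server package, of that access decision written out as a small policy check: a request whose normalized path falls under /doc/ is allowed only when the TCP peer is a loopback address. The /doc/ alias, the `Request` type, the `decide` function and the sample requests are constructed for this example; the peer address is taken from the socket, never from a client-supplied header.

```python
"""Added example (not part of the Debian bug report): the localhost-only
access check the report asks web-server packages to apply to /doc/.

The decision uses the address of the TCP peer as reported by the socket.
Headers such as X-Forwarded-For are controlled by the remote client and
are deliberately not consulted.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

DOC_PREFIX = "/doc/"  # assumed alias, matching http://localhost/doc/ in the report


class Request(NamedTuple):
    peer_ip: str   # address of the TCP peer, from the socket (constructed here)
    path: str      # request path, already percent-decoded


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments so '/images/../doc/x' is seen as '/doc/x'."""
    parts: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    normalized = "/" + "/".join(parts)
    if path.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.y.z."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # An unparseable peer address is never treated as local.
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def decide(req: Request) -> str:
    """Return 'allow' or 'deny' under the policy: /doc/ is loopback-only."""
    path = normalize_path(req.path)
    under_doc = path == DOC_PREFIX.rstrip("/") or path.startswith(DOC_PREFIX)
    if under_doc and not is_loopback(req.peer_ip):
        return "deny"
    return "allow"


# Constructed sample requests; 192.0.2.7 is a documentation address (RFC 5737).
SAMPLE_REQUESTS = [
    Request("127.0.0.1", "/doc/dhttpd/copyright"),
    Request("::1", "/doc/"),
    Request("::ffff:127.0.0.1", "/doc/index.html"),
    Request("192.0.2.7", "/doc/"),
    Request("10.0.0.5", "/images/../doc/README"),
    Request("10.0.0.5", "/index.html"),
    Request("not-an-ip", "/doc/"),
]


def audit(requests=SAMPLE_REQUESTS) -> List[Tuple[str, str, str]]:
    """Apply the policy to each request and return (peer, path, verdict)."""
    return [(r.peer_ip, r.path, decide(r)) for r in requests]


if __name__ == "__main__":
    for peer, path, verdict in audit():
        print(f"{verdict:5} {peer:>18} {path}")
```

The path is normalized before the prefix test so that a traversal-style path reaching /doc/ through another directory is still caught by the rule, and IPv4-mapped IPv6 loopback is unwrapped so a dual-stack listener does not treat ::ffff:127.0.0.1 as remote.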
---------------------------------------
Received: (at 23661-done) by bugs.debian.org; 28 Mar 2004 15:45:29 +0000
From aba@not.so.argh.org Sun Mar 28 07:45:29 2004
Return-path: <aba@not.so.argh.org>
Received: from mail-in.m-online.net [62.245.150.237] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1B7cTY-0007Po-00; Sun, 28 Mar 2004 07:45:28 -0800
Received: from mail.m-online.net (svr14.m-online.net [192.168.3.144])
	by svr8.m-online.net (Postfix) with ESMTP id 6FA634BF4E;
	Sun, 28 Mar 2004 17:45:27 +0200 (CEST)
Received: from sol.so.argh.org (ppp-82-135-4-50.mnet-online.de [82.135.4.50])
	by mail.m-online.net (Postfix) with ESMTP id 2A8636AA10;
	Sun, 28 Mar 2004 17:45:27 +0200 (CEST)
Received: from aba by sol.so.argh.org with local (Exim 4.22 #1 (Debian) [+prerelease])
	id 1B7cTW-00076R-AV; Sun, 28 Mar 2004 17:45:26 +0200
Date: Sun, 28 Mar 2004 17:45:26 +0200
From: Andreas Barth <aba@not.so.argh.org>
To: 23661-done@bugs.debian.org, 27205-done@bugs.debian.org,
	33251-done@bugs.debian.org, 36151-done@bugs.debian.org,
	37999-done@bugs.debian.org, 39125-done@bugs.debian.org,
	42870-done@bugs.debian.org, 43724-done@bugs.debian.org,
	51473-done@bugs.debian.org, 54985-done@bugs.debian.org,
	62768-done@bugs.debian.org, 63598-done@bugs.debian.org,
	65578-done@bugs.debian.org, 71805-done@bugs.debian.org,
	78014-done@bugs.debian.org, 79541-done@bugs.debian.org,
	82595-done@bugs.debian.org, 83669-done@bugs.debian.org,
	85500-done@bugs.debian.org, 88058-done@bugs.debian.org,
	100586-done@bugs.debian.org, 101162-done@bugs.debian.org,
	102917-done@bugs.debian.org, 109171-done@bugs.debian.org,
	119559-done@bugs.debian.org, 191036-done@bugs.debian.org,
	197835-done@bugs.debian.org
Subject: Has been fixed for more than six month
Message-ID: <20040328154526.GD25294@mails.so.argh.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-Editor: Vim http://www.vim.org/
Delivered-To: 23661-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Hi,

this bug was set to the status "fixed" more than six months ago, so I'm
closing it now. For an announcement of this, see
http://lists.debian.org/debian-policy/2004/debian-policy-200403/msg00042.html


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C