Package: apache2-common
Severity: wishlist

Hi,

suexec's default configuration forces cgi-scripts to be in /var/www, even for virtual hosts. OTOH, /etc/apache2/sites-available/default has a quite liberal access policy and would allow access to /var/www/www.foo.example/htdocs via the default virtual host, which might not be desirable.

Please consider having a default definition for a "virtual host directory" like /var/www/virtual-hosts, which has "deny from all" set in /etc/apache2/sites-available/default in the package version of the conffile:

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>
        <Directory /var/www/virtual-hosts>
                Order allow,deny
                deny from all
        </Directory>

Then, /var/www/virtual-hosts/www.foo.example could be used as document root for a virtual host without having it accessible from the default virtual host, and suexec could be used.

Greetings
Marc

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.2-zgsrv
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
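
A virtual host definition that would use the directory layout proposed in the report, as an added example that is not part of the original message or of the Debian package. The file name, the account "foo", and the htdocs/cgi-bin split below the host directory are assumptions made for illustration.

```apache
# Hypothetical file: /etc/apache2/sites-available/www.foo.example
# Added example; "foo" and the htdocs/cgi-bin layout are assumptions.
<VirtualHost *>
        ServerName www.foo.example

        # Below /var/www, so suexec's document-root check still passes,
        # and below /var/www/virtual-hosts, which the default virtual
        # host denies in the proposed conffile.
        DocumentRoot /var/www/virtual-hosts/www.foo.example/htdocs

        # Run this host's CGI scripts as an unprivileged account.
        # suexec also requires the script and its directory to be owned
        # by this user and not writable by group or others.
        SuexecUserGroup foo foo

        # Grant access only within this virtual host.
        <Directory /var/www/virtual-hosts/www.foo.example/htdocs>
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        # Keep scripts outside htdocs so they are never served as files.
        ScriptAlias /cgi-bin/ /var/www/virtual-hosts/www.foo.example/cgi-bin/
        <Directory /var/www/virtual-hosts/www.foo.example/cgi-bin>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
```

With both files enabled, a request to the default virtual host for /virtual-hosts/www.foo.example/htdocs/ should be answered with 403, while the same content is served normally under the www.foo.example host name.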