> The default configuration file, apache2.conf, of apache2 should have the > following directory denying directive in apache2.conf instead of the > 000-default VirtualHost because if a VirtualHost is added and under that > VirtualHost's DocumentRoot the user makes a symlink to "/", he can > access the whole filesystem. > > Config lines to be added to /etc/apache2/apache2.conf: > > <Directory /> > Order Deny,Allow > Deny from all > </Directory>
I do think this is a good idea. I agree with Tollef that it's always possible to misconfigure a system, but it would be good if the system would try to prevent obvious mistakes in its default configurations. Allowing access to entire filesystem is hardly ever necessary. A default policy of denying access to the root filesystem therefore makes sense. The user can explicitly tell Apache which files *are* allowed. Mistakes will always be made, and if we can limit their damage, why not do it? Thijs
signature.asc
Description: This is a digitally signed message part