Hello, (please keep replies limited to -devel; I'd just like to point relevant maintainers to this thread)
I'd like to discuss a change related to the default document root for HTTP servers in Debian. On behalf of the Apache maintainers I consider this change a worthwhile idea, but we would like to reach consensus among developers in general and HTTP server maintainers in particular before pushing any change.

Currently, all web servers (as far as I am aware) are being installed with the default document root pointing to /var/www. Let me point out this change is _not_ going to affect existing web application packages - these are already installed to /usr/share/application (or similar) and are typically configured as an overlay alias into the web server (e.g. by using a global /packagename alias or whatever the preferred methodology for a particular web server is). Thus this change does not have any effects on existing packages in Debian (with one exception, see below).

First, consider the status quo:

* Local site administrators tend to put virtual hosts into /var/www/sitename/htdocs or something similar. Nonetheless the default configuration for several web servers allows access to /var/www directly. Thus, in some scenarios an attacker could potentially access sensitive data by connecting to the default virtual host instead of the configured site, unless the default configuration was modified or disabled. Consider reading #340947 for more background.

* Using /var/www as document root violates the Filesystem Hierarchy Standard. /var is suggested to be used for "spool directories and files, administrative and logging data, and transient and temporary files". Unless I'm missing something there is no better location for HTTP documents mentioned within the FHS. Note /srv can't be used either as no path hierarchy is specified for /srv (e.g. think of /srv/www) and we really do not want to serve the entire /srv hierarchy as a document root either.

* No package should be using /var/www directly (as per policy §11.5). However, there is one counter-example: dspam (binary package: dspam-webfrontend). They rely on suexec which in turn requires a compiled-in physical path which is not configurable. See #555129 for more background.

You can see, there is no ideal solution. Thus, I'd like to do a rather conservative change to switch the default document root for HTTP servers from /var/www to /var/www/html. This would not need any changes to the policy and it would not solve the FHS discrepancy. However, it would overcome the remaining problems:

* Users can put sensitive data into /var/www or /var/www/whatever.

* Packages can put their configuration into /var/www/packagename if /usr/share/packagename is not possible, with a slightly decreased risk of unwanted side-effects.

* Compatibility with programs relying on suexec remains intact.

* Average users do not need to disable/edit the default configuration and they do not need to worry about sensitive information disclosed by accidentally matching last-resort catch-all name-based hosts anymore.

Thus, to summarize once again: I'd like to change the default directory served by web servers from /var/www to /var/www/html, along with the remaining web servers in Debian.

Comments?

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
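An added check, not part of the mail above or of any Debian package, that shows the overlap the first status-quo bullet describes: with a catch-all vhost rooted at /var/www, a site placed at /var/www/example.test/htdocs is reachable through the default host, whereas with /var/www/html it is not. The two config fragments and the hostname example.test are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original mail. Two constructed Apache-style
# fragments: the old default (DocumentRoot /var/www, with a site underneath
# it) and the proposed default (DocumentRoot /var/www/html).
OLD_DEFAULT_CONF='<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /var/www
</VirtualHost>
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example.test/htdocs
</VirtualHost>'

NEW_DEFAULT_CONF='<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example.test/htdocs
</VirtualHost>'

# List DocumentRoot values in config order; Apache uses the first vhost on a
# listener as the catch-all for requests whose Host header matches nothing.
document_roots() {
    printf '%s\n' "$1" |
        awk '$1 == "DocumentRoot" { gsub(/"/, "", $2); sub(/\/+$/, "", $2); print $2 }'
}

# Exit 0 when the catch-all DocumentRoot is an ancestor of another vhost's
# DocumentRoot (that site's files are reachable via the default host), else 1.
default_root_overlaps() {
    roots=$(document_roots "$1")
    first=$(printf '%s\n' "$roots" | head -n 1)
    printf '%s\n' "$roots" | tail -n +2 | {
        while read -r r; do
            case "$r" in
                "$first"/*) exit 0 ;;
            esac
        done
        exit 1
    }
}

# Stand-alone run on the constructed fragments.
default_root_overlaps "$OLD_DEFAULT_CONF" && echo "old default: overlap (site exposed via catch-all host)"
default_root_overlaps "$NEW_DEFAULT_CONF" || echo "new default: no overlap"
```

Run it against a real configuration by feeding `document_roots` the concatenated enabled vhost files in their load order; the check only looks at DocumentRoot lines, so Alias directives and per-directory access rules still need manual review.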