On Tue, 20 Jun 2000, Julian Gilbey wrote:

> Here's an issue. About two years ago there was a proposal that the
> default httpd setup should not allow /usr/doc to be remotely
> accessible, as it's a huge security risk. (Yes, we're talking about a
> small amount of "security through obscurity" here, but we don't need
> to hand crackers this information on a golden plate.)
>
> Nothing appears to have been done about it.
>
> Where do we go from here? Do we steam ahead and make it policy or
> what? Are there any good reasons why this *shouldn't* be done?
I guess it depends somewhat on what you mean by `remotely'. I suspect you mean "anything other than the localhost".

I can think of one situation for which this is inconvenient. If I set up a local net full of Debian machines, only one of which is running a web server, this change would prevent me from using the web to browse the docs from all the machines but one.

I won't argue that this is a "good" reason not to make the change. It is not a tremendous burden on the admin to fix up, but a note somewhere (`README.Debian'? :-)) on how to enable access for a local network would not be amiss.

-Steve
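As an added illustration (not from this thread or from any Debian package's shipped configuration), here is the /doc alias in the three states under discussion, written in the Apache 1.3 mod_access syntax of the period; the 192.168.1.0/24 network is an assumed, constructed example of the "local net" the reply mentions. Only one of the Directory blocks would be kept in a real httpd.conf.

```apache
# Added example, not the Debian httpd package's own configuration.
# Pick exactly ONE of the three <Directory> blocks below.

Alias /doc/ /usr/doc/

# (a) The open default the proposal objects to: any host that can reach
#     the server can browse /usr/doc and learn which packages and
#     versions are installed.
<Directory /usr/doc/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# (b) The proposed default: only the local host may read /doc.
#     "Order deny,allow" evaluates Deny first, then Allow, so the
#     single Allow line re-admits 127.0.0.1 and everything else is 403.
<Directory /usr/doc/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

# (c) The README-style change the reply asks for: localhost plus one
#     local network (assumed 192.168.1.0/24). Apache 1.3 accepts CIDR
#     or dotted-netmask form on the same Allow line.
<Directory /usr/doc/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.0/24
</Directory>
```

On Apache 2.4 the same policy is spelled `Require local` and `Require ip 192.168.1.0/24` in place of the Order/Deny/Allow lines. After reloading, a request for /doc/ from a host outside the allowed set should return 403, which is the simplest check that the restriction took effect.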