Package: debian-policy
Version: 2.4.1.1
Severity: important

Section 4.4 item 2 in the Debian Policy Manual implies that /usr/doc should be made accessible by a web server. It's not mentioned there that it would introduce a security weakness if access to those files isn't restricted to localhost. Almost every package puts files under /usr/doc, which, if access is unrestricted, makes it possible for anyone on the network to do a very detailed scan of the installed software on the computer, including version information in most cases. This sort of info is a great help to an attacker in choosing an appropriate method to get into the system.
An example is the dhttpd web server package, which has this problem (see #23659). I haven't checked the other web server packages. I suggest the manual be clearer on this, and that it state clearly that a web server package shouldn't provide access through http://localhost/doc/ if it can't do so securely.

Moreover, I'm sceptical of the whole concept of providing documentation access on the standard http port; it's a service much like anonymous ftp, and as such the user should have complete and explicit control over the information it provides (well, a harmless example homepage could be excused). Even though a web server properly restricts access, it's still a limitation of the namespace available to the user; (s)he can't use /doc/... in any URL without having to break Debian policy (at least for local users).

I can see two solutions:

1. Use "file://localhost/usr/doc/" instead. I don't know whether this is a strictly valid URL or if it's supported by all browsers, but otherwise I believe it's the best solution, since it's both faster and works when a web server isn't installed.

2. Use another port, e.g. "http://localhost:666/usr/doc/". Access must be restricted to localhost, and the port should be below 1024 to ensure that no untrusted user on the system can start a web server on that port if the admin hasn't done so.

/Martin
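The two halves of the report above, as an added example that is not part of the bug report or of any Debian package: first, what an attacker harvests from an unrestricted /doc/ alias (the installed-package list, plus the version from each package's changelog), and second, the localhost-only access decision the report asks web server packages to make before serving /doc/. The index HTML and changelog text are constructed here; the layout they assume (a plain directory index of /usr/doc with one subdirectory per package, and a Debian changelog whose first line reads "pkg (version) distribution; urgency=...") is an assumption of this example, not something the report states.

```python
"""Added example: what an unrestricted /doc/ alias leaks, and the
localhost-only check a web server should apply before serving it.
Not from the bug report or from any Debian package."""
import ipaddress
import re

# Constructed sample: a directory index of /doc/ as a web server might emit it.
# Assumed layout: one <a href="pkg/"> entry per installed package.
SAMPLE_INDEX = """<html><body><h1>Index of /doc</h1><pre>
<a href="../">Parent Directory</a>
<a href="bash/">bash/</a>
<a href="debian-policy/">debian-policy/</a>
<a href="dhttpd/">dhttpd/</a>
</pre></body></html>"""

# Constructed sample: the first lines of a Debian changelog inside one of
# those directories (assumed location; the format itself is Debian's).
SAMPLE_CHANGELOG = """debian-policy (2.4.1.1) unstable; urgency=low

  * Fix a few typos.

 -- Someone <someone@example.org>  Mon, 01 Jan 1998 00:00:00 +0000
"""

_HREF = re.compile(r'<a href="([^"/]+)/">')          # subdirectory links only
_CHANGELOG_HEAD = re.compile(r'^(\S+) \(([^)]+)\) ')  # "pkg (version) ..."


def packages_from_index(html):
    """Return the package directory names visible in a /doc/ index."""
    names = []
    for name in _HREF.findall(html):
        if name == "..":          # skip the parent-directory link
            continue
        names.append(name)
    return names


def version_from_changelog(text):
    """Return (package, version) from the first changelog line, or None."""
    first = text.splitlines()[0] if text else ""
    m = _CHANGELOG_HEAD.match(first)
    return (m.group(1), m.group(2)) if m else None


# "Localhost" taken literally: loopback addresses only.
LOCAL_NETS = (ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("::1/128"))


def is_local_client(addr):
    """True only for connections that originate on this host (loopback)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # garbage or hostname: never treat as local
        return False
    return any(ip in net for net in LOCAL_NETS)


def may_serve_doc(path, client_addr):
    """Access decision the report asks for: anything under /doc/ goes to
    loopback clients only; other paths are left to the server's normal
    rules (represented by True here)."""
    if path == "/doc" or path.startswith("/doc/"):
        return is_local_client(client_addr)
    return True


if __name__ == "__main__":
    print("packages visible in /doc/ index:", packages_from_index(SAMPLE_INDEX))
    print("version from changelog:", version_from_changelog(SAMPLE_CHANGELOG))
    for client in ("127.0.0.1", "192.0.2.10"):
        print(client, "-> /doc/dhttpd/ served:", may_serve_doc("/doc/dhttpd/", client))
```

The prefix test is deliberately exact ("/doc" or "/doc/..."), so a path such as /document.html is not caught by the restriction; the match on the client address is on the connection's source address as the server sees it, not on anything in the request.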