Martin Stjernholm wrote:
> Section 4.4 item 2 in the Debian Policy Manual implies that /usr/doc
> should be made accessible by a web server. It's not mentioned there
> that it would introduce a security weakness if access to those files
> isn't restricted to localhost. Almost every package puts files under
> /usr/doc, which, if access is unrestricted, makes it possible for
> anyone on the network to do a very detailed scan of the installed
> software on the computer, including version information in most cases.
> This sort of info is a great help for an attacker to choose an
> appropriate method to get into the system.

Interestingly, I brought this up when we formulated the policy, and was informed that I was just worrying about "security through obscurity" and it wouldn't do any good.

--
see shy jo
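
The localhost restriction raised in the quoted message, as an added example that is not part of the original thread. It assumes Apache 2.4 and that the tree is exported under the URL path /doc/; neither the server nor the path is named in the thread.

```apache
# Added example. Assumptions: Apache 2.4, /usr/doc exported as /doc/.
Alias /doc/ /usr/doc/

# Unrestricted form (left commented out): every client that can reach
# the server can list the directory and read the per-package files.
#
# <Directory /usr/doc/>
#     Options Indexes
#     Require all granted
# </Directory>

# Restricted form: only requests that originate on the machine itself
# (127.0.0.0/8, ::1, or the server's own address) are served.
<Directory /usr/doc/>
    Options Indexes
    AllowOverride None
    Require local
</Directory>
```

A request for /doc/ from another host should then return 403, while the same request made on the machine itself still returns the listing.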