The default httpd.conf installed with the Red Hat httpd RPM contains a <Directory /> clause as follows:

    # First, we configure the "default" to be a very restrictive set of
    # features.
    #
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

This is clearly a modified version of the equivalent clause in the vanilla 2.2.15 sources:

    # First, we configure the "default" to be a very restrictive set of
    # features.
    #
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

The difference is that the directives which implement the restrictive set of features have been removed from the RPM version.

Can I suggest that the comment in the RPM version is changed to something like this:

    # First, we configure the "default" to be a very liberal set of features.
    # You should consider changing these before putting your HTTP server into
    # production.

You're conflating "features" and "access control". This section of the config was inherited from upstream verbatim, though it's since been modified upstream. It disables "features" - Options and AllowOverride; restricting such config "features" is not inconsistent with an absence of access control restrictions. A broader review of our httpd.conf vs upstream would certainly be welcome, considering impact of changes like this on any shipped webapps (e.g. doing as you suggest would break people using /srv which is not really desirable). I'd rather have this discussion on the devel@ list rather than in bugzilla.
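
The distinction drawn in this thread, as an added example that is not part of either comment or of the httpd package: a small audit that reads the `<Directory />` clause and reports the "feature" restriction (AllowOverride) separately from access control. The function names and the two sample strings are constructed here from the clauses quoted in the report, and the check for the 2.4-style `Require all denied` goes beyond the 2.2.15 syntax discussed above.

```python
import re

# Constructed inputs: the two <Directory /> clauses quoted in the report above.
RPM_CONF = """<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
"""
UPSTREAM_CONF = RPM_CONF.replace(
    "</Directory>", "    Order deny,allow\n    Deny from all\n</Directory>")

def root_directives(conf_text):
    """Directives directly inside <Directory />, as (name, args) pairs; None if absent.
    Directives inside nested sections (<IfModule>, <Limit>, ...) are skipped."""
    found, inside, depth = None, False, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not inside:
            if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
                inside, found = True, found or []
        elif line.startswith("</"):
            if depth == 0:
                inside = False      # closing </Directory>
            else:
                depth -= 1          # closing a nested section
        elif line.startswith("<"):
            depth += 1              # opening a nested section
        elif depth == 0:
            name, *rest = line.split()
            found.append((name.lower(), " ".join(rest).lower()))
    return found

def audit_root(conf_text):
    """Report feature restriction and access control for <Directory /> separately."""
    directives = root_directives(conf_text)
    if directives is None:
        return {"block_present": False, "overrides_disabled": False, "access_denied": False}
    last = dict(directives)         # a later directive of the same name wins
    names = [n for n, _ in directives]
    # Simplification: 2.2 "Deny from all" counts only when no Allow line is present.
    denied_22 = ("deny", "from all") in directives and "allow" not in names
    denied_24 = ("require", "all denied") in directives
    return {"block_present": True,
            "overrides_disabled": last.get("allowoverride") == "none",
            "access_denied": denied_22 or denied_24}
```

On the RPM clause the audit reports overrides disabled but no access denial; on the vanilla 2.2.15 clause it reports both.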