Bug 621133 - Misleading comment in httpd.conf
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: httpd
Version: 13
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-08-04 07:05 EDT by Dave McNeill
Modified: 2010-08-04 09:09 EDT
Doc Type: Bug Fix
Last Closed: 2010-08-04 09:09:58 EDT


Description Dave McNeill 2010-08-04 07:05:51 EDT
The default httpd.conf installed with the Red Hat httpd RPM contains a <Directory /> clause as follows:

# First, we configure the "default" to be a very restrictive set of 
# features.  
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

This is clearly a modified version of the equivalent clause in the vanilla 2.2.15 sources:

# First, we configure the "default" to be a very restrictive set of 
# features.  
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

The difference is that the directives which implement the restrictive set of features have been removed from the RPM version. Can I suggest that the comment in the RPM version is changed to something like this:

# First, we configure the "default" to be a very liberal set of features.
# You should consider changing these before putting your HTTP server into
# production.
Comment 1 Joe Orton 2010-08-04 09:09:58 EDT
You're conflating "features" and "access control".  This section of the config was inherited from upstream verbatim, though it's since been modified upstream.  It disables "features" - Options and AllowOverride, restricting such config "features" is not inconsistent with an absence of access control restrictions.

A broader review of our httpd.conf vs upstream would certainly be welcome, considering impact of changes like this on any shipped webapps (e.g. doing as you suggest would break people using /srv which is not really desirable).  I'd rather have this discussion on the devel@ list rather than in bugzilla.
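
The distinction drawn in Comment 1, applied to the two blocks quoted in the description, as an added example (not code from this bug report or from httpd): a Python check that sorts the directives inside `<Directory />` into feature settings and Apache 2.2 host-based access control, then reports whether the root is denied by default. The function names and result keys are assumptions of this example, and only `Options`, `AllowOverride`, `Order`, `Allow` and `Deny` are recognised.

```python
import re

# Apache 2.2 directives, split the way Comment 1 splits them.
FEATURE = {"options", "allowoverride"}
ACCESS = {"order", "allow", "deny"}

# The two <Directory /> blocks quoted in the description.
FEDORA = """<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>"""
UPSTREAM = """<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>"""

def root_directives(conf):
    """Return lowercased (name, args) pairs from every <Directory /> block."""
    found, inside = [], False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
            inside = True
        elif re.fullmatch(r"</Directory\s*>", line, re.I):
            inside = False
        elif inside:
            name, *rest = line.lower().split()
            found.append((name, " ".join(rest)))
    return found

def audit_root(conf):
    """Classify the root block and say whether it denies access by default."""
    directives = root_directives(conf)
    access = [d for d in directives if d[0] in ACCESS]
    # With no Order directive, 2.2 behaves as "Order deny,allow".
    order = ([a for n, a in access if n == "order"] or ["deny,allow"])[-1]
    has_allow = any(n == "allow" for n, _ in access)
    if order == "deny,allow":
        default_deny = ("deny", "from all") in access and not has_allow
    else:  # allow,deny and mutual-failure reject requests no Allow matches
        default_deny = not has_allow
    return {"features": [d for d in directives if d[0] in FEATURE],
            "access_control": access, "default_deny": default_deny}
```

Both blocks yield the same `features` list; only the upstream block has any `access_control` entries and a `default_deny` of `True`.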
