Bug 74174 - Configuration defaults to ill advised values
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: httpd
Version: 8.0
Platform: i386 Linux
Severity: medium
Assigned To: Joe Orton
Brian Brock
Reported: 2002-09-17 08:31 EDT by Rui Miguel Seabra
Modified: 2007-04-18 12:46 EDT (History)
Last Closed: 2004-05-02 17:17:31 EDT
Description Rui Miguel Seabra 2002-09-17 08:31:46 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020606

Description of problem:
Many default values in Red Hat's Apache httpd.conf use ill-advised values; for
instance, the default value for Options should be None, and then you just set an
extra option here and there as you really need it.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
  * FollowSymLinks
    you immediately have ln -s /sensitive/file fileOnTheWeb
  * Indexes
    potential directory disclosures
  * MultiViews
    potential bugs due to more complex code

  * ServerSignature On
    Shows too much info

  * ServerTokens OS
    Shows too much info

Additional info:

Some recommendations:
  * FollowSymLinks
    you immediately have ln -s /sensitive/file fileOnTheWeb
    Change to: SymLinksIfOwnerMatch
    if you really have to use symlinks

  * Indexes
    potential directory disclosures
    Should not be used at all unless you expect it to do it.

  * MultiViews
    potential bugs due to more complex code

  * ServerSignature On
    Shows too much info, should be just Off

  * ServerTokens OS
    Shows too much info, should be just Prod so it would result in
    "Server: Apache" (no version, no OS, no anything... just Apache)
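The settings the report objects to, followed by the same DocumentRoot stanza with the reporter's recommendations applied, as an httpd.conf fragment. This is an added illustration, not the bug's or Red Hat's own configuration file; the DocumentRoot path /var/www/html and the two sub-directories are assumed.

```apache
# Added illustration (not Red Hat's shipped httpd.conf): the defaults as
# the report describes them, then the hardened form. Paths are assumed.
# Apache does not allow trailing comments, so every comment is on its own line.

# --- defaults as described in the report ---
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    # Indexes lists any directory that has no index file;
    # FollowSymLinks serves whatever a symlink points at, if httpd can read it
    Options Indexes FollowSymLinks
</Directory>

# --- hardened per the report's recommendations ---
# header becomes "Server: Apache" only: no version, no OS
ServerTokens Prod
# no version footer on error pages and directory listings
ServerSignature Off
<Directory "/var/www/html">
    # start from nothing, then add options only where they are needed
    Options None
</Directory>
<Directory "/var/www/html/downloads">
    # a listing is intended here; "+" adds to the inherited (empty) set
    Options +Indexes
</Directory>
<Directory "/var/www/html/shared">
    # follow a symlink only when link and target have the same owner;
    # the extra stat calls per request are the cost the maintainer notes
    Options +SymLinksIfOwnerMatch
</Directory>
```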
Comment 1 Joe Orton 2004-05-02 17:17:31 EDT
Thanks for the suggestions. In general, our default httpd.conf stays
close to upstream except where we have particular reason to differ. 
So, if you can make your case upstream, you have a better chance of
getting these changed.

- "FollowSymlinks off" hurts performance since it adds many more stat
calls per request

- MultiViews has not been enabled in the docroot ever AFAICT.

- Indexes, ServerTokens, ServerSignature: these are all acceptable
trade-offs between usability and security.
