[Pkg-erlang-devel] Bug#730381: Bug#730381: yaws: Please change the default document root to /var/www/html

Sergei Golovan sgolovan at nes.ru
Sun Nov 24 16:36:22 UTC 2013


severity 730381 wishlist
tags 730381 + wontfix
thanks

Hi Arno,

On Sun, Nov 24, 2013 at 6:50 PM,  <arno at debian.org> wrote:
>
> as discussed last year in <4F8A1567.80906 at debian.org> [1] I'd now
> take the current development cycle to actually change the default
> Document Root in Debian's http servers. The reasons are outlined in
> the referenced mailing list thread, but once again, in short:
>
> Our webservers set the default document root to /var/www, whereas
> site-local administrators tend to use /var/www/example.com. This has
> security implications if visitors access the default document root,
> bypassing the /supposed/ document root of example.com. That's
> problematic if sensitive data is placed outside the supposed
> document root (e.g. consider a hypothetical
> /var/www/example-com-db.conf configuration file).

YAWS doesn't use /var/www as the default document root as of now. It
is shipped with two virtual server configurations, both for localhost
(with and without SSL), so they are suitable only to provide examples.
Both use the /usr/share/yaws document root, which doesn't have a security
problem, so I don't want to change this.

Cheers!
-- 
Sergei Golovan
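
The exposure described in the quoted bug report can be checked on a directory layout as follows. This is an added example, not part of the original thread or of any Debian package; the function names and the temporary directory tree are constructed for illustration and mirror the /var/www/example-com-db.conf case.

```python
import os
import tempfile

def exposed_by_default_root(default_root, site_roots):
    """Return files under default_root that lie outside every site docroot.

    Such files are served by the default virtual host even though no
    site-specific virtual host would serve them.
    """
    default_root = os.path.realpath(default_root)
    sites = [os.path.realpath(r) for r in site_roots]
    exposed = []
    for dirpath, dirnames, filenames in os.walk(default_root):
        # Do not descend into a site's own document root.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in sites]
        for name in filenames:
            full = os.path.join(dirpath, name)
            exposed.append(os.path.relpath(full, default_root))
    return sorted(exposed)

def build_sample_tree(base):
    """Constructed layout mirroring the example in the bug report."""
    www = os.path.join(base, "var", "www")
    os.makedirs(os.path.join(www, "example.com"))
    os.makedirs(os.path.join(www, "html"))
    for rel in ("example.com/index.html", "example-com-db.conf",
                "html/index.html"):
        with open(os.path.join(www, rel), "w") as fh:
            fh.write("constructed sample\n")
    return www

def demo():
    """Compare the old default root (/var/www) with the proposed one."""
    with tempfile.TemporaryDirectory() as base:
        www = build_sample_tree(base)
        site = [os.path.join(www, "example.com")]
        old = exposed_by_default_root(www, site)
        new = exposed_by_default_root(os.path.join(www, "html"), site)
        return old, new

if __name__ == "__main__":
    old, new = demo()
    print("default root /var/www exposes:     ", old)
    print("default root /var/www/html exposes:", new)
```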


