author | Arno Töll <arno@debian.org> | 2013-06-08 17:51:58 +0200 |
---|---|---|
committer | Arno Töll <arno@debian.org> | 2013-06-08 17:51:58 +0200 |
commit | 2adb1c65407a37009b3e11129d04e668fa6ba31a (patch) | |
tree | 4457d4998a47cb71e9adc8a7c0a601e0727d614c | |
parent | df2364aa7e19e0301e61c9d06cf970279f6e1762 (diff) | |
download | apache2-2adb1c65407a37009b3e11129d04e668fa6ba31a.tar.gz |
Adapt our NEWS file and explain our security model
-rw-r--r-- | debian/apache2.NEWS | 5 |
-rw-r--r-- | debian/config-dir/apache2.conf | 2 |
2 files changed, 6 insertions, 1 deletions
diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS index df2e464e..8e195dc3 100644 --- a/debian/apache2.NEWS +++ b/debian/apache2.NEWS @@ -20,6 +20,11 @@ apache2 (2.4.1-1) experimental; urgency=low a2dismod mpm_worker a2enmod mpm_prefork + We did change the security model for Apache in our default configuration. We + do not allow access to the file system outside /var/www, /srv and /usr/share. + If you are running virtual hosts or scripts outside these directories, you + need to whitelist them in your configuration to grant access through HTTP. + Moreover, the configuration mechanism in Debian has changed. All configurations in sites-enabled and conf-enabled need a ".conf" suffix now. The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is diff --git a/debian/config-dir/apache2.conf b/debian/config-dir/apache2.conf index 9411bc27..fad3af3b 100644 --- a/debian/config-dir/apache2.conf +++ b/debian/config-dir/apache2.conf @@ -145,7 +145,7 @@ Include ports.conf # Sets the default security model of the Apache2 HTTPD server. It does -# not allow access to the root filesystem outside of /usr/share and +# not allow access to the root filesystem outside of /usr/share, /srv and # /var/www. The former is used by web applications packaged in Debian, # the latter may be used for local directories served by the web server. <Directory /> |
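Review bot: In the debian/apache2.NEWS hunk, the last sentence of the added paragraph tells administrators to "whitelist" directories outside /var/www, /srv and /usr/share but gives no hint of how or where. An admin upgrading to 2.4.1-1 with a virtual host under, say, /home or /opt will only see requests being refused. Suggest naming the mechanism in the entry itself, for example a `<Directory>` block with `Require all granted` for the path in question, and pointing at the default-security-model section of apache2.conf as the template. Minor wording: "We did change" reads better as "We changed".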
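Review bot: In the debian/config-dir/apache2.conf hunk, only the comment line gains /srv; nothing visible here adds or changes a `<Directory /srv/>` stanza, and the diffstat shows a single changed line in this file. Please confirm the matching access block for /srv already exists below `<Directory />`, otherwise the comment and the NEWS entry promise access that the shipped configuration does not grant. Also, with three paths listed, "The former ... the latter" no longer identifies which directory is meant, and the purpose of /srv is left unexplained; naming each path explicitly would fix that, e.g. "/usr/share is used by web applications packaged in Debian, /var/www and /srv may be used for local directories".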