From a6fd25c46f4e27ef2923977beb0c18e505176395 Mon Sep 17 00:00:00 2001 From: Arno Töll Date: Sun, 24 Nov 2013 16:09:43 +0100 Subject: Change the default document root to /var/www/html --- debian/apache2.NEWS | 8 ++++++++ debian/apache2.dirs | 2 +- debian/apache2.postinst | 2 +- debian/changelog | 4 +++- debian/config-dir/sites-available/000-default.conf | 2 +- debian/config-dir/sites-available/default-ssl.conf | 2 +- debian/index.html | 8 ++++---- 7 files changed, 19 insertions(+), 9 deletions(-) diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS index 75be4ce3..b4141511 100644 --- a/debian/apache2.NEWS +++ b/debian/apache2.NEWS @@ -34,6 +34,14 @@ apache2 (2.4.1-1) unstable; urgency=low allow access to your served directory explicity in the corresponding virtual host, or by allowing access in apache2.conf as proposed. + Along the security model, we did also change the default Document Root, files + are served from. Previous releases served /var/www by default when no other + virtual host matched the request. Starting with this release, we changed the + default document root to /var/www/html, so that sensitive files from other + virtual hosts wich are typically put into some directory below /var/www are + not exposed by the default virtual host. This change further improves the out + of box security. + Moreover, the configuration mechanism in Debian has changed. All configurations in sites-enabled and conf-enabled need a ".conf" suffix now. The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is diff --git a/debian/apache2.dirs b/debian/apache2.dirs index 9ef4c246..531c08f3 100644 --- a/debian/apache2.dirs +++ b/debian/apache2.dirs @@ -8,5 +8,5 @@ usr/share/lintian/overrides var/cache/apache2 var/cache/apache2/mod_cache_disk var/log/apache2 -var/www +var/www/html usr/share/bug/apache2 diff --git a/debian/apache2.postinst b/debian/apache2.postinst index f32cc54e..3704f779 100644 --- a/debian/apache2.postinst +++ b/debian/apache2.postinst 
@@ -283,7 +283,7 @@ install_default_files() ! -e /var/www/index.php -a \ ! -e /var/www/index.xhtml -a \ ! -e /var/www/index.htm ] ; then - cp /usr/share/apache2/default-site/index.html /var/www/index.html + cp /usr/share/apache2/default-site/index.html /var/www/html/index.html fi fi } diff --git a/debian/changelog b/debian/changelog index fbfa0ee4..e9f29495 100644 --- a/debian/changelog +++ b/debian/changelog @@ -32,9 +32,11 @@ apache2 (2.4.6-4) UNRELEASED; urgency=low * Remove Steinar H. Gunderson from uploaders, he will continue to support itk in his own package in future. The remaining Apache team thanks Steinar for all the work in the past. + * Change the Default Document root directory where files are served from + (Closes: #730372). - -- Arno Töll Thu, 07 Nov 2013 22:46:29 +0100 + -- Arno Töll Sun, 24 Nov 2013 16:04:50 +0100 apache2 (2.4.6-3) unstable; urgency=low diff --git a/debian/config-dir/sites-available/000-default.conf b/debian/config-dir/sites-available/000-default.conf index e3c973d7..cfe8df57 100644 --- a/debian/config-dir/sites-available/000-default.conf +++ b/debian/config-dir/sites-available/000-default.conf @@ -9,7 +9,7 @@ #ServerName www.example.com ServerAdmin webmaster@localhost - DocumentRoot /var/www + DocumentRoot /var/www/html # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. diff --git a/debian/config-dir/sites-available/default-ssl.conf b/debian/config-dir/sites-available/default-ssl.conf index 25b20caf..432b9650 100644 --- a/debian/config-dir/sites-available/default-ssl.conf +++ b/debian/config-dir/sites-available/default-ssl.conf @@ -2,7 +2,7 @@ ServerAdmin webmaster@localhost - DocumentRoot /var/www + DocumentRoot /var/www/html # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. diff --git a/debian/index.html b/debian/index.html index 5cad971a..854d44f4 100644 --- a/debian/index.html +++ b/debian/index.html 
@@ -224,7 +224,7 @@ operation of the Apache2 server after it has been installed on Debian systems. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should replace this file (located at - /var/www/index.html) before continuing to operate your HTTP server. + /var/www/html/index.html) before continuing to operate your HTTP server.

@@ -324,9 +324,9 @@ document root directory in /etc/apache2/apach2.conf.

- XXX: Write here where to place additional doc roots/explain the - /var/www issue. This needs a decision on the doc root first, - though. + The default Debian document root is /var/www/html. You + can make your own virtual hosts under /var/www. This is different + to previous releases to provide better security out of the box.
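Review bot: In debian/apache2.NEWS the new paragraph is appended to the existing apache2 (2.4.1-1) entry, while debian/changelog records the change under 2.4.6-4. Upgrade tooling that displays NEWS entries shows only entries newer than the installed version, so a system already running a 2.4.x package would not be shown this notice even though the default document root moves. Consider adding a separate NEWS entry for the version that ships the change. The added text also contains a typo ("wich" for "which"), and its first sentence ("Along the security model, we did also change the default Document Root, files are served from.") is hard to parse; something like "As part of the new security model, the default document root has also changed." would be clearer.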
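Review bot: In install_default_files() in debian/apache2.postinst, the copy destination moves to /var/www/html/index.html, but the guard conditions visible in the hunk still test "! -e /var/www/index.php", "! -e /var/www/index.xhtml" and "! -e /var/www/index.htm". The guard and the destination now refer to different directories: an index file already present in /var/www/html does not stop the placeholder from being copied there, while a leftover index file in /var/www suppresses the copy into the new root. Point the existence tests at /var/www/html as well, and check that any test above the visible context was updated in the same way.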
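Review bot: The debian/changelog entry "Change the Default Document root directory where files are served from" does not name either path. Stating the old and new values (/var/www to /var/www/html) in the entry would let an administrator searching the changelog for a broken site find the cause without opening the bug report.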
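Review bot: In the second debian/index.html hunk, the replacement text says "You can make your own virtual hosts under /var/www" but never states the consequence that matters to someone reading this page after an upgrade: content placed directly in /var/www is no longer served by the default virtual host. Suggest saying that explicitly and naming the reason given in apache2.NEWS (files of other virtual hosts below /var/www are not exposed by the default one), since "better security out of the box" on its own does not tell the reader what to move or why. The hunk header context also refers to /etc/apache2/apach2.conf, which looks like a typo for apache2.conf and could be fixed in the same change.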

-- cgit v1.2.3