Ubuntu 24.04 apache2: misleading comment in default /etc/apache2/apache2.conf

Bug #2068641 reported by Oliver Weihe
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Debian)
apache2 (Ubuntu)

Bug Description


I *think* the comment above the <Directory> directive is misleading in the default /etc/apache2/apache2.conf:

--- 8< ---
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied

<Directory /usr/share>
        AllowOverride None
        Require all granted

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
--- 8< ---

Placing a symlink pointing e.g. to /etc in the /var/www/html/ directory (e.g. 'ln -s /etc /var/www/html/foo') happily shows the content of /etc/ when accessing http://<server address>/foo while the comment above suggests it doesn't. From apache2 documentation this is expected(?) so I think the comment in the configuration file is misleading. I *guess* this is not limited to the current version.


--- 8< ---
# lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
--- 8< ---
# apt-cache policy apache2
  Installed: 2.4.58-1ubuntu8.1
  Candidate: 2.4.58-1ubuntu8.1
  Version table:
 *** 2.4.58-1ubuntu8.1 500
        500 http://de.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.58-1ubuntu8 500
        500 http://de.archive.ubuntu.com/ubuntu noble/main amd64 Packages
--- 8< ---

Revision history for this message
Mitchell Dzurick (mitchdz) wrote :

Hello Oliver,

Thank you for making this bug report!

This documentation is pulled directly from Debian which you can find at [0]. I think it'd be best to have a discussion about this with Debian. Would you be okay making this bug report with Debian as well?

[0] - https://salsa.debian.org/apache-team/apache2/-/blob/master/debian/config-dir/apache2.conf.in?ref_type=heads#L153

Changed in apache2 (Ubuntu):
status: New → Incomplete
Revision history for this message
Oliver Weihe (oliverwe) wrote :

Hello Mitchell,

sure, I've verified that this behaviour is identical on a current Debian system and reported it.
reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072729

Changed in apache2 (Debian):
status: Unknown → New
Revision history for this message
Paride Legovini (paride) wrote :

Thanks for filing the Debian bug. I agree what the comment isn't very clear on the "Require all denied" vs "Options FollowSymLinks" precedente (which I believe is where the confusion lies).

Looks like things have been like this for a long time (apparently those lines have been the same for >10 years), so I'm giving this Low importance. Ideally it should be fixed on the Debian side, as Mitchell suggested.

Changed in apache2 (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Low
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.