Ubuntu

Disabling the default virtual host disables options on the root directory ('/').

Reported by Andrew Glen-Young on 2009-02-20
4
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: apache2-common

Problem:

Disabling the default virtual host enables 'AllowOverride All' for the root ('/') directory and disables 'FollowSymlinks'.
This effects (at least) Hardy and Intrepid's versions of Apache2.

Overview:

The default Apache virtual host (/etc/apache2/sites-available/default) has a 'Directory' option for the root directory (see below). By disabling the default virtual host these directives and the protections they offer are removed.

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

Applying options to the root directory should probably not be delegated to this virtual host, even if the assumption is that the virtual host will not be disabled.

Moving this section to /etc/apache2/apache2.conf file will not alter the default configuration of the web server and will still protect the root directory even if the default virtual host is removed.

Solution:

Move the 'Directory' directive for the root directory from the default virtual host file to the apache2.conf file (probably above the 'AccessFileName' directives).

description: updated
Andreas Olsson (andol) wrote :

I agree. <Directory /> ... </Directory> really should be set globally.

That said I'm not sure if this is a critical issue. Perhaps a more natural place to have this fix would be in the Debian package which Ubuntu inheritate?

Changed in apache2:
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers