Activity log for bug #332087

Date Who What changed Old value New value Message
2009-02-20 15:17:52 Andrew Glen-Young bug added bug
2009-02-20 16:53:54 Andrew Glen-Young description

Old value:

Binary package hint: apache2-common

Problem: Disabling the default virtual host enables 'AllowOverride Any' for the root ('/') directory and disables 'FollowSymLinks'. This affects (at least) Hardy and Intrepid's versions of Apache2.

Overview: The default Apache virtual host (/etc/apache2/sites-available/default) has a 'Directory' option for the root directory (see below). By disabling the default virtual host these directives and the protections they offer are removed.

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

Applying options to the root directory should probably not be delegated to this virtual host, even if the assumption is that the virtual host will not be disabled. Moving this section to the /etc/apache2/apache2.conf file will not alter the default configuration of the web server and will still protect the root directory even if the default virtual host is removed.

Solution: Move the 'Directory' directive for the root directory from the default virtual host file to the apache2.conf file (probably above the 'AccessFileName' directives).

New value:

Binary package hint: apache2-common

Problem: Disabling the default virtual host enables 'AllowOverride All' for the root ('/') directory and disables 'FollowSymLinks'. This affects (at least) Hardy and Intrepid's versions of Apache2.

Overview: The default Apache virtual host (/etc/apache2/sites-available/default) has a 'Directory' option for the root directory (see below). By disabling the default virtual host these directives and the protections they offer are removed.

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

Applying options to the root directory should probably not be delegated to this virtual host, even if the assumption is that the virtual host will not be disabled. Moving this section to the /etc/apache2/apache2.conf file will not alter the default configuration of the web server and will still protect the root directory even if the default virtual host is removed.

Solution: Move the 'Directory' directive for the root directory from the default virtual host file to the apache2.conf file (probably above the 'AccessFileName' directives).

2009-03-03 01:40:03 Andreas Olsson apache2: status New Confirmed
2009-03-03 01:40:03 Andreas Olsson apache2: statusexplanation I agree. <Directory /> ... </Directory> really should be set globally. That said, I'm not sure if this is a critical issue. Perhaps a more natural place to have this fix would be in the Debian package which Ubuntu inherits?