Date: Wed, 19 Jun 2002 15:42:40 -0600
From: Brett Glass <brett@lariat.org>
To: Jason DiCioccio <jd@epylon.com>, Jan Lentfer <Jan.Lentfer@web.de>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Apache 1.3.26 port
Message-ID: <4.3.2.7.2.20020619153728.02374d30@localhost>
In-Reply-To: <B936423A.2B5C%jd@epylon.com>
References: <4.3.2.7.2.20020619150748.0236b1d0@localhost>

P.S. -- While Apache's own "make install" is gentler on your data files than the current port, one thing it does that is *not* good, and persists in the port, is install things, out of the box, that the administrator might not want. For example, it always installs its own documentation and makes it publicly available from your server. A security risk? Probably not, but still not a good thing.

Even experienced admins, such as the administrators of the FreeBSD Web site, often don't catch this problem. For example, if you go to http://www.freebsd.org/manual/ you will find -- guess what? -- the Apache manual, not a FreeBSD manual as you might expect. Apache's default httpd.conf creates an alias for its documentation at this location unless you edit the alias out of httpd.conf.

The FreeBSD port/package of Apache should, IMHO, turn this off.
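
As an added example (not part of the original message, and not code from Apache or the FreeBSD port), the following audit finds active alias lines in an httpd.conf that publish content under /manual/ and returns the file with those lines commented out. The sample configuration, its paths, and the function names find_aliases and comment_out are assumptions made for the illustration.

```python
import shlex

# Constructed httpd.conf fragment for this example; paths are placeholders.
SAMPLE_CONF = '''\
ServerName www.example.org
DocumentRoot "/usr/local/www/data"
# Alias /manual/ "/old/location/"
Alias /icons/ "/usr/local/www/icons/"
alias /manual/ "/usr/local/share/doc/apache/"
'''

# Plain prefix aliases only; regex variants (AliasMatch) are not interpreted.
ALIAS_DIRECTIVES = {"alias", "scriptalias"}


def find_aliases(conf_text, url_prefix="/manual"):
    """Return (line_no, directive, url_path, target) for every active alias
    whose URL path is url_prefix or lies beneath it."""
    wanted = url_prefix.rstrip("/")
    hits = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or already commented out
        try:
            parts = shlex.split(line)  # honours the quoted filesystem path
        except ValueError:
            continue  # unbalanced quote: not a line this check can judge
        # Directive names are case-insensitive in Apache configuration.
        if len(parts) < 3 or parts[0].lower() not in ALIAS_DIRECTIVES:
            continue
        url = parts[1].rstrip("/")
        if url == wanted or url.startswith(wanted + "/"):
            hits.append((line_no, parts[0], parts[1], parts[2]))
    return hits


def comment_out(conf_text, hits):
    """Return conf_text with the reported lines disabled, not deleted."""
    drop = {line_no for line_no, *_ in hits}
    lines = conf_text.splitlines(keepends=True)
    return "".join("#" + l if n in drop else l for n, l in enumerate(lines, 1))


if __name__ == "__main__":
    found = find_aliases(SAMPLE_CONF)
    for line_no, directive, url, target in found:
        print(f"line {line_no}: {directive} {url} -> {target}")
    print(comment_out(SAMPLE_CONF, found), end="")
```

The check only sees alias directives in the text it is given, so files pulled in through Include need to be scanned as well.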