Date: Wed, 19 Jun 2002 15:42:40 -0600
From: Brett Glass
To: Jason DiCioccio, Jan Lentfer
Subject: Re: Apache 1.3.26 port
Message-Id: <4.3.2.7.2.20020619153728.02374d30@localhost>
References: <4.3.2.7.2.20020619150748.0236b1d0@localhost>
Sender: owner-freebsd-security@FreeBSD.ORG

P.S. -- While Apache's own "make install" is gentler on your data files than the current port, one thing it does that is *not* good, and persists in the port, is install things, out of the box, that the administrator might not want. For example, it always installs its own documentation and makes it publicly available from your server. A security risk? Probably not, but still not a good thing.

Even experienced admins, such as the administrators of the FreeBSD Web site, often don't catch this problem. For example, if you go to http://www.freebsd.org/manual/ you will find -- guess what? -- the Apache manual, not a FreeBSD manual as you might expect. Apache's default httpd.conf creates an alias for its documentation at this location unless you edit the alias out of httpd.conf. The FreeBSD port/package of Apache should, IMHO, turn this off.
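One way to check a server for the alias described in the message above, as an added example that is not part of the original post or of the Apache port: a shell function that lists active (uncommented) `Alias` and `ScriptAlias` directives publishing a given URL prefix. The function names `find_alias` and `sample_conf`, the sample configuration and its filesystem paths are constructed for illustration.

```shell
#!/bin/sh
# find_alias CONF [URLPREFIX]
# Prints "lineno: directive" for every active Alias/ScriptAlias whose URL
# path equals URLPREFIX (default /manual). Returns 0 if any match, else 1.
find_alias() {
    conf=$1
    prefix=${2:-/manual}
    awk -v want="$prefix" '
        /^[ \t]*#/ { next }            # commented-out directives are inactive
        {
            line = $0
            sub(/^[ \t]+/, "", line)   # directives may be indented
            n = split(line, f, /[ \t]+/)
            if (n < 3) next
            d = tolower(f[1])          # directive names are case-insensitive
            if (d != "alias" && d != "scriptalias") next
            url = f[2]
            gsub(/"/, "", url)         # the URL path may be quoted
            sub(/\/+$/, "", url)       # audit /manual and /manual/ alike
            if (url == want) { print NR ": " line; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$conf"
}

# Constructed sample httpd.conf fragment; the paths are placeholders.
sample_conf() {
    cat <<'EOF'
ServerRoot "/usr/local"
# Alias /icons/ "/usr/local/www/icons/"
Alias /icons/ "/usr/local/www/icons/"
    alias /manual/ "/path/to/apache/doc/"
ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"
EOF
}

# Demo run on the constructed sample: reports the /manual alias on line 4.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
find_alias "$demo_conf" /manual
rm -f "$demo_conf"
```

A non-zero exit status means no active alias for the prefix was found, so the function can gate a post-install or configuration-review script.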