Your message dated Mon, 08 Jun 2015 15:16:36 +0000
with message-id <[email protected]>
and subject line Re: apache2-mpm-prefork: Prevent some files and folders from being viewed o clients.
has caused the Debian Bug report #681283,
regarding apache2-mpm-prefork: Prevent some files and folders from being viewed o clients.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
681283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681283
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apache2-mpm-prefork
Version: 2.2.16-6+squeeze7
Severity: minor

This builds on what already exists in httpd.conf.

<Files ~ "^\.(ht|ssh)">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>
AliasMatch /\.(ht|ssh) /non-existant-page

The AliasMatch may seem to override the first part, but I thought that
it may be commented by default. The goal here is to allow the www-data
user to have a non-existent .ssh configuration with un-password protected
private keys to be used in accessing remote git
repositories (gitolite/Ruby-Passenger/GitLab) among other things.

I also request that since /var/www is this user's home folder AND
also DocumentRoot that usual user configuration files be added to
this list. It may seem prudent to simply separate the two, however at
this point I'd say that you may be breaking a known convention. Thus
I wouldn't recommend that.

Other files I was thinking of:
.Xauthority
.procmailrc
.gnupg
Mail|Maildir (perhaps)
.rnd
.pulse(|-cookie)
.bash_history
.gconf
.config
.cache
.ecryptfs
.subversion
.(gnome2|gnome)
.gconfd
.bazaar
.dbus

Plus commented rules to hide or secure common RCS folders and files:
,v$
/CVS
/RCS
...etc.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic auth_kerb authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires mime
  negotiation passenger php5 reqtimeout rewrite setenvif
List of enabled php5 extensions:
  pdo pdo_pgsql pgsql suhosin

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (907, 'stable'), (906, 'stable'), (905, 'stable'), (904, 'stable'), (903, 'stable'), (902, 'stable'), (330, 'testing'), (320, 'testing'), (310, 'testing'), (230, 'testing-proposed-updates'), (220, 'testing-proposed-updates'), (210, 'testing-proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35.4-rscloud (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2-mpm-prefork depends on:
ii  apache2.2-bin     2.2.16-6+squeeze7  Apache HTTP Server common binary f
ii  apache2.2-common  2.2.16-6+squeeze7  Apache HTTP Server common files

apache2-mpm-prefork recommends no packages.

apache2-mpm-prefork suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Hello

> This builds on what already exists in httpd.conf.
> <Files ~ "^\.(ht|ssh)">
>     Order allow,deny
>     Deny from all
>     Satisfy all
> </Files>
> AliasMatch /\.(ht|ssh) /non-existant-page
>
> The AliasMatch may seem to override the first part, but I thought that
> it may be commented by default. The goal here is to allow the www-data
> user to have a non-existent .ssh configuration with un-password protected
> private keys to be used in accessing remote git
> repositories (gitolite/Ruby-Passenger/GitLab) among other things.
>
> I also request that since /var/www is this user's home folder AND
> also DocumentRoot that usual user configuration files be added to
> this list. It may seem prudent to simply separate the two, however at
> this point I'd say that you may be breaking a known convention. Thus
> I wouldn't recommend that.
>
> Other files I was thinking of:
> .Xauthority
> .procmailrc
> .gnupg
> Mail|Maildir (perhaps)
> .rnd
> .pulse(|-cookie)
> .bash_history
> .gconf
> .config
> .cache
> .ecryptfs
> .subversion
> .(gnome2|gnome)
> .gconfd
> .bazaar
> .dbus
>
> Plus commented rules to hide or secure common RCS folders and files:
> ,v$
> /CVS
> /RCS
> ...etc.

Since apache 2.4, Debian default DocumentRoot is /var/www/html and is
different from www-data home directory (/var/www).
This enables you to have a /var/www/.ssh/ directory that is not served
by the server.
This also takes care of the examples you quoted above.

Also, /etc/apache2/conf-available/security.conf now contains:

# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for
# subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

These are only comments, as you suggested, but it gives the
administrator a good hint about how to protect these.

So I believe what you asked is done. Therefore, I am closing that bug
report.

Feel free to reopen if you have more specific issues.

-- 
Nirgal
--- End Message ---
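
Added example, not part of the bug thread or of the Debian package: a Python check that walks a DocumentRoot and reports entries whose names appear in the report's list, plus the .svn directory named in security.conf. The regex, the function names and the sample tree are constructed for illustration; point find_exposed() at the real DocumentRoot of a host to audit it.

```python
import os
import re
import tempfile

# Names taken from the bug report's list and the security.conf hint;
# the regex form is this example's own.
SENSITIVE = re.compile(
    r"^(\.ht.*|\.ssh|\.gnupg|\.Xauthority|\.procmailrc|\.rnd|\.bash_history"
    r"|\.pulse(-cookie)?|\.gconfd?|\.config|\.cache|\.ecryptfs|\.subversion"
    r"|\.gnome2?|\.bazaar|\.dbus|\.svn|CVS|RCS|.*,v)$"
)


def find_exposed(docroot):
    """Return sorted paths (relative to docroot) whose own name is sensitive."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            if SENSITIVE.match(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
        # Do not descend into flagged directories: the directory is the finding.
        dirnames[:] = [d for d in dirnames if not SENSITIVE.match(d)]
    return sorted(hits)


def build_sample_tree(root):
    """Constructed layout: a /var/www that is both home directory and DocumentRoot."""
    for rel in (".ssh/id_rsa", ".bash_history", "app/.svn/entries",
                "app/index.php", "app/lib.c,v", "html/index.html"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


def demo():
    """Audit the sample tree as the old layout and as the split html/ layout."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_exposed(root), find_exposed(os.path.join(root, "html"))


if __name__ == "__main__":
    old_layout, new_layout = demo()
    print("DocumentRoot = home directory:", old_layout)
    print("DocumentRoot = home/html:     ", new_layout)
```

An empty result for the html/ subtree is what the split DocumentRoot described in the reply is meant to achieve; any hit under a live DocumentRoot needs either relocation or an explicit deny rule.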

