Discussion:
Changing the default document root for HTTP server
Arno Töll
2012-04-15 00:25:11 UTC
Hello,
(please keep replies limited to -devel; I'd just like to point relevant
maintainers to this thread)

I'd like to discuss a change related to the default document root for
HTTP servers in Debian. On behalf of the Apache maintainers I consider
this change a worthwhile idea, but we would like to reach consensus
among developers in general and HTTP server maintainers in particular
before pushing any change.

Currently, all web servers (as far as I am aware) are being installed
with the default document root pointing to /var/www. Let me point out
this change is _not_ going to affect existing web application packages -
these are already installed to /usr/share/application (or similar) and
are typically configured as an overlay alias into the web server (e.g.
by using a global /packagename alias or whatever the preferred
methodology for a particular web server is). Thus this change does not
have any effects on existing packages in Debian (with one exception, see
below).

First, consider the status quo:

* Local site administrators tend to put virtual hosts into
/var/www/sitename/htdocs or something similar. Nonetheless the default
configuration for several web servers allows access to /var/www
directly. Thus, an attacker could potentially access sensitive data by
connecting to the default virtual host instead of the configured site
in some scenarios, unless the default configuration was
modified/disabled. Consider reading #340947 for more background.

* Using /var/www as document root violates the File Hierarchy Standard.
/var is suggested to be used for "spool directories and files,
administrative and logging data, and transient and temporary files".

Unless I'm missing something there is no better location for HTTP
documents mentioned within the FHS. Note /srv can't be used either as no
path hierarchy is specified for /srv (e.g. think of /srv/www) and we
really do not want to serve the entire /srv hierarchy as a document root
either.

* No package should be using /var/www directly (as per policy §11.5).
However, there is one counter-example: dspam (binary package:
dspam-webfrontend). They rely on suexec which in turn requires a
compiled-in physical path which is not configurable. See #555129 for
more background.


You can see, there is no ideal solution. Thus, I'd like to do a rather
conservative change to switch the default document root for HTTP servers
from /var/www to /var/www/html. This would not need any changes to the
policy and it would not solve the FHS discrepancy. However, it would
come over the remaining problems:

* Users can put sensitive data into /var/www, /var/www/whatever.
* Packages can put their configuration into /var/www/packagename if
/usr/share/packagename is not possible, with a slightly decreased risk of
unwanted side-effects.
* Compatibility to programs relying on suexec remains intact.
* Average users do not need to disable/edit the default configuration
and they do not need to worry about sensitive information disclosed by
accidentally matching last-resort catch-all name based hosts anymore.

Thus, to summarize once again: I'd like to change the default directory
served by web servers from /var/www to /var/www/html along with
remaining web servers in Debian.

Comments?
--
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
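The exposure described above (a catch-all vhost whose DocumentRoot is an ancestor of another site's DocumentRoot) can be checked for mechanically. The following POSIX sh function is an added example, not part of the thread or of any Debian package; it reads Apache-style config text on stdin, and the two sample configs are constructed to mirror the status quo and the proposed /var/www/html default.

```shell
#!/bin/sh
# Added example: report any DocumentRoot that is an ancestor of another
# vhost's DocumentRoot, i.e. a default vhost that would also serve the
# files of a site living underneath it. Reads config text on stdin.
# Returns 0 when no nesting is found, 1 otherwise; prints each pair found.
check_docroots() {
    # Collect DocumentRoot values, tolerating quotes and trailing slashes.
    roots=$(sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' \
            | sed 's#/*$##' | sort -u)
    status=0
    for parent in $roots; do
        for child in $roots; do
            [ "$parent" = "$child" ] && continue
            case "$child" in
                "$parent"/*)
                    echo "WARNING: $parent also serves $child"
                    status=1
                    ;;
            esac
        done
    done
    return $status
}

# Constructed sample: the status quo, default vhost rooted at /var/www.
STATUS_QUO='
<VirtualHost *:80>
    DocumentRoot /var/www
</VirtualHost>
<VirtualHost *:80>
    ServerName example.org
    DocumentRoot "/var/www/example.org/htdocs"
</VirtualHost>
'

# Constructed sample: default vhost moved to /var/www/html as proposed.
PROPOSED='
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
    ServerName example.org
    DocumentRoot /var/www/example.org/htdocs
</VirtualHost>
'

printf '%s\n' "$STATUS_QUO" | check_docroots || echo "status quo: nested document roots"
printf '%s\n' "$PROPOSED" | check_docroots && echo "proposed layout: no nesting"
```

On a real host, feed it the merged configuration, e.g. `apache2ctl -t -D DUMP_VHOSTS` output does not include DocumentRoot, so concatenate the files under /etc/apache2/sites-enabled instead.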
Daniel Baumann
2012-04-15 05:45:12 UTC
> /srv can't be used either as no path hierarchy is specified for
> /srv (e.g. think of /srv/www) and we really do not want to serve
> the entire /srv hierarchy as a document root either.
packages should have a debconf question for the document root,
defaulting to /srv/www, and create the directory where necessary (see
'/srv/tftp' handling in tftpd-hpa).

--
Address: Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email: ***@progress-technologies.net
Internet: http://people.progress-technologies.net/~daniel.baumann/
Marco d'Itri
2012-04-15 10:08:44 UTC
Post by Daniel Baumann
> packages should have a debconf question for the document root,
No, because this would require making every package significantly more
complex. Not just because of asking the question, but the configuration
files would not be conffiles anymore.
And it would be a pointless exercise, since for most people either the
name does not really matter or they need to change it anyway to manage
virtual hosts.

I think /var/www/<anything> is OK.
--
ciao,
Marco
Thomas Goirand
2012-04-15 11:07:05 UTC
Post by Arno Töll
> Thus, to summarize once again: I'd like to change the default directory
> served by web servers from /var/www to /var/www/html along with
> remaining web servers in Debian.
> Comments?
I support this.

Thomas
