Package: apache2
Version: 2.4.59-1~deb12u1
Hi,
I *think* the comment above the <Directory> directive is misleading in
the default /etc/apache2/apache2.conf:
--- 8< ---
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
--- 8< ---
Placing a symlink pointing e.g. to /etc in the /var/www/html/ directory
(e.g. 'ln -s /etc /var/www/html/foo') happily shows the content of /etc/
when accessing http://<server address>/foo while the comment above
suggests it doesn't. From apache2 documentation this is expected(?) so I
think the comment in the configuration file is misleading. I *guess*
this is not limited to the current version.
Regards,
Oliver
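
Added example, not part of the original report: since FollowSymLinks is enabled for /var/www/, one way to check a server for the situation described above is to list symlinks under the document root whose resolved target lies outside the directories meant to be served. The function names, the allowed-roots list and the temporary tree built in demo() are constructed for illustration; POSIX paths are assumed.

```python
import os
import tempfile


def escaping_symlinks(docroot, allowed_roots):
    """Return sorted (link, resolved_target) pairs for symlinks under docroot
    whose resolved target lies outside every directory in allowed_roots."""
    allowed = [os.path.realpath(r) for r in allowed_roots]
    findings = []
    # followlinks=False: symlinks are reported but never descended into.
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained links as well
            inside = any(os.path.commonpath([target, root]) == root
                         for root in allowed)
            if not inside:
                findings.append((path, target))
    return sorted(findings)


def demo():
    """Build a constructed tree that mirrors the report and audit it."""
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        docroot = os.path.join(base, "var", "www", "html")
        etc = os.path.join(base, "etc")
        static = os.path.join(docroot, "static")
        os.makedirs(static)
        os.makedirs(etc)
        # Constructed stand-in for 'ln -s /etc /var/www/html/foo'.
        os.symlink(etc, os.path.join(docroot, "foo"))
        # A link that stays inside the served tree and must not be reported.
        os.symlink(static, os.path.join(docroot, "assets"))
        found = escaping_symlinks(docroot, [os.path.join(base, "var", "www")])
        return [(os.path.relpath(link, base), os.path.relpath(target, base))
                for link, target in found]


if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```

On a real host the call would be escaping_symlinks("/var/www", ["/var/www", "/usr/share"]), matching the two directories granted in the configuration quoted above.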