On Fri, 12 Mar 2010 10:10 -0800, "patrick keshishian" <pkesh...@gmail.com> wrote:
> does disabling this option /really/ improve security?

No, not unless you consider keeping files that are inappropriately/accidentally copied to these directories a security issue. It seems in line with OpenBSD's off-by-default posture; that is the only reason I suggested it.

> On Fri, Mar 12, 2010 at 9:41 AM, Brad Tilley <b...@16systems.com> wrote:
> > When run against default OpenBSD servers that have Apache enabled,
> > vulnerability assessment software (Nessus, Rapid7, etc.) complains about
> > "browsable web directories". The concern is that someone may
> > accidentally place inappropriate files in the web directories that will
> > then be visible to others. Would it be a good idea to remove the Indexes
> > option from httpd.conf? Admins may enable the option later if they like:
> >
> > # cvs diff -Nup httpd.conf > > Index: httpd.conf > > =================================================================== > > RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf,v > > retrieving revision 1.26 > > diff -N -u -p httpd.conf > > --- httpd.conf 3 Jun 2009 18:28:21 -0000 1.26 > > +++ httpd.conf 12 Mar 2010 17:39:06 -0000 > > @@ -396,7 +396,7 @@ DocumentRoot "/var/www/htdocs" > > # Note that "MultiViews" must be named *explicitly* --- "Options All" > > # doesn't give it to you. > > # > > - Options Indexes FollowSymLinks > > + Options FollowSymLinks > > > > # > > # This controls which options the .htaccess files in directories can > > @@ -601,7 +601,7 @@ CustomLog logs/access_log common > > Alias /icons/ "/var/www/icons/" > > > > <Directory "/var/www/icons"> > > - Options Indexes MultiViews > > + Options MultiViews > > AllowOverride None > > Order allow,deny > > Allow from all
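
Review bot: in the first hunk (@@ -396,7, under DocumentRoot "/var/www/htdocs"), the comment block above the changed line gives no hint that Indexes has been taken out of the default or how to put it back. The proposal relies on admins re-enabling the option themselves, so add a comment line above "Options FollowSymLinks" saying that directory listings are off by default and that adding Indexes to this line turns them on.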
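
Review bot: in the second hunk (@@ -601,7), the "/var/www/icons" block keeps "AllowOverride None", so once Indexes is dropped from "Options Indexes MultiViews" a listing of /icons/ can only be turned back on by editing httpd.conf, not through .htaccess. That is a sensible default, but the commit message should state it. Please also confirm that no Options line outside these two hunks still names Indexes, since the stated goal is to stop the scanner reports on a default install.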