httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject RE: Proposal for Improviing the Security Docs
Date Mon, 17 Sep 2001 15:41:29 GMT


> -----Original Message-----
> From: Allan Liska [mailto:allan@allan.org]
> On Mon, 17 Sep 2001, Rich Bowen wrote:
> > Yes. The documentation should be the one location where folks need to
> > look for information on how to run the Apache server. There are cases
> > where off-site links may be appropriate, but I tend to think that the
> > docs should be comprehensive.
>
> Okay...that makes sense, so then explaining to people how to chmod and
> chroot is not outside the realm of this documentation?  Also, are there
> enough people on this list comfortable in their system security knowledge
> to review any documents presented, to ensure there are no errors...or
> really bad ideas :)?

I believe that explaining in detail how chmod works is out of scope.
Explaining what the permissions should be, and then including a brief
example of how to set them would be appropriate.  Information on where to go
to find out more on "the basics" might also be good; even directing people
to "man chmod" might be appropriate in some circumstances.

> Security experts, like most experts, rarely agree on anything :).  Some
> would say it is important to hide possible exploits to prevent people from
> using them, others would say the more information the better, as it
> protects administrators.  I am certainly not proposing that we publish
> scripts to help people take advantage of any exploits, but people ought to
> be aware.

My opinion is that a security doc should contain the following advice:
- When installing a new server, always use the most recent available stable
version.
- Subscribe to the announce@apache.org mailing list.  The Apache Server
Project will send information on any known security problems and version
upgrades to this list.
- Subscribe to the analagous list for your operating system vendor, and for
any third-party modules that you use.

In the past, there has been a document at
http://httpd.apache.org/info/known_bugs.html
listing the known bugs (including security-related ones) in each version.
This has not, unfortuantely, been kept up to date in the last years.  If
someone has time on their hands, it could be reconstructed by looking at the
Announcement file in CVS and at the CHANGES file and picking out the major
bugs in each version.

If you wanted to include links to a couple reliable security sites, that
might also be appropriate.

Joshua.


---------------------------------------------------------------------
To unsubscribe, e-mail: apache-docs-unsubscribe@apache.org
For additional commands, e-mail: apache-docs-help@apache.org


Mime
View raw message