From: Allan Liska
To: apache-docs@apache.org
Date: Mon, 17 Sep 2001 09:00:53 -0400 (EDT)
Subject: Re: Proposal for Improving the Security Docs

Rich,

Thanks for your comments, please see my answers in-line...

On Mon, 17 Sep 2001, Rich Bowen wrote:

> On Sun, 16 Sep 2001, Allan Liska wrote:
>
> > Hello,
> >
> > As I mentioned earlier this week, I would like to try to improve the
> > layout of the security docs. I'd really like feedback from people
> > on this list as to how in-depth the documents should go. As an
> > example, should we explain how to set permissions for optimal
> > security in an Apache root directory?
>
> Yes. The documentation should be the one location where folks need to
> look for information on how to run the Apache server. There are cases
> where off-site links may be appropriate, but I tend to think that the
> docs should be comprehensive.

Okay...that makes sense, so then explaining to people how to chmod and chroot is not outside the realm of this documentation?

Also, are there enough people on this list comfortable in their system security knowledge to review any documents presented, to ensure there are no errors...or really bad ideas :)?

> > There is also the problem of duplication. If we are going to
> > discuss Server Side Includes we obviously have to mention
> > mod_include, but should we also discuss access control using
> > mod_access, or is that too much overlap?
>
> Because we have the docs in HTML, duplication should not be necessary.
> Fill in the additional detail in whichever doc it is appropriate, and
> provide links.

Another good point. I don't know that it is something that even needs to be filled in; it is probably more appropriate just to put links to the existing sections, and let readers figure things out from the information in those documents.

If this doesn't make sense, maybe I should put together a sample document on something like Server Side Includes this week and submit it to the list so I can provide a clearer example?

> > Finally, I would really like to see, at least links if not brief
> > descriptions of Apache security exploits. I know that information
> > is available on the site, but I would assume people would go to the
> > security section to get that information as well.
>
> I'd be a little wary of this one. What is the reasoning behind this?
> It's almost as though you're providing a resource for folks that want to
> take advantage of the security exploits. You check on Netcraft ... Ah,
> they are running 1.3.9 ... tap tap tap ... Oh, look, there's a security
> exploit in 1.3.9 ... tap tap tap ... great, now I have root. Or
> whatever. Is this something that is generally recommended by security
> experts?

Security experts, like most experts, rarely agree on anything :). Some would say it is important to hide possible exploits to prevent people from using them; others would say the more information the better, as it protects administrators. I am certainly not proposing that we publish scripts to help people take advantage of any exploits, but people ought to be aware.

To see the type of postings I am talking about, take a look at this link on LinuxSecurity.com:

http://www.linuxsecurity.com/advisories/redhat_advisory-820.html

Apache has traditionally posted this type of information on its website as well:

http://httpd.apache.org/info/security_bulletin_1.2.5.html

Of course Apache is such a stable and secure product that there are very few security exploits to report. There are exploits in various ports of Apache, though...again that returns to the question: If posting security information is a good idea, should we post information about security vulnerabilities in modified distributions?

Thanks again for the excellent comments from everyone. I really appreciate any feedback.

allan

--
Allan Liska
allan@allan.org
http://www.allan.org