Quick review

Adam Conrad adconrad at ubuntu.com
Sun Apr 9 11:49:53 UTC 2006


Rocco Stanzione wrote:
> 
> Apache2: http://doc.ubuntu.com/ubuntu/serverguide/C/httpd.html

> sudo apt-get install apache2 apache2-common

I see this mistake over and over (and over) again in various Ubuntu
guides and HOWTOs, and I really think we need to stop.  If apache2
depends on apache2-common (and yes, it does), then why on earth do we
complicate things by telling users to explicitly install both?  "apt-get
install apache2" would work just as well, and is much less confusing.

(I've seen people give recommendations like "apt-get install apache2
apache2-common apache2-mpm-worker apache2-utils", which just makes no
sense, unless you really feel the urge to be that explicit)

> sudo cp server.key server.crt /etc/apache2/ssl/
> sudo chmod 400 /etc/apache2/ssl/server.key /etc/apache2/ssl/server.crt
> sudo chown www-data /etc/apache2/ssl/server.key /etc/apache2/ssl/server.crt

I see two problems with this.  Number one, it would probably be best to
tell users to use /etc/ssl/{certs,private} for their certificate setup,
since this is what we do by default, and it keeps everything
cert-related in one neat, tidy, and easily securable place.

Problem number two, and this is much worse.  Never (never, EVER)
recommend that a user make a file owned by www-data.  You've just
allowed any CGI/PHP/etc script (including one exploited from a flaw in,
say, some user's bulletin board system) to read/overwrite and otherwise
abuse that file.

Apache reads all certificates at startup as root, before it drops
privileges, so there's no need to have certs and keys readable by the
www-data user at all.  Also, note that you got what you were trying to
do backwards:  The crt file is the public certificate (so not worth
"securing", except to make sure no one can overwrite it, of course), the
key file is the public key that only Apache should read (and only as
root, as discussed, not as www-data)

My only other complaint about the doc, I suppose, is that you spend a
great deal of time discussing certain elements of Apache and how to
configure it, but dedicate exactly two words to pointing at the upstream
documentation, which will always be more complete, more accurate, and
more up to date.

I suggest that in each stanza where you try to explain to users how to
use a certain feature (DocumentRoot, for instance), you link to the
official documentation for that directive, so users get used to checking
the upstream manual and learn more about how the whole thing works (and
thus, stop relying on Ubuntu-specific HOWTOs for beginners).  Teach a
man to fish, and all that.

... Adam
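
The ownership and permission problems raised in the message above can be checked mechanically. The script below is an added example, not part of the original message: the function name `audit_key` and its return codes are assumptions of this example, and it relies on GNU `stat` as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original message): audit a TLS private key file.
# Usage: audit_key FILE [SERVICE_USER]   (SERVICE_USER defaults to www-data)
# Returns 0 if clean, 1 if the service account can reach the key, 2 if missing.
audit_key() {
    key=$1
    svc=${2:-www-data}
    rc=0
    if [ ! -f "$key" ]; then
        echo "MISSING $key"
        return 2
    fi
    owner=$(stat -c '%U' "$key")
    group=$(stat -c '%G' "$key")
    mode=$(stat -c '%a' "$key")
    # Groups of the service account; empty if the account does not exist here.
    svc_groups=$(id -Gn "$svc" 2>/dev/null || true)

    # An owner can always chmod the file back, so ownership alone is a finding.
    if [ "$owner" = "$svc" ]; then
        echo "FAIL $key: owned by $svc"
        rc=1
    fi
    # Any "other" permission bit exposes the key to every local account.
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "FAIL $key: mode $mode grants access to others"
        rc=1
    fi
    # Group bits matter only if the service account is in the file's group.
    if [ $(( 0$mode & 070 )) -ne 0 ]; then
        case " $svc_groups " in
            *" $group "*)
                echo "FAIL $key: mode $mode grants access to group $group ($svc is a member)"
                rc=1 ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK $key ($owner:$group $mode)"
    fi
    return "$rc"
}

# Audit any files named on the command line.
if [ "$#" -gt 0 ]; then
    for k in "$@"; do audit_key "$k" || true; done
fi
```

Run it as root against the key path, since /etc/ssl/private is not normally readable by other accounts.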



