498620 – www-apache/passenger - fix directory access directives in /etc/apache2/modules.d/30_mod_passenger.conf

Bug 498620 - www-apache/passenger - fix directory access directives in /etc/apache2/modules.d/30_mod_passenger.conf

Summary: www-apache/passenger - fix directory access directives in /etc/apache2/module...

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Hans de Graaff

URL:
Whiteboard:
Keywords:	PATCH

Depends on:
Blocks:

Reported:	2014-01-19 19:55 UTC by three sixes
Modified:	2014-01-20 17:19 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description three sixes 2014-01-19 19:55:26 UTC

apache default settings for rails deny service.  broke out of box

<Directory />
	Options FollowSymLinks
	AllowOverride all
	Order allow,deny
	Allow from all
</Directory>

needs adding to /etc/apache2/modules.d/30_mod_passenger.conf

before

</IfDefine>


Reproducible: Always

Steps to Reproduce:
1. emerge dev-ruby/rails
2. rc-service apache2 restart
3. set vhost, browser 2 vhost location
Actual Results:  
access denied

Expected Results:  
Ruby (Rack) application could not be started, or welcome to rails.

Comment 1 Hans de Graaff gentoo-dev

2014-01-20 17:19:10 UTC

Passenger provides your apache with the ability to use rack based applications, but it does not actually provide any host definition to do that. These should be defined in /etc/apache2/vhosts.d and fall outside of the scope of passenger. This includes settings for directories served by these virtual hosts.

Your patch would also open up a huge security whole since it would allow serving all files on the filesystem.