Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 498620

Summary: www-apache/passenger - fix directory access directives in /etc/apache2/modules.d/30_mod_passenger.conf
Product: Gentoo Linux Reporter: three sixes <666threesixes666>
Component: Current packagesAssignee: Hans de Graaff <graaff>
Status: RESOLVED INVALID    
Severity: normal CC: ruby
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description three sixes 2014-01-19 19:55:26 UTC 
apache default settings for rails deny service.  broke out of box

<Directory />
	Options FollowSymLinks
	AllowOverride all
	Order allow,deny
	Allow from all
</Directory>

needs adding to /etc/apache2/modules.d/30_mod_passenger.conf

before

</IfDefine>


Reproducible: Always

Steps to Reproduce:
1. emerge dev-ruby/rails
2. rc-service apache2 restart
3. set vhost, browser 2 vhost location
Actual Results:  
access denied

Expected Results:  
Ruby (Rack) application could not be started, or welcome to rails.
Comment 1 Hans de Graaff gentoo-dev Security 2014-01-20 17:19:10 UTC 
Passenger provides your apache with the ability to use rack based applications, but it does not actually provide any host definition to do that. These should be defined in /etc/apache2/vhosts.d and fall outside of the scope of passenger. This includes settings for directories served by these virtual hosts.

Your patch would also open up a huge security whole since it would allow serving all files on the filesystem.