How does apache use or allow browsing of /usr/share? (linux / Ubuntu)

The default apache.conf (ubuntu server), contains the following block:

# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.

# .... other items removed for brevity    

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

My intrepretation of this directive is that apache will allow web browsing of the items in /usr/share folder. yet If I try to browse and item in /usr/share/ I cant view anything?

  1. How do I browse the content in /usr/share?

    e.g. if I point a browser to localhost/synaptic/html/index.html I get a 404 not found error

  2. If apache allows browsing of this directory - do I need to lock it down on a production server?


Solution 1:

  1. You need to map a URL path onto /usr/share. The simplest way to do that is to use an Alias directive, for example:

    Alias /share /usr/share
    

    Then http://localhost/share/synaptic will map to /usr/share/synaptic. See the documentation for Alias.

  2. All of the files in /usr/share should already be non-writeable for non-root users, including the Apache user, www-data. They're probably also all world-readable. So it should be fine to serve them all as above without any additional restrictions. But if there are public files in /usr/share that you don't want Apache users to see, you can use Require all deny directives to block access to those files.