The apache2.service sets PrivateTmp=true, so with it you will not be able to use any files in the regular /tmp/.
Then there is a decisive hint in /usr/share/doc/apache2/NEWS.Debian.gz for the version apache2 (2.4.1-1) unstable:
We did change the security model for Apache in our default configuration. We
do not allow access to the file system outside /var/www and /usr/share.
If you are running virtual hosts or scripts outside these directories, you
need to whitelist them in your configuration to grant access through HTTP.
Special care must be taken if you are using a sub-directory in /srv to serve
your content as recommended by the File Hierarchy Standard (FHS). You must
allow access to your served directory explicitly in the corresponding virtual
host, or by allowing access in apache2.conf as proposed.
Along the security model, we did also change the default Document Root, files
are served from. Previous releases served /var/www by default when no other
virtual host matched the request. Starting with this release, we changed the
default document root to /var/www/html, so that sensitive files from other
virtual hosts which are typically put into some directory below /var/www are
not exposed by the default virtual host. This change further improves the out
of box security.
Beyond that, there are AppArmor profiles for various applications, so if in doubt I would check there which directories Apache2 is allowed to access under these restrictions.
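As an added example (not part of the post above or of the Debian package), this is what the whitelisting described in the NEWS entry looks like for content under /srv: the global deny-by-default stays in place and only the one served directory is granted, inside the virtual host that uses it. The path /srv/www/example and the hostname example.invalid are assumptions.

```apache
# Global default as shipped in Debian's apache2.conf: nothing on the
# file system is reachable over HTTP unless a later <Directory> grants it.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

# Explicit grant for the served directory only (assumed path), placed in the
# virtual host rather than in apache2.conf so that other vhosts do not
# inherit access to /srv.
<VirtualHost *:80>
    ServerName example.invalid
    DocumentRoot /srv/www/example

    <Directory /srv/www/example>
        # No directory listings, no following symlinks out of the tree,
        # no .htaccess overrides of the access rules above.
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example-error.log
    CustomLog ${APACHE_LOG_DIR}/example-access.log combined
</VirtualHost>
```

Run apachectl configtest after the change; a request for a path outside /srv/www/example still gets 403 from the global <Directory /> block, which is the behaviour the NEWS entry describes.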