Well, if I'm not badly wrong with my files, SuSE 6.2 default configuration does allow to follow symlinks. /etc/httpd/httpd.conf:
I didn't check the docs. If symlinks are enabled by default, may I ask SuSE why that is really necessary. If I understand things correctly, both Bugtraq and the apache authors consider that to be a security risk too big to take. The default should be "safe", not "make things easy for idiots/M$-users/ex-M$-users". "safe" and "easy" are not necessarily mutually exclusive.
Nope. You can set an alias to point to wherever you want.
Good - then get everything out of /usr/local. That is *MY* place (having the default doc root in there is a good idea though, as long as it's empty). Being new to SuSE, finding /usr/local not empty was rather annoying. It's a sign of being disorganised, IMHO.
I'd place no example scripts at all in the cgi-bin. I'd place them in the apache documentation under /usr/doc/packages/apache so that anyone willing to experiment with them may choose to copy them manually to the cgi-bin.
Yes please. Default = "safe". If some sysop wants the scripts, copy them. In that case, there's more work to be done anyway so it doesn't make things more difficult for the inexperienced, and it doesn't put users at risk who don't use the stuff.
In the ideal case, the cgi-bin should be left empty in order to separate locally installed scripts from those that come with the distribution.
That is also a question of being organised? (Hey you Germans?!???)

Volker
participants (1): Volker Kuhlmann
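An added example, not part of the original thread: one way to check which sections of an Apache configuration allow symlinks to be followed, the default setting discussed above. The function name `symlink_findings` and the sample configuration, including its `/srv/www` paths, are constructed for illustration and are not SuSE's shipped httpd.conf.

```python
import re

# Constructed sample, not SuSE's shipped httpd.conf.
SAMPLE_CONF = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/srv/www/htdocs">
    Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
# Options FollowSymLinks
<Directory "/srv/www/cgi-bin">
    Options All
</Directory>
<Directory "/srv/www/private">
    Options None
</Directory>
"""

OPEN = re.compile(r"<(\w+)\s+(.+?)>\s*$")
CLOSE = re.compile(r"</\w+>\s*$")

def symlink_findings(conf_text):
    """Return (scope, line number, verdict) for each Options line that names
    a symlink-related option. Inheritance between sections and .htaccess
    overrides are not evaluated."""
    findings, scope = [], ["(server config)"]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and commented-out directives
        m = OPEN.match(line)
        if m:
            scope.append(m.group(2).strip('"'))
        elif CLOSE.match(line):
            if len(scope) > 1:
                scope.pop()
        elif line.split()[0].lower() == "options":
            toks = {t.lower() for t in line.split()[1:]}
            if toks & {"followsymlinks", "+followsymlinks", "all"}:
                verdict = "follows-any-symlink"   # "All" includes FollowSymLinks
            elif toks & {"symlinksifownermatch", "+symlinksifownermatch"}:
                verdict = "owner-match-only"
            elif toks & {"-followsymlinks", "none"}:
                verdict = "disabled"
            else:
                continue                  # Options line does not mention symlinks
            findings.append((scope[-1], lineno, verdict))
    return findings

if __name__ == "__main__":
    for scope, lineno, verdict in symlink_findings(SAMPLE_CONF):
        print(f"line {lineno}: {scope}: {verdict}")
```

Sections reported as `follows-any-symlink` are the ones to review; `SymLinksIfOwnerMatch` is Apache's restricted alternative, which follows a link only when link and target have the same owner.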