httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject RFC: UserDir off by default for 2.1/2.2
Date Wed, 30 Mar 2005 10:58:48 GMT
Enabling UserDir by default can allow remote users to determine whether
a given username is valid on the system or not, even if no users have a
public_html directory, from the difference between a 403 from a chmod
700 /home/realuser and a 404 from not finding /home/nosuchuser.

After a few iterations which did confuse people, we ended up using text
like this for the default Red Hat-packaged httpd.conf:

Index: docs/conf/httpd-std.conf.in
===================================================================
--- docs/conf/httpd-std.conf.in	(revision 159354)
+++ docs/conf/httpd-std.conf.in	(working copy)
@@ -368,7 +368,19 @@
 # the default access control for these directories, as in the example below.
 #
 <IfModule userdir_module>
-    UserDir public_html
+    #
+    # UserDir is disabled by default since it can confirm the presence
+    # of a username on the system (depending on home directory
+    # permissions).
+    #
+    UserDir disable
+
+    #
+    # To enable requests to /~user/ to serve the user's public_html
+    # directory, remove the "UserDir disable" line above, and uncomment
+    # the following line instead:
+    # 
+    #UserDir public_html
 </IfModule>
 
 #
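Review bot: the directive this hunk adds is spelt `UserDir disable`, whereas the documented form is `UserDir disabled`; unless the shorter spelling is deliberately relied on as an accepted alias, use the documented one, and update the comment further down the same hunk that quotes it (`remove the "UserDir disable" line above`) in the same change so the directive and the instructions stay in step. Separately, the comment-only line `+    # ` immediately before `#UserDir public_html` carries a trailing space; trim it to match the other `#` lines in the block.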

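The 403-versus-404 difference described in the message can be reproduced offline with a small model of mod_userdir's path translation and of httpd's directory walk. The script below is an added example written for this page; it is not httpd code and is not part of the original message. It assumes the httpd worker is neither the owner nor a group member of any home directory (so only the "other" permission bits decide whether it can search a directory), builds a constructed home tree under a temporary directory with the made-up accounts realuser (0700 home, no public_html), openuser (0755 home with public_html), quietuser (0755 home without public_html) and the absent nosuchuser, and reports the status each /~user/ request would get with `UserDir public_html` versus UserDir turned off.

```python
"""Offline model of mod_userdir's /~user/ translation and the 403-vs-404 oracle.

Added example for this page, not httpd code. Assumption: the httpd worker
is neither the owner nor a group member of any home directory, so only the
'other' permission bits decide whether it can search a directory.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerConfig:
    home_root: str           # stands in for /home
    userdir: Optional[str]   # "public_html" for `UserDir public_html`, None when UserDir is off


def translate(cfg: ServerConfig, request_path: str) -> Optional[str]:
    """mod_userdir step: map /~user/tail to <home_root>/user/<userdir>/tail.

    Returns None when UserDir is off or the request is not a userdir request;
    the caller treats None as 404, which is what a disabled UserDir yields.
    """
    if cfg.userdir is None or not request_path.startswith("/~"):
        return None
    user, _, tail = request_path[2:].partition("/")
    if not user or user in (".", ".."):
        return None
    return os.path.join(cfg.home_root, user, cfg.userdir, tail)


def other_can_search(directory: str) -> bool:
    """Can a process that is 'other' relative to `directory` look up names in it?"""
    return bool(os.stat(directory).st_mode & stat.S_IXOTH)


def walk_status(root: str, target: str) -> int:
    """httpd's directory walk as the kernel would answer it: ENOENT on a
    missing component -> 404, EACCES on an unsearchable parent -> 403.
    The walk starts at `root`, which is assumed to be searchable."""
    parts = [p for p in os.path.relpath(target, root).split(os.sep) if p and p != "."]
    current = root
    for part in parts:
        if not other_can_search(current):
            return 403           # EACCES: cannot even look up `part` inside `current`
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            return 404           # ENOENT
    return 200                   # found (index/autoindex handling is out of scope)


def serve(cfg: ServerConfig, request_path: str) -> int:
    target = translate(cfg, request_path)
    return 404 if target is None else walk_status(cfg.home_root, target)


def confirmed_users(cfg: ServerConfig, candidates: List[str]) -> List[str]:
    """The oracle: an account is confirmed whenever /~user/ is anything but 404,
    because a name with no home directory can never produce anything else."""
    return sorted(u for u in candidates if serve(cfg, f"/~{u}/") != 404)


def build_fixture() -> str:
    """Constructed home tree (made-up accounts, not real ones) under a temp directory."""
    root = tempfile.mkdtemp(prefix="userdir-demo-")
    os.chmod(root, 0o755)                                  # /home itself is world-searchable
    os.mkdir(os.path.join(root, "realuser"))
    os.chmod(os.path.join(root, "realuser"), 0o700)        # private home, no public_html
    os.makedirs(os.path.join(root, "openuser", "public_html"))
    os.chmod(os.path.join(root, "openuser"), 0o755)
    os.chmod(os.path.join(root, "openuser", "public_html"), 0o755)
    os.mkdir(os.path.join(root, "quietuser"))
    os.chmod(os.path.join(root, "quietuser"), 0o755)       # searchable home, but no public_html
    return root


def remove_fixture(root: str) -> None:
    shutil.rmtree(root)


CANDIDATES = ["realuser", "openuser", "quietuser", "nosuchuser"]


def run_demo():
    """Status per candidate with UserDir public_html versus UserDir off."""
    root = build_fixture()
    try:
        enabled = ServerConfig(home_root=root, userdir="public_html")
        disabled = ServerConfig(home_root=root, userdir=None)
        with_userdir = {u: serve(enabled, f"/~{u}/") for u in CANDIDATES}
        without_userdir = {u: serve(disabled, f"/~{u}/") for u in CANDIDATES}
        leaked = confirmed_users(enabled, CANDIDATES)
    finally:
        remove_fixture(root)
    return with_userdir, without_userdir, leaked


if __name__ == "__main__":
    on, off, leaked = run_demo()
    for user in CANDIDATES:
        print(f"/~{user}/  UserDir public_html -> {on[user]}   UserDir off -> {off[user]}")
    print("accounts confirmed via the oracle:", leaked)
```

With UserDir on, realuser answers 403 and nosuchuser 404, which is the leak; quietuser illustrates the "depending on home directory permissions" caveat, since a world-searchable home with no public_html returns the same 404 as a missing account and so is not confirmed this way. Wherever useradd creates private home directories, the realuser case is the usual one. With UserDir off, every name answers 404 and the oracle yields nothing.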