httpd-docs mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: Security tips and dictionary attacks with UserDir
Date Thu, 29 Jan 2004 10:42:00 GMT
On Wed, Jan 28, 2004 at 08:30:49AM -0500, Rich Bowen wrote:
> On a related note, I'd like to discuss whether we want to have UserDir
> disabled by default.
> Pros) Improved default security
> Cons) Increased tech support questions about enabling this feature

I agree it should be disabled by default: we've had it disabled by
default in the stock httpd.conf in Red Hat's httpd packages for a while.
The ability for remote users to determine the presence of a given user ID
using the default config is an unacceptable information leak IMO.

It does confuse a few people, though I don't think we've had any bug
reports since we tweaked the wording to be as follows:

<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    UserDir disable

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncomment
    # the following line instead:
    #
    #UserDir public_html

</IfModule>

Regards,

joe
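As an added example (not code from the thread or from the httpd project), a small audit that reads an httpd.conf fragment and reports whether UserDir ends up globally disabled, the state the snippet above settles on. It assumes mod_userdir is loaded (so the <IfModule> wrapper is not evaluated) and treats the thread's "disable" spelling and the documented "disabled" keyword alike.

```python
"""Audit an httpd.conf fragment for the UserDir username-presence leak.

Added example, not httpd project code. Assumption: mod_userdir is loaded,
and the directive forms modelled are 'UserDir disabled' (the thread
spells it 'disable'), 'UserDir disabled u1 u2', 'UserDir enabled u1 u2'
and 'UserDir <directory>'.
"""
import re

USERDIR = re.compile(r"^\s*UserDir\s+(.+?)\s*$", re.IGNORECASE)


def audit_userdir(conf):
    """Walk the config in file order and return the effective UserDir state."""
    state = {"globally_disabled": False, "directory": None,
             "enabled_users": set(), "disabled_users": set()}
    for raw in conf.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # httpd comments must start the line, so '#UserDir' is inert
        m = USERDIR.match(raw)
        if not m:
            continue
        args = m.group(1).split()
        keyword, users = args[0].lower(), set(args[1:])
        if keyword in ("disable", "disabled"):
            if users:  # selective disable: global state unchanged
                state["disabled_users"] |= users
                state["enabled_users"] -= users
            else:
                state["globally_disabled"] = True
        elif keyword in ("enable", "enabled"):
            state["enabled_users"] |= users  # re-enables named users only
            state["disabled_users"] -= users
        else:
            state["directory"] = m.group(1)  # e.g. 'public_html'
    return state


def userdir_leaks_usernames(conf):
    """True when a /~user/ request could still tell real users from others:
    the feature is on globally, or specific users have been re-enabled."""
    s = audit_userdir(conf)
    return (not s["globally_disabled"]) or bool(s["enabled_users"])


# Constructed sample: the Red Hat default quoted in the thread, comments trimmed.
RED_HAT_DEFAULT = "<IfModule mod_userdir.c>\n    UserDir disable\n" \
                  "    #UserDir public_html\n</IfModule>\n"
# Constructed sample: a config that leaves per-user directories switched on.
ENABLED_CONFIG = "UserDir public_html\n"
```

Run `userdir_leaks_usernames(RED_HAT_DEFAULT)` against your own httpd.conf text to confirm the disabled default survived local edits.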
