httpd-docs mailing list archives

From Joe Orton <>
Subject Re: Security tips and dictionary attacks with UserDir
Date Thu, 29 Jan 2004 10:42:00 GMT
On Wed, Jan 28, 2004 at 08:30:49AM -0500, Rich Bowen wrote:
> On a related note, I'd like to discuss whether we want to have UserDir
> disabled by default.
> Pros) Improved default security
> Cons) Increased tech support questions about enabling this feature

I agree it should be disabled by default: we've had it disabled by
default in the stock httpd.conf in Red Hat's httpd packages for a while.  
The ability for remote users to determine the presence of a given user ID
using the default config is an unacceptable information leak IMO.

It does confuse a few people, though I don't think we've had any bug
reports since we tweaked the wording to be as follows:

<IfModule mod_userdir.c>
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    UserDir disable
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncomment
    # the following line instead:
    #UserDir public_html
</IfModule>

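A quick way to check whether a particular host leaks usernames the way Joe describes is to compare the response for /~user/ against a username that certainly does not exist. The probe below is an example added to this archived message; it is not code from the original post or from httpd itself. It assumes the usual mod_userdir behaviour (an unknown user falls through to DocumentRoot and gets 404, while a real user whose home directory the server cannot traverse gets 403, or 200 if ~/public_html is readable), which you should confirm against your own server. The base URL `http://example.test`, the account names and the in-memory responder are all constructed placeholders so the script runs offline.

```python
"""Probe an Apache server's /~user/ namespace to see whether mod_userdir
acts as a username oracle.  Added example; not code from the original
message or from httpd."""
import urllib.error
import urllib.request

# Assumed mod_userdir status codes (confirm on the host you are testing):
#   unknown user                                   -> 404 (falls through to DocumentRoot)
#   real user, home dir not traversable by httpd   -> 403
#   real user with a readable ~/public_html        -> 200
# Any difference between the "unknown" baseline and a candidate is the leak.


def http_status(base_url, user, fetch=None):
    """Return the HTTP status for base_url/~user/.  `fetch` is injectable
    so the probe can be exercised offline against a constructed responder."""
    url = f"{base_url.rstrip('/')}/~{user}/"
    if fetch is not None:
        return fetch(url)
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def userdir_oracle(base_url, candidates, fetch=None,
                   baseline_user="zz-nonexistent-9f3a"):
    """Compare each candidate's status against a baseline username that is
    assumed not to exist on the target.  Returns (baseline_status, leaks,
    statuses): `leaks` lists candidates whose status differs from the
    baseline, i.e. names the server has just confirmed or denied."""
    baseline = http_status(base_url, baseline_user, fetch)
    statuses = {}
    leaks = []
    for user in candidates:
        status = http_status(base_url, user, fetch)
        statuses[user] = status
        if status != baseline:
            leaks.append(user)
    return baseline, leaks, statuses


def simulated_server(userdir_enabled):
    """Constructed stand-in for a server: 'alice' has a 0700 home (403),
    'bob' has a readable public_html (200), everyone else is unknown."""
    accounts = {"alice": 403, "bob": 200}   # constructed sample accounts

    def fetch(url):
        user = url.rsplit("/~", 1)[1].rstrip("/")
        if not userdir_enabled:
            return 404                      # "UserDir disable": uniform answer
        return accounts.get(user, 404)
    return fetch


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    for enabled in (True, False):
        base, leaks, res = userdir_oracle("http://example.test", names,
                                          fetch=simulated_server(enabled))
        mode = "UserDir public_html" if enabled else "UserDir disable"
        print(f"{mode}: baseline {base}, confirmed users {leaks}, statuses {res}")
```

Against a real host drop the `fetch=` argument and point `base_url` at the server. With `UserDir disable` every name answers the same as the baseline and the leak list is empty; with `UserDir public_html` the 403/200 answers for real accounts stand out against the 404 baseline. If you do need per-user directories, mod_userdir also accepts the allow-list form `UserDir disabled` followed by `UserDir enabled user1 user2`, which limits the oracle to the names you explicitly list.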