Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2005/03/30 12:58:48 UTC
RFC: UserDir off by default for 2.1/2.2
Enabling UserDir by default can allow remote users to determine whether
a given username is valid on the system or not, even if no users have a
public_html directory, from the difference between a 403 from a chmod
700 /home/realuser and a 404 from not finding /home/nosuchuser.
After a few iterations which did confuse people, we ended up using text
like this for the default Red Hat-packaged httpd.conf:
Index: docs/conf/httpd-std.conf.in
===================================================================
--- docs/conf/httpd-std.conf.in (revision 159354)
+++ docs/conf/httpd-std.conf.in (working copy)
@@ -368,7 +368,19 @@
# the default access control for these directories, as in the example below.
#
<IfModule userdir_module>
- UserDir public_html
+ #
+ # UserDir is disabled by default since it can confirm the presence
+ # of a username on the system (depending on home directory
+ # permissions).
+ #
+ UserDir disable
+
+ #
+ # To enable requests to /~user/ to serve the user's public_html
+ # directory, remove the "UserDir disable" line above, and uncomment
+ # the following line instead:
+ #
+ #UserDir public_html
</IfModule>
#
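Review bot: this hunk only touches docs/conf/httpd-std.conf.in, so the Windows default config (which André Malo points out in his reply) would still ship with `UserDir public_html` enabled; the same comment block and `UserDir disable` line should be applied to that file as well. A smaller point: the unchanged context line "# the default access control for these directories, as in the example below." now sits directly above a disabled directive, so rewording it along the lines of "if you enable UserDir, also set the access control for these directories, as in the example below" would avoid implying the example applies by default.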
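The 403-versus-404 difference Joe describes is also visible from the server side: a client walking /~name/ for many names and collecting only 403 and 404 answers is probing for valid usernames. The following detection script is an added example, not code from the thread or from httpd; it parses constructed common-log-format lines (the IPs, names and timestamps are made up) and reports, per client, which names got a 403 (home directory exists, per the thread's chmod 700 case) and which got a 404.

```python
import re
from collections import defaultdict

# Constructed sample access_log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2005:12:58:48 +0000] "GET /~alice/ HTTP/1.1" 403 294
203.0.113.5 - - [30/Mar/2005:12:58:49 +0000] "GET /~bob/ HTTP/1.1" 404 289
203.0.113.5 - - [30/Mar/2005:12:58:49 +0000] "GET /~carol/ HTTP/1.1" 404 289
203.0.113.5 - - [30/Mar/2005:12:58:50 +0000] "GET /~dave/ HTTP/1.1" 403 294
203.0.113.5 - - [30/Mar/2005:12:58:50 +0000] "GET /~erin/ HTTP/1.1" 404 289
198.51.100.7 - - [30/Mar/2005:13:01:02 +0000] "GET /~alice/index.html HTTP/1.1" 200 1043
198.51.100.7 - - [30/Mar/2005:13:01:03 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# Common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) "
)
USERDIR_RE = re.compile(r"^/~([^/?]+)")  # first path segment after /~


def parse_line(line):
    """Return (ip, username, status) for a /~user request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = USERDIR_RE.match(m.group("path"))
    if not u:
        return None
    return m.group("ip"), u.group(1), int(m.group("status"))


def find_userdir_probing(log_text, min_distinct_users=3):
    """Flag clients that requested /~name for many distinct names and got
    403 or 404 back. 403 means the home directory exists (name confirmed);
    404 means it does not. Returns {ip: {"confirmed": [...], "missing": [...]}}."""
    per_ip = defaultdict(lambda: {"confirmed": set(), "missing": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, status = rec
        if status == 403:
            per_ip[ip]["confirmed"].add(user)
        elif status == 404:
            per_ip[ip]["missing"].add(user)
    flagged = {}
    for ip, buckets in per_ip.items():
        if len(buckets["confirmed"] | buckets["missing"]) >= min_distinct_users:
            flagged[ip] = {k: sorted(v) for k, v in buckets.items()}
    return flagged
```

The 200 responses from the second client are ignored on purpose: a successful fetch of an existing public_html is normal use, whereas a run of 403/404 answers across distinct names is what the disabled-by-default setting in the patch removes.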
Re: RFC: UserDir off by default for 2.1/2.2
Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, 30 Mar 2005 17:33:58 +0200, André Malo <nd...@perlig.de> wrote:
> * Joe Orton wrote:
>
> > Enabling UserDir by default can allow remote users to determine whether
> > a given username is valid on the system or not, even if no users have a
> > public_html directory, from the difference between a 403 from a chmod
> > 700 /home/realuser and a 404 from not finding /home/nosuchuser.
> >
> > After a few iterations which did confuse people, we ended up using text
> > like this for the default Red Hat-packaged httpd.conf:
>
> +1 (and don't forget the windows default config)
+1 here as well
Re: RFC: UserDir off by default for 2.1/2.2
Posted by André Malo <nd...@perlig.de>.
* Joe Orton wrote:
> Enabling UserDir by default can allow remote users to determine whether
> a given username is valid on the system or not, even if no users have a
> public_html directory, from the difference between a 403 from a chmod
> 700 /home/realuser and a 404 from not finding /home/nosuchuser.
>
> After a few iterations which did confuse people, we ended up using text
> like this for the default Red Hat-packaged httpd.conf:
+1 (and don't forget the windows default config)
nd
--
Winnetous Erbe: <http://pub.perlig.de/books.html#apache2>
Re: RFC: UserDir off by default for 2.1/2.2
Posted by Astrid Keßler <ke...@kess-net.de>.
JO> Enabling UserDir by default can allow remote users to determine whether
JO> a given username is valid on the system or not, even if no users have a
JO> public_html directory, from the difference between a 403 from a chmod
JO> 700 /home/realuser and a 404 from not finding /home/nosuchuser.
JO> After a few iterations which did confuse people, we ended up using text
JO> like this for the default Red Hat-packaged httpd.conf:
+1 on patch
Kess
Re: RFC: UserDir off by default for 2.1/2.2
Posted by Erik Abele <er...@codefaktor.de>.
On 31.03.2005, at 18:54, Roy T. Fielding wrote:
> IMO, it should be off by default on all httpd versions, just
> as the config should default to no access. Personally, I would
> prefer that all of the defaults be set internal to the server
> such that a running httpd with an empty status file would only
I presume you meant *config* instead of *status* file?
> be capable of responding successfully to "/" with a simple
> "You need to configure the server now." Everything else should
> be a 403 or 404 until it is explicitly configured.
Not that I'd volunteer to implement that but I really like the approach.
> +1 on patch.
Same here, +1.
Cheers,
Erik
Re: RFC: UserDir off by default for 2.1/2.2
Posted by "Roy T. Fielding" <fi...@gbiv.com>.
IMO, it should be off by default on all httpd versions, just
as the config should default to no access. Personally, I would
prefer that all of the defaults be set internal to the server
such that a running httpd with an empty status file would only
be capable of responding successfully to "/" with a simple
"You need to configure the server now." Everything else should
be a 403 or 404 until it is explicitly configured.
+1 on patch.
....Roy