Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2005/03/30 12:58:48 UTC

RFC: UserDir off by default for 2.1/2.2

Enabling UserDir by default can allow remote users to determine whether
a given username is valid on the system or not, even if no users have a
public_html directory, from the difference between a 403 from a chmod
700 /home/realuser and a 404 from not finding /home/nosuchuser.

After a few iterations which did confuse people, we ended up using text
like this for the default Red Hat-packaged httpd.conf:

Index: docs/conf/httpd-std.conf.in
===================================================================
--- docs/conf/httpd-std.conf.in	(revision 159354)
+++ docs/conf/httpd-std.conf.in	(working copy)
@@ -368,7 +368,19 @@
 # the default access control for these directories, as in the example below.
 #
 <IfModule userdir_module>
-    UserDir public_html
+    #
+    # UserDir is disabled by default since it can confirm the presence
+    # of a username on the system (depending on home directory
+    # permissions).
+    #
+    UserDir disable
+
+    #
+    # To enable requests to /~user/ to serve the user's public_html
+    # directory, remove the "UserDir disable" line above, and uncomment
+    # the following line instead:
+    # 
+    #UserDir public_html
 </IfModule>
 
 #
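
Review bot: the comment-only line directly above `#UserDir public_html` is `# ` with a trailing space; drop the space so the shipped default config is whitespace-clean. As a reply downthread notes, the Windows default config needs the same `UserDir disable` block, ideally in the same commit, so the two shipped defaults do not diverge.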

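As an added example (not part of the thread and not httpd code): a small Python check, from the defender's side, that scans Apache combined-format access logs for a single client walking through many distinct /~user/ paths and receiving only the 403/404 answers described above, which is the footprint of the oracle on a server that still has UserDir enabled. The log lines, client addresses and the `min_distinct_users` threshold are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Apache combined log format (standard layout; the lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?]+)')

SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2005:12:58:48 +0000] "GET /~alice/ HTTP/1.1" 403 298 "-" "curl/7.10"
203.0.113.7 - - [30/Mar/2005:12:58:49 +0000] "GET /~bob/ HTTP/1.1" 404 301 "-" "curl/7.10"
203.0.113.7 - - [30/Mar/2005:12:58:49 +0000] "GET /~carol/ HTTP/1.1" 404 301 "-" "curl/7.10"
203.0.113.7 - - [30/Mar/2005:12:58:50 +0000] "GET /~dave/ HTTP/1.1" 403 298 "-" "curl/7.10"
203.0.113.7 - - [30/Mar/2005:12:58:50 +0000] "GET /~erin/ HTTP/1.1" 404 301 "-" "curl/7.10"
198.51.100.2 - - [30/Mar/2005:13:01:02 +0000] "GET /~alice/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [30/Mar/2005:13:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_userdir_probing(log_text, min_distinct_users=3):
    """Return {client_ip: {"users": n, "statuses": {code: count}}} for clients that
    requested at least min_distinct_users different /~user/ paths and got nothing
    but 403/404 back, i.e. the valid-user/unknown-user oracle and no real content."""
    per_client = defaultdict(lambda: {"users": set(), "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        um = USERDIR_RE.match(rec["path"])
        if um is None:
            continue  # not a UserDir request
        entry = per_client[rec["ip"]]
        entry["users"].add(um.group("user"))
        entry["statuses"][rec["status"]] += 1
    hits = {}
    for ip, entry in per_client.items():
        oracle_only = entry["statuses"]["403"] + entry["statuses"]["404"]
        if (len(entry["users"]) >= min_distinct_users
                and oracle_only == sum(entry["statuses"].values())):
            hits[ip] = {"users": len(entry["users"]),
                        "statuses": dict(entry["statuses"])}
    return hits
```

A client that only ever fetches its own /~user/ page with a 200 is not reported, so the check stays quiet on normal UserDir traffic.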
Re: RFC: UserDir off by default for 2.1/2.2

Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, 30 Mar 2005 17:33:58 +0200, André Malo <nd...@perlig.de> wrote:
> * Joe Orton wrote:
> 
> > Enabling UserDir by default can allow remote users to determine whether
> > a given username is valid on the system or not, even if no users have a
> > public_html directory, from the difference between a 403 from a chmod
> > 700 /home/realuser and a 404 from not finding /home/nosuchuser.
> >
> > After a few iterations which did confuse people, we ended up using text
> > like this for the default Red Hat-packaged httpd.conf:
> 
> +1 (and don't forget the Windows default config)

+1 here as well

Re: RFC: UserDir off by default for 2.1/2.2

Posted by André Malo <nd...@perlig.de>.
* Joe Orton wrote:

> Enabling UserDir by default can allow remote users to determine whether
> a given username is valid on the system or not, even if no users have a
> public_html directory, from the difference between a 403 from a chmod
> 700 /home/realuser and a 404 from not finding /home/nosuchuser.
>
> After a few iterations which did confuse people, we ended up using text
> like this for the default Red Hat-packaged httpd.conf:

+1 (and don't forget the Windows default config)

nd
-- 
Winnetous Erbe: <http://pub.perlig.de/books.html#apache2>

Re: RFC: UserDir off by default for 2.1/2.2

Posted by Astrid Keßler <ke...@kess-net.de>.
JO> Enabling UserDir by default can allow remote users to determine whether
JO> a given username is valid on the system or not, even if no users have a
JO> public_html directory, from the difference between a 403 from a chmod
JO> 700 /home/realuser and a 404 from not finding /home/nosuchuser.

JO> After a few iterations which did confuse people, we ended up using text
JO> like this for the default Red Hat-packaged httpd.conf:

+1 on patch

Kess


Re: RFC: UserDir off by default for 2.1/2.2

Posted by Erik Abele <er...@codefaktor.de>.
On 31.03.2005, at 18:54, Roy T. Fielding wrote:

> IMO, it should be off by default on all httpd versions, just
> as the config should default to no access.  Personally, I would
> prefer that all of the defaults be set internal to the server
> such that a running httpd with an empty status file would only

I presume you meant *config* instead of *status* file?

> be capable of responding successfully to "/" with a simple
> "You need to configure the server now."  Everything else should
> be a 403 or 404 until it is explicitly configured.

Not that I'd volunteer to implement that but I really like the approach.

> +1 on patch.

Same here, +1.

Cheers,
Erik

Re: RFC: UserDir off by default for 2.1/2.2

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
IMO, it should be off by default on all httpd versions, just
as the config should default to no access.  Personally, I would
prefer that all of the defaults be set internal to the server
such that a running httpd with an empty status file would only
be capable of responding successfully to "/" with a simple
"You need to configure the server now."  Everything else should
be a 403 or 404 until it is explicitly configured.

+1 on patch.

....Roy