On Wed, Jan 28, 2004 at 08:30:49AM -0500, Rich Bowen wrote:
> On a related note, I'd like to discuss whether we want to have UserDir
> disabled by default.
> Pros) Improved default security
> Cons) Increased tech support questions about enabling this feature
I agree it should be disabled by default: we've had it disabled by
default in the stock httpd.conf in Red Hat's httpd packages for a while.
The ability for remote users to determine the presence of a given user ID
using the default config is an unacceptable information leak IMO.
It does confuse a few people, though I don't think we've had any bug
reports since we tweaked the wording to be as follows:
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disable
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html
</IfModule>
Regards,
joe
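
The check below is an added example, not part of the original message or of any Apache or Red Hat tooling: it reads the text of a single httpd.conf and reports whether /~user/ translation is switched off. The function name, verdict strings and sample configs are constructed for illustration, and the sketch assumes one file with no Include resolution or per-virtual-host merging.

```python
import re

# An active (uncommented) UserDir directive and its arguments.
USERDIR_RE = re.compile(r"^\s*UserDir\s+(\S.*?)\s*$", re.IGNORECASE)

def userdir_state(conf_text):
    """Return 'disabled', 'enabled-for-listed-users', 'enabled' or 'not-set'."""
    global_disable = False
    enabled_users = set()
    pattern = None
    for line in conf_text.splitlines():
        m = USERDIR_RE.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        keyword, *users = m.group(1).split()
        if keyword.lower() in ("disable", "disabled"):
            if not users:
                global_disable = True  # bare keyword: off for everyone
            # With a list of names only those users are blocked; the
            # remaining accounts can still be probed via /~user/.
        elif keyword.lower() in ("enable", "enabled"):
            enabled_users.update(users)
        else:
            pattern = m.group(1)  # directory pattern, e.g. public_html
    if global_disable:
        # Conservative: any explicitly enabled user is reported as exposed.
        return "enabled-for-listed-users" if enabled_users else "disabled"
    # 'not-set' means the outcome depends on the server's built-in default,
    # which this sketch does not assume.
    return "enabled" if pattern else "not-set"

# Constructed sample: the stock block quoted in the message above.
STOCK = """<IfModule mod_userdir.c>
UserDir disable
#UserDir public_html
</IfModule>"""

# Constructed sample: the same block after following its enable instructions.
EDITED = """<IfModule mod_userdir.c>
UserDir public_html
</IfModule>"""

# Constructed sample: global disable with an allow-list (user names invented).
LISTED = "UserDir disabled\nUserDir enabled alice bob\nUserDir public_html"

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("edited", EDITED), ("listed", LISTED)):
        print(name, "->", userdir_state(conf))
```

A "disabled" verdict covers only the configuration side; whether an enabled setup actually confirms usernames still depends on home directory permissions, as the config comment says.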