From: Ken Coar
Date: Wed, 2 Jul 1997 02:22:04 +0000 (+0000)
Subject: Add documentation of new syntaxes for UserDir {disable|enable}, and
X-Git-Tag: dg_last_1_2_doc_merge~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1abee768e81020d82bd778e7e6bf655803fbfd82;p=thirdparty%2Fapache%2Fhttpd.git

Add documentation of new syntaxes for UserDir {disable|enable}, and
a nod in the security_tips for "UserDir disabled root".

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@78492 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html index cba41ada90f..dc08450aeda 100644 --- a/docs/manual/misc/security_tips.html +++ b/docs/manual/misc/security_tips.html @@ -170,7 +170,13 @@ Also be wary of playing games with the >UserDir directive; setting it to something like "./" would have the same effect, for root, as the first example above. +If you are using Apache 1.3 or above, we strongly recommend that you +include the following line in your server configuration files:

+
+
UserDir disabled root +
+

Please send any other useful security tips to The Apache Group diff --git a/docs/manual/mod/mod_userdir.html b/docs/manual/mod/mod_userdir.html index cca87f5020e..50ac7844658 100644 --- a/docs/manual/mod/mod_userdir.html +++ b/docs/manual/mod/mod_userdir.html @@ -33,13 +33,37 @@ is compiled in by default. It provides for user-specific directories. Status: Base
Module: mod_userdir
Compatibility: All forms except the UserDir -public_html form are only available in Apache 1.1 or above.

+public_html form are only available in Apache 1.1 or above. Use +of the enabled keyword, or disabled with a +list of usernames, is only available in Apache 1.3 and above.

The UserDir directive sets the real directory in a user's home directory to use when a request for a document for a user is received. -Directory is either disabled, to disable this feature, - or the name of a directory, following one of the following -patterns. If not disabled, then a request for +Directory/filename is one of the following: +

+ +

+If neither the enabled nor the disabled +keywords appear in the Userdir directive, the argument is +treated as a filename pattern, and is used to turn the name into a +directory specification. A request for http://www.foo.com/~bob/one/two.html will be translated to:

 UserDir public_html     -> ~bob/public_html/one/two.html
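Review bot: The added paragraph in mod_userdir.html spells the directive "Userdir" ("keywords appear in the Userdir directive"), while every other mention in this patch, including the examples directly below it, uses "UserDir"; use the same capitalisation throughout so a reader searching the manual for the directive name finds this paragraph. The compatibility note also names the keywords enabled and disabled, whereas the commit subject writes {disable|enable}, so it is worth confirming that the documented spelling is the one the directive accepts.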
@@ -52,23 +76,28 @@ UserDir http://www.foo.com/users   -> http//www.foo.com/users/bob/one/two.html
 UserDir http://www.foo.com/*/usr   -> http://www.foo.com/bob/usr/one/two.html
 UserDir http://www.foo.com/~*/     -> http://www.foo.com/~bob/one/two.html
 
- -

- -Be careful when using this directive; for instance, "UserDir -./" would map "/~root" to -"/" - which is probably undesirable. See also -the -<Directory> -directive and the -Security Tips -page for more information. -

+
+ + Be careful when using this directive; for instance, + "UserDir ./" would map + "/~root" to + "/" - which is probably undesirable. If you are + running Apache 1.3 or above, it is strongly recommended that your + configuration include a + "UserDir disabled root" declaration. + See also + the + <Directory> + directive and the + Security Tips + page for more information. + +
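Review bot: In the security_tips.html hunk, the new recommendation is scoped to "Apache 1.3 or above" and leaves administrators of earlier versions with no guidance, even though the mod_userdir.html compatibility note in this same patch says that disabled with a list of usernames is only available in 1.3 and above. Consider adding a sentence that says what to do on a pre-1.3 server, or at least that the line is not supported there, so nobody assumes it protects an older installation from the "/~root" mapping described just above.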
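Review bot: In the last mod_userdir.html hunk, the warning paragraph is removed and re-added with new indentation, so the one substantive change, the sentence recommending a "UserDir disabled root" declaration, is hard to pick out from the whitespace churn. Consider leaving the existing lines as they were and adding only the new sentence. Separately, the example shown in this hunk's @@ context line reads "http//www.foo.com/users/bob/one/two.html", missing the colon after "http"; since the patch already touches this section, that would be worth correcting in the same change.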