How to disable /~user/

Discussion in 'General Discussion' started by promak, Jul 17, 2003.

  1. promak

    Hi, I want to disable http://mydomain/~user/

    Where in /etc/httpd/conf/httpd.conf can I disable it?

    Thank You!

    ^_^ "

  2. hormigo

    "You can't" I think...

  3. pagedeveloping

    I think you can do this in WHM 7.2 under tweak security settings.

    Or do I misunderstand that feature!!!!

  4. paul-ukhost

    You can turn it off using "mod_userdir Tweak" in tweak security settings.

    If you operate shared SSL on your servers then I wouldn't enable this ;)
     
  5. NeutralGold

    Umm, that's for bandwidth, right? So that when you create a user prior to their DNS updating, the bandwidth usage doesn't get sent to www.yourhost.com when it should go to the user's bandwidth usage.
    I think I read that right.
    It explained how when you create an account on say http://yourhost.com and then the user uses http://yourhost.com/~user/, all the bandwidth is being charged to http://yourhost.com instead of the user. Enabling that feature makes it so that the bandwidth gets charged to the correct person.. Just going from memory... :D

  6. promak

    Bandwidth is one of the problems,
    and I don't want to show http://yourhost.com/~user/cgi-bin/
    too, where they can see what I put inside! I don't want to put an index page in every customer's cgi-bin!

    I know it can be disabled via /etc/httpd/conf/httpd.conf

    but I forgot which line it is!

  7. pagedeveloping

    Holy cow!! You can see the cgi-bin from this link...

    Anyone have a solution... this is not good for nosey people!

  8. promak

    Do you remember Interchange?

    If I enable it for my customer, their customers will know their link!

    http://yourhost/~user/cgi-bin/cart.cgi/index.html

    ^_^"

    So I don't think I will enable Interchange for my customer!

  9. PWSowner

    I never noticed that before. With the proper URL you get the appropriate 403 page, but that way you do see what's in that directory. Hopefully there's a solution to this.
     
  10. tAzMaNiAc

    I hope y'all know that now that you posted this "nice" little bug, there'll be people running to your servers to try the latest attempt at messing stuff up. :)

    brenden

  11. pagedeveloping

    Any "intelligent hacker" would have figured this out a long time ago.

    And as far as people running!!! to /~username, that would mean that they would have to know the username..

    :D

  12. tAzMaNiAc

    True.. Hehehe :D

  13. promak

  14. pagedeveloping

    Back to your question!

    Here is what I did and it worked fine!

    First back up your httpd.conf "always back up before editing"

    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/backuphttpd.conf

    Now edit /usr/local/apache/conf/httpd.conf

    Scroll down to

    <IfModule mod_userdir.c>
    Userdir public_html
    </IfModule>

    and change it to this

    <IfModule mod_userdir.c>
    Userdir disabled
    Userdir enabled user user2
    </IfModule>

    Only enter "Userdir enabled" with the username or names of the accounts that need access through shared SSL.

    I only have one account that needs to access through shared SSL so I put
    <IfModule mod_userdir.c>
    Userdir disabled
    Userdir enabled powered
    </IfModule>

    powered being the username.

    Now save and restart httpd

    It works!!!

    hope this helps out!

    If anyone has a better way to do this, feel free to let us know

    :)

  15. tAzMaNiAc

    Re: Re: How to disable /~user/

    This restricts your client's ability to access their webspace until the domain is registered and up/working. Domain registrations take 1-2 days to be fully propagated... FYI.

    This is the case for the ~..
    I could give my client http://myserver.com/~newclientname
    and they'd be able to upload, check their webpage way before the domain was activated.

    Brenden

  16. Website Rob

    That's the whole point though, restricting who does have access to using a ~ for their account access. Once the Domain name has propagated they did not need to continue using a ~ and racking up Data Transfer on "your" IP. Making tracking various things a lot easier as well. ;)

    Does create some problems for people using a Shared SSL and/or Resellers setting up their Clients, but they can always be included by using temporary or permanent inclusion as shown above.

    Which BTW, although it may not make a difference:

    <IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled
    UserDir enabled accountID1 accountID2 accountID3
    </IfModule>

    Is what I use. Being able to insert/delete Clients, according to their AccountID, is very handy. I usually give new Clients 3 days and a bit, for their Domain name transfer which seems to work well; before removing them from "enabled", if they no longer need it.

     
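As an added example (not part of any post in this thread, and not cPanel's own code), the Python below applies mod_userdir's keyword precedence to the UserDir lines in configurations like the two posted above and reports which accounts still answer on /~user/. The account names olduser and newclient are made up for the sample, and the directory pattern and version-specific defaults are not modelled.

```python
# Added example, not code from the thread: which accounts still answer on /~user/?

# Constructed sample. "powered" is the account named in the thread;
# "olduser" and "newclient" are made-up account names.
USERDIR_SAMPLE = """\
<IfModule mod_userdir.c>
UserDir public_html
UserDir disabled
UserDir disabled olduser
Userdir enabled powered olduser
</IfModule>
"""

def parse_userdir(conf_text):
    """Collect the state built up by every UserDir line in httpd.conf text."""
    state = {"global_off": False, "enabled": set(), "disabled": set(), "paths": []}
    for raw in conf_text.splitlines():
        parts = raw.split()
        # Skip blanks, comments, and other directives (names are case-insensitive).
        if len(parts) < 2 or parts[0].startswith("#") or parts[0].lower() != "userdir":
            continue
        keyword, users = parts[1].lower(), parts[2:]
        if keyword == "disabled" and not users:
            state["global_off"] = True          # bare "disabled": off for everyone
        elif keyword == "disabled":
            state["disabled"].update(users)     # named users: always off
        elif keyword == "enabled":
            state["enabled"].update(users)      # exceptions to the global switch
        else:
            state["paths"].extend(parts[1:])    # anything else is a directory pattern
    return state

def tilde_allowed(state, user):
    """Apply the precedence: disabled list first, then enabled list, then global."""
    if user in state["disabled"]:
        return False
    return user in state["enabled"] or not state["global_off"]

def exposed_accounts(conf_text, accounts):
    """Return the accounts whose /~user/ URL is still translated."""
    state = parse_userdir(conf_text)
    return [a for a in accounts if tilde_allowed(state, a)]

if __name__ == "__main__":
    print(exposed_accounts(USERDIR_SAMPLE, ["powered", "olduser", "newclient"]))
```

Running it against the live httpd.conf with the server's account list shows at a glance who is still on the "enabled" line after their domain has propagated.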
  17. pagedeveloping

    FYI


    It is best to wait till your client's domain has resolved! It saves the hassle of going over support tickets that complain "I have uploaded my site but I still can't see it!"

    I've been in this business for a few years to know that your client's security is more important than uploading a web site before two days of full propagation.. With a little bit of support your client will understand.

    If you feel that your client needs to get things started beforehand then add them to the "UserDir enabled" till their web site resolves. Simple as that!

  18. tAzMaNiAc

    Website Rob, Pagedeveloping:

    Correct.. I was just pointing something out without thinking. Pardon me :)

    You can do that alternative thing in httpd.conf, that sounds like a good plan (for keeping shared SSL only). I have no real need for ~ anyway except for clients who demand to see access now. Only had a couple of them, so.

    Thanks for the corroboration. Others can also pick up on this thread and learn some too.

    Brenden

  19. promak

    Thank You For All of your Help!

  20. SarcNBit

    Restricting access via mod_userdir does not really address the central question here.

    How would that stop someone from browsing to http://FQDN/cgi-bin/ and listing the contents?

    If you want to eliminate the listing of directory contents without inserting a valid default document (index.htm or whatever you have configured), you need to edit your httpd.conf.

    Look for <Directory "/usr/local/apache/htdocs"> and following it you should see something like

    Options Indexes FollowSymLinks MultiViews

    If you remove the word Indexes so that the line looks like

    Options FollowSymLinks MultiViews

    Then you should no longer see directory listings in the absence of a default document.

    If you have users that rely on mod_autoindex for some directories, you could direct them to create an .htaccess file for that particular directory with

    Options Indexes

    as the content. That should allow one off directories to display file indexes.
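As an added example (not part of the post above), the Python below audits each <Directory> block of an httpd.conf for the Options change described there, and also checks whether AllowOverride lets a per-directory .htaccess set Options at all, which the .htaccess approach depends on. The sample configuration is constructed and its second path is made up. Each block is checked on its own; inheritance between nested sections is not modelled.

```python
import re

# Constructed sample httpd.conf fragment; the second <Directory> path is made up.
OPTIONS_SAMPLE = """\
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
<Directory "/home/example/public_html/cgi-bin">
    Options -Indexes +ExecCGI
    AllowOverride Options
</Directory>
"""

def audit_directories(conf_text):
    """Return {path: {"indexes": bool, "htaccess_can_reenable": bool}} per block."""
    report, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
            report[current] = {"indexes": False, "htaccess_can_reenable": False}
        elif re.match(r"</Directory\s*>", line, re.I):
            current = None
        elif current and line and not line.startswith("#"):
            name, *args = line.split()
            if name.lower() == "options":
                on = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
                # "All" switches on every option except MultiViews, Indexes included.
                report[current]["indexes"] = bool(on & {"indexes", "all"})
            elif name.lower() == "allowoverride":
                allowed = {a.lower().split("=")[0] for a in args}
                # .htaccess may only set Options if AllowOverride permits it.
                report[current]["htaccess_can_reenable"] = bool(allowed & {"options", "all"})
    return report

def listing_enabled(conf_text):
    """Paths where a directory without a default document gets listed."""
    return [p for p, r in audit_directories(conf_text).items() if r["indexes"]]

if __name__ == "__main__":
    for path, result in audit_directories(OPTIONS_SAMPLE).items():
        print(path, result)
```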
     