(Home >> Security Center >> Apache mod_userdir Tweak)
The Apache mod_userdir module allows for visitors to access a user's website via a URL that contains that user's username. For example:
http://host.example.com/~username http://example.net/~username http://192.168.0.20/~username
Most servers use the
mod_userdir Apache module as a temporary URL system that allows users to view their websites. This temporary URL system functions even if the system has not configured DNS or the domain does not yet point to the server.
When you enable the
The Apache mod_userdir Tweak interface allows you to disable the
mod_userdir functionality for your users.
mod_userdir access, perform the following steps:
To enable mod_userdir functionality for specific hosts, select the appropriate Exclude Protection checkboxes.
This will allow for all users to access content on the host via mod_userdir. It is recommend that you only enable mod_userdir functionality on the DefaultHost.
To allow all of your users to access their own accounts through the
Do not select the Exclude Protection checkbox on a user's domain if you only wish to allow an individual user to access their site with a
You own the following three cPanel accounts:
Arthur’s domain resolves, but Betty’s and Charles’ domains do not yet resolve.
mod_userdir protection for the server to deny one user the ability to use another user's bandwidth, select the Enable mod_userdir Protection checkbox.
However, if you still want to allow Betty and Charles to use Arthur’s domain to see their sites, perform the following steps:
betty charlesin the Additional Users text box.
Betty and Charles can browse their sites with the following URLs:
If a shared SSL certificate is installed for a virtual host on a shared IP address, you can share that SSL certificate with users on the same IP address. This allows them to access their sites securely without a browser warning.
For example, if an SSL certificate is installed on
host.example.com and you select the Exclude Protection checkbox for DefaultHost (nobody), the
username cPanel user can access
We strongly recommend that you restrict
mod_userdir functionality for most of your users. There are potential security issues that
mod_userdir can expose.
mod_userdir, then their bandwidth usage will not be recorded correctly. This can also potentially allow for one user to use the bandwidth of another.
When you disable
mod_userdir protection for a host, it is recommended that you do not exclude the entire host, but rather exclude only specific users via the "Additional Users" field.
Before you enable the
mod_userdir module, be aware of the following information:
Java servlets do not work with
mod_userdir-based URLs. This is because Tomcat requires that you add additional directives to the virtual host.
open_basedir protection restricts PHP's access to the home directory of the user who owns the base domain, not the home directory of the user account that a visitor accesses. If you enable
open_basedirprotection in WHM's Apache mod_userdir Tweak interface (Home >> Security Center >> PHP open_basedir Tweak), visitors cannot access some sites via the
Under certain conditions, a user can attack another user's account if they access a malicious script through a
Websites that use the
mod_rewrite or other directives in their
.htaccess files will not function correctly when visitors view them through
mod_ruid2module, then the
mod_userdirmodule will not function correctly. For more information, read our Apache Module: ModRuid2 documentation.
The following table describes when the Symlink Race Condition Protection option blocks
|The requested URL includes a file and does not belong to the owner of the file.||Blocked.|
|The requested URL includes a file and an IP address that belongs to another account.||Blocked.|
|The requested URL contains a directory.||Not blocked.|
|You wish to access the server's hostname.||Not blocked.|
Before you disable
mod_userdir protection, be aware of the following information:
mod_userdirfunctionality, it does not remove the module itself. Some PCI compliance scans may still detect it.
mod_userdirmodule uses virtual hosts.
mod_userdirmodule in most cases.