RE: Secure CGI Implementation
This is what I would like to set up because I would like to offer server
space to one user aside from myself that I trust, and who will need to make
modifications to his scripts via SFTP (using SSH2); but I would like to be
protected in the event of his user name and password being discovered, and
in the event of him making a mistake in his setups.
Directory Structure, Users and Groups, and Permissions
apache = apache daemon
admingroup = {me}
/www
/users {Server Document Root} {apache:rwx admingrp:rw: w:--}
/usr1/logs {apache:rwx usr1:rw: w:--}
/usr1/public_html {VirtualHost1 DocumentRoot} {usr1:rwx usr1:rw: w:--}
/directory/*.htm{usr1:rwx usr1:rw: w:--}
/usr1/cgi-bin {usr1:rwx usr1:rw: w:--} ????
/directory {usr1:rwx usr1:rw: w:--}
/*.cgi {usr1:rwx usr1:rw: w:--}
/directory
/usr2/logs
/usr2/public_html {VirtualHost2 DocumentRoot}
/usr2/cgi-bin
httpd.conf
Global Server Settings
DocumentRoot "/www/users"
<Directory "/www/users">
Options ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
No Script Alias or <Directory "/cgi-bin"> containers.
VirtualHost containers
NameVirtualHost 000etc
<VirtualHost 000etc>
UseCanonicalName off
ServerName www.domain1.com
ServerAlias domain1.com *.domain1.com domain1
DocumentRoot "/www/users/usr1/public_html"
ServerAdmin me@domain1.com
ScriptAlias /cgi-bin/ "/www/users/usr1/cgi-bin/"
ErrorLog /www/users/usr1/log/www.domain1.com-error.log
CustomLog /www/users/usr1/log/www.domain1.com-access.log combined
<Directory "/www/users/usr1/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost 000etc>
UseCanonicalName off
ServerName www.domain2.com
ServerAlias domain2.com *.domain2.com domain2
DocumentRoot "/www/users/usr2/public_html"
ServerAdmin me@domain2.com
ScriptAlias /cgi-bin/ "/www/users/usr2/cgi-bin/"
ErrorLog /www/users/usr2/log/www.domain2.com-error.log
CustomLog /www/users/usr2/log/www.domain2.com-access.log combined
<Directory "/www/users/usr2/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
If necessary, this way I can change one user's cgi-bin to "cgi-local", or
"cgi-1" although this still does not make good sense to me and does not fit
in with what I see or what is given as examples in the tutorials out there
(I would like to know how my host for BuddhaDust has been able to give me
"cgi-local" under my document root with me as owner and user...I will ask
next chance I get).
This nearly puts me back at my original configuration with an additional
layer /users/ above the Main Server Document Root and it places the user's
cgi-bin beside, not under their VirtualHost DocumentRoot. If this does not
look right I would VERY MUCH appreciate anyone who would take the time to
change the setups I have here to actually show me by example what should
work. Theoretical explanations just are not getting through to me.
Best Wishes!
Mike Olds www.buddhadust.org
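
The configuration from the message above with the weak global setting shown beside a tightened one, as an added example that is not part of the original post. It keeps the post's paths, its "000etc" address placeholder and its Order/Allow syntax; only the usr1 host is shown.

```apache
# As posted (weak): every directory below /www/users inherits ExecCGI and
# honours .htaccess, so a .htaccess dropped into public_html can mark any
# uploaded file as a CGI script (AddHandler/SetHandler/Options).
#   <Directory "/www/users">
#       Options ExecCGI
#       AllowOverride All
#   </Directory>

# Tightened default: nothing executes, no .htaccess is read.
<Directory "/www/users">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

NameVirtualHost 000etc

<VirtualHost 000etc>
    UseCanonicalName off
    ServerName www.domain1.com
    ServerAlias domain1.com *.domain1.com domain1
    ServerAdmin me@domain1.com

    # Static content only; inherits Options None / AllowOverride None.
    DocumentRoot "/www/users/usr1/public_html"

    # Scripts live beside, not under, the DocumentRoot and are reachable
    # only through this alias.
    ScriptAlias /cgi-bin/ "/www/users/usr1/cgi-bin/"
    <Directory "/www/users/usr1/cgi-bin">
        AllowOverride None
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

    # The directory must exist before httpd starts and should not be
    # writable by usr1; the tree in the post calls it "logs".
    ErrorLog /www/users/usr1/log/www.domain1.com-error.log
    CustomLog /www/users/usr1/log/www.domain1.com-access.log combined
</VirtualHost>
```

The usr2 VirtualHost follows the same pattern with its own paths. Scripts in either cgi-bin still run as the apache user unless suEXEC is configured, which the post does not mention, so one user's script can read anything the apache user can.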