
RE: Secure CGI Implementation



This is what I would like to set up because I would like to offer server
space to one user aside from myself that I trust, and who will need to make
modifications to his scripts via SFTP (using SSH2); but I would like to be
protected in the event of his user name and password being discovered, and
in the event of him making a mistake in his setups.

Directory Structure, Users and Groups, and Permissions

apache = apache daemon
admingroup = {me}

/www
   /users  {Server Document Root}   {apache:rwx admingrp:rw: w:--}

      /usr1/logs {apache:rwx usr1:rw: w:--}
      /usr1/public_html   {VirtualHost1 DocumentRoot} {usr1:rwx usr1:rw: w:--}
         /directory/*.htm {usr1:rwx usr1:rw: w:--}
      /usr1/cgi-bin {usr1:rwx usr1:rw: w:--} ????
         /directory  {usr1:rwx usr1:rw: w:--}
            /*.cgi   {usr1:rwx usr1:rw: w:--}
         /directory

      /usr2/logs
      /usr2/public_html   {VirtualHost2 DocumentRoot}
      /usr2/cgi-bin

httpd.conf

   Global Server Settings

   DocumentRoot "/www/users"

   <Directory "/www/users">
   Options ExecCGI
   AllowOverride All
   Order allow,deny
   Allow from all
   </Directory>

   No Script Alias or <Directory "/cgi-bin"> containers.

VirtualHost containers

NameVirtualHost 000etc

<VirtualHost 000etc>
   UseCanonicalName off
   ServerName www.domain1.com
   ServerAlias domain1.com *.domain1.com domain1
   DocumentRoot "/www/users/usr1/public_html"
   ServerAdmin me@domain1.com
   ScriptAlias /cgi-bin/ "/www/users/usr1/cgi-bin/"
   ErrorLog  /www/users/usr1/log/www.domain1.com-error.log
   CustomLog /www/users/usr1/log/www.domain1.com-access.log combined
   <Directory "/www/users/usr1/cgi-bin">
   AllowOverride None
   Options ExecCGI
   Order allow,deny
   Allow from all
   </Directory>
</VirtualHost>

<VirtualHost 000etc>
   UseCanonicalName off
   ServerName www.domain2.com
   ServerAlias domain2.com *.domain2.com domain2
   DocumentRoot "/www/users/usr2/public_html"
   ServerAdmin me@domain2.com
   ScriptAlias /cgi-bin/ "/www/users/usr2/cgi-bin/"
   ErrorLog /www/users/usr2/log/www.domain2.com-error.log
   CustomLog /www/users/usr2/log/www.domain2.com-access.log combined
   <Directory "/www/users/usr2/cgi-bin">
   AllowOverride None
   Options ExecCGI
   Order allow,deny
   Allow from all
   </Directory>
</VirtualHost>

If necessary, this way I can change one user's cgi-bin to "cgi-local", or
"cgi-1" although this still does not make good sense to me and does not fit
in with what I see or what is given as examples in the tutorials out there
(I would like to know how my host for BuddhaDust has been able to give me
"cgi-local" under my document root with me as owner and user...I will ask
next chance I get).

This nearly puts me back at my original configuration with an additional
layer /users/ above the Main Server Document Root and it places the user's
cgi-bin beside, not under their VirtualHost DocumentRoot. If this does not
look right I would VERY MUCH appreciate anyone who would take the time to
change the setups I have here to actually show me by example what should
work. Theoretical explanations just are not getting through to me.

Best Wishes!
Mike Olds www.buddhadust.org
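
An added example, not part of the original message: a small Python check that reads an httpd.conf fragment and reports container tags that do not close the container they follow, and `Options ExecCGI` granted on a directory that also contains a DocumentRoot, so that CGI permission is not limited to the cgi-bin directories. The sample fragment is constructed from the paths in the post; the function name `lint` and the wording of the findings are assumptions.

```python
import re

# Constructed sample, modeled on the paths used in the message above.
SAMPLE = """\
<Directory "/www/users">
   Options ExecCGI
   AllowOverride All
</Directory>
<VirtualHost 000etc>
   DocumentRoot "/www/users/usr1/public_html"
   ScriptAlias /cgi-bin/ "/www/users/usr1/cgi-bin/"
   <Directory "/www/users/usr1/cgi-bin">
   AllowOverride None
   Options ExecCGI
   </Directory>
</VirtualHost2>
"""

def lint(conf):
    """Return a list of findings (hypothetical wording) for an httpd.conf fragment."""
    findings, stack, exec_dirs, docroots = [], [], [], []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        tag = re.match(r'<(/?)(\w+)\s*"?([^">]*)"?\s*>$', line)
        root = re.match(r'DocumentRoot\s+"?([^"]+)"?', line, re.I)
        if tag and not tag.group(1):          # opening container: remember it
            stack.append((tag.group(2), tag.group(3), n))
        elif tag:                             # closing container: must match the top
            if not stack or stack[-1][0].lower() != tag.group(2).lower():
                want = stack[-1][0] if stack else "nothing open"
                findings.append(f"line {n}: </{tag.group(2)}> does not close <{want}>")
            if stack:
                stack.pop()
        elif re.match(r'Options\s', line, re.I) and re.search(r'(?<![-\w])ExecCGI\b', line, re.I):
            # ExecCGI enabled (not "-ExecCGI") inside a <Directory> container
            if stack and stack[-1][0].lower() == "directory":
                exec_dirs.append(stack[-1][1].rstrip("/"))
        elif root:
            docroots.append(root.group(1).rstrip("/"))
    findings += [f"<{t}> opened on line {n} is never closed" for t, _, n in stack]
    for d in exec_dirs:
        for r in docroots:
            if r == d or r.startswith(d + "/"):
                findings.append(f"ExecCGI on {d} also covers DocumentRoot {r}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```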


