Re: Re: cgi in webb apps location
>>>>It depends from whom you want to protect yourself. If the CGI is
>>>>accessible by people on the Internet, then restricting local users
>>>>gives you nothing - they could just run the CGI via their browser.
>>>>What you must not do is make the cgi writable by the apache user. If
>>>>you do, a breach into some apache script would allow attackers to
>>>>replace your cgi.
>>>>I haven't read the webapp policy, but the regular policy states:
>>>> 11.5. Web servers and applications
>>>> ----------------------------------
>>>> This section describes the locations and URLs that should be
>>>> used by all web servers and web applications in the Debian
>>>> system.
>>>> 1. Cgi-bin executable files are installed in the directory
>>>> /usr/lib/cgi-bin/<cgi-bin-name>
>>>> and should be referred to as
>>>> http://localhost/cgi-bin/<cgi-bin-name>
>>>>CGI scripts implemented in Perl are like any other CGI script. If you
>>>>use mod_perl, then things are different.
>>>>HTH,
>>>> dam
Thx, you've been really helpfull.
I have read Webb Apps and its slightly different then regular policy,
also I have read some mails from web apps policy mailing list and seems
that
most of the guys there prefer /usr/share/PACKAGE. Application also have
some CSS and HTML parts and changing directory will mean more intrusions
in source code and
I've already made few for FSB compliance and using of dbconfig-common
(well, I will probably delete those, database doesnt have to be on same
host, so I will make two packages,
one for frontend and one for database configuration).
Regarding permission, unfortunately, web apps policy doesnt define any
guidelines there, I'm aware everything you wrote about permissions
but IP address management applications by default isnt ment to be
readable for everyone (actually, I have included htpasswd configuration
in package configuration) and thats the reason for questions about
location/permissions.
Well, seems I'm lonely in that kind of thinking so I must be wrong and I
will go with standards.
What about those scripts that can be run from command line, by default
they are not included in crontab but they can be, still /usr/bin?
I have also some questions about debconf and httpasswd configuration
because I think I have overdone that part regarding to regular "user
friendly is insult" policy :)) but I supose thats surely not for this
list. Anyway, if someone still have time and will to answer on my
questions, I'm will be happy to hear from him or her off the list.
Dam, thx again, have a great life.
Regards,
Nenad
Reply to: