
Re: Re: cgi in webb apps location

>>>>It depends on whom you want to protect yourself from. If the CGI is
>>>>accessible by people on the Internet, then restricting local users
>>>>gives you nothing - they could just run the CGI via their browser.
>>>>What you must not do is make the cgi writable by the apache user. If
>>>>you do, a breach into some apache script would allow attackers to
>>>>replace your cgi.


>>>>I haven't read the webapp policy, but the regular policy states:

>>>>    11.5. Web servers and applications
>>>>    ----------------------------------

>>>>         This section describes the locations and URLs that should be
>>>>         used by all web servers and web applications in the Debian
>>>>         system.

>>>>         1. Cgi-bin executable files are installed in the directory
>>>>                /usr/lib/cgi-bin/<cgi-bin-name>
>>>>            and should be referred to as
>>>>                http://localhost/cgi-bin/<cgi-bin-name>

>>>>CGI scripts implemented in Perl are like any other CGI script. If you
>>>>use mod_perl, then things are different.


>>>>HTH,
>>>>    dam

Thx, you've been really helpful.

I have read the Web Apps policy and it's slightly different than the regular policy. I have also read some mails from the web apps policy mailing list and it seems that most of the guys there prefer /usr/share/PACKAGE. The application also has some CSS and HTML parts, and changing the directory will mean more intrusions in the source code; I've already made a few for FSB compliance and for the use of dbconfig-common (well, I will probably delete those, the database doesn't have to be on the same host, so I will make two packages, one for the frontend and one for database configuration).

Regarding permissions, unfortunately the web apps policy doesn't define any guidelines there. I'm aware of everything you wrote about permissions, but an IP address management application by default isn't meant to be readable by everyone (actually, I have included htpasswd configuration in the package configuration), and that's the reason for the questions about location/permissions.

Well, it seems I'm alone in that kind of thinking, so I must be wrong and I will go with the standards.

What about those scripts that can be run from the command line? By default they are not included in crontab, but they can be. Still /usr/bin?

I also have some questions about debconf and htpasswd configuration, because I think I have overdone that part regarding the regular "user friendly is an insult" policy :)) but I suppose that's surely not for this list. Anyway, if someone still has the time and will to answer my questions, I will be happy to hear from him or her off the list.

Dam, thx again, have a great life.

Regards,

Nenad
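The permission point in the quoted reply above (a CGI must never be writable by the apache user) as an added audit script; this is not code from the thread or from Debian's packaging tools. It assumes GNU stat (Debian coreutils), the Debian default worker account www-data, and the policy directory /usr/lib/cgi-bin as defaults; both are parameters.

```shell
#!/bin/sh
# Added example (not from the thread): flag CGI scripts that the Apache
# worker user could modify, i.e. the condition the reply warns against.
# Assumes GNU stat; defaults are Debian's www-data and /usr/lib/cgi-bin.

# cgi_file_ok FILE [USER]: exit 0 if USER cannot write FILE by mode bits,
# exit 1 if the owner, group or other write bit gives USER write access.
cgi_file_ok() {
    file=$1
    user=${2:-www-data}
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    # Pad to four octal digits so a setuid/setgid/sticky digit never shifts
    # the rwx triplet; then keep only the last three digits.
    mode=$(printf '%04d' "$(stat -c %a "$file")")
    perm=${mode#?}
    u=${perm%??}; o=${perm#??}; g=${perm#?}; g=${g%?}
    # Owner write bit: the worker user owns the file and may write it.
    if [ "$owner" = "$user" ] && [ $((u & 2)) -ne 0 ]; then
        return 1
    fi
    # Group write bit: the file's group is one of the worker user's groups.
    for grp in $(id -Gn "$user" 2>/dev/null); do
        if [ "$grp" = "$group" ] && [ $((g & 2)) -ne 0 ]; then
            return 1
        fi
    done
    # Other write bit: world-writable means writable by the worker too.
    [ $((o & 2)) -eq 0 ]
}

# audit_cgi_bin [DIR] [USER]: list each offending file, exit 1 if any.
audit_cgi_bin() {
    dir=${1:-/usr/lib/cgi-bin}
    user=${2:-www-data}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! cgi_file_ok "$f" "$user"; then
            echo "writable by $user: $f"
            bad=1
        fi
    done
    return "$bad"
}
```

Run it as `audit_cgi_bin /usr/lib/cgi-bin www-data` after installing the package; a clean tree exits 0 and prints nothing.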



