
Bug#32263: Splitting CGI-BIN



On Thu, Sep 19, 2002 at 10:12:29AM -0400, Brian White wrote:
> >         Perhaps things have changed in the last 3 years, and they
> >  shall understand that post the /usr/doc issue policy has become more
> >  conservative?
> I'm afraid I don't understand what you mean here.

He means the best way to get something in policy is for it to be
implemented.  Of course, the best way to get many things implemented is
for them to be in policy, first, but hey, when have paradoxes stopped
us before?

> No, I mean that <webroot>/cgi-lib should point to /usr/lib/cgi-bin
> and <webroot>/cgi-bin should point to ~www-data/cgi-bin. The latter is
> what webmasters expect or, at the very least, they expect to be able to
> control <webroot>/cgi-bin.

Well, they can do that now -- all they have to do is change the cgi-bin
override in apache.conf.

The above would also seem like it would break people's websites and
bookmarks, a bit, which would seem undesirable.

What would y'all think about having cgi-bin managed more like, umm:

	/usr/lib/cgi-bin/
		<packages dump CGI scripts in here willy-nilly>
	~wwwdata/cgi-bin/
		<packages make symlinks to /usr/lib/cgi-bin/blah in postinst,
		 based on some setting in /etc/ somewhere>

So that admins can just rm symlinks to scripts they don't need, or,
if they want to be absolutely sure they don't get any cgi-bin scripts
they don't want, change the config file.

The transition could probably be something like having the web server
check the config file currently points cgi-bin at /usr/lib/cgi-bin, then
prompt, and both change the config file and make symlinks to everything
currently in /usr/lib/cgi-bin, which seems possible, reliable, and fairly
seamless, at first glance.

> I believe that <webroot>/cgi-bin should access local cgi-scripts since that
> is the traditional method and the way most webmasters lay out their site.
> I'd like to use <webroot>/cgi-lib for access to the system cgi-scripts.

Hrm. Does it really make sense to have to change all your "cgi-bin/blah"
references to "cgi-lib/blah", just because you choose to use a packaged
version of the cgi script, or vice-versa?

(I'm somewhat interested in fixing the "unwanted services becoming
available, and possibly posing a remote security risk just 'cause I
installed some package to look at some files" problem, which I think
the above suggestion might do)

I'm assuming, of course, that webservers can cope with symlinks to CGI
scripts in their default cgi-bin directory...

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''
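
The symlink scheme proposed in the message above, sketched as shell functions a package postinst could call on a fresh install, plus an audit of what the web cgi-bin directory currently exposes. This is an added example, not code from the thread or from any Debian package; the config file, its `AUTOLINK=yes` key and the function names are assumptions.

```sh
#!/bin/sh
# Added illustration: the config file, the AUTOLINK key and all function
# names below are hypothetical, not an existing Debian interface.

# cgi_autolink_enabled CONF: succeed only if CONF has the exact line AUTOLINK=yes.
# A missing or unreadable config counts as "no", so nothing is exposed by default.
cgi_autolink_enabled() {
    [ -r "$1" ] && grep -qx 'AUTOLINK=yes' "$1"
}

# cgi_expose CONF SYSDIR WEBDIR NAME
# Link WEBDIR/NAME to SYSDIR/NAME if the admin's config allows it.
# Prints one of: linked, skipped, kept, missing, rejected.
cgi_expose() {
    conf=$1 sysdir=$2 webdir=$3 name=$4
    case $name in
        */*|.*|'') echo "rejected"; return 1 ;;   # plain file names only
    esac
    [ -f "$sysdir/$name" ] || { echo "missing"; return 1; }
    if ! cgi_autolink_enabled "$conf"; then echo "skipped"; return 0; fi
    # Never overwrite what the admin put there (a local script or their own link).
    if [ -e "$webdir/$name" ] || [ -L "$webdir/$name" ]; then echo "kept"; return 0; fi
    ln -s "$sysdir/$name" "$webdir/$name" && echo "linked"
}

# cgi_audit SYSDIR WEBDIR: print one "<kind> <name>" line per entry in WEBDIR,
# where kind is local (regular file), packaged (link into SYSDIR),
# dangling (broken link) or foreign (link pointing anywhere else).
cgi_audit() {
    sysdir=$1 webdir=$2
    for entry in "$webdir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ ! -L "$entry" ]; then echo "local $name"
        elif [ ! -e "$entry" ]; then echo "dangling $name"
        else
            case $(readlink "$entry") in
                */..|*/../*) echo "foreign $name" ;;   # could climb out of SYSDIR
                "$sysdir"/*) echo "packaged $name" ;;
                *) echo "foreign $name" ;;
            esac
        fi
    done
}
```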
