Re: Apache + CGI
On Wed, 23 Jul 1997, Jakob Borg wrote:
> Hi.
>
> I want to enable the users of my webserver to use certain CGI-scripts
> (provided by me) by using mod_include.
> To do that, one would use the tag <!--#exec cgi="/cgi-bin/script" -->,
> but one could also use the <!--#exec cmd="dangerous.command" -->.
> That last possibility is what I want to eliminate. One way would be to
> remove /bin/sh, which is out of the question. Any other suggestions?
I had this exact same question about Stronghold (basically Apache + SSL), and
was told (and discovered) that you accomplish this by setting
IncludesNOEXEC for the users and having them use #include virtual instead. This
will cause any scripts that are called from a ScriptAlias directory to be run
as CGI, and anything else included from a regular user directory to be included
as text in the usual manner. Check out the docs for Apache for mod_include
for more info on this. Works great for us using Stronghold 1.3; your mileage
may vary with Apache though.
-Leigh
-----------------------------------------------------------------------------
Leigh Koven compulov@cybercomm.net
CyberComm Online Services http://www.cybercomm.net
(732) 818-3333 telnet://cybercomm.net
Tech Support/Inquiries should be sent to: systems@cybercomm.net
-----------------------------------------------------------------------------
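
The setup described in the reply above, written out as an Apache configuration sketch with the weak setting beside the corrected one. This is an added example, not part of the original messages; the directory paths are assumptions, and it presumes server-side include parsing is already enabled for the users' pages.

```apache
# Added example; /usr/lib/cgi-bin and /home/*/public_html are assumed paths.

# Admin-provided scripts live only here. Users must not have write access
# to this directory, since anything in it is executed as CGI.
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

# Weak: full SSI in user directories. Both <!--#exec cgi="..." --> and
# <!--#exec cmd="..." --> are honoured, so any page author can run
# shell commands as the web server user.
#<Directory /home/*/public_html>
#    Options Includes
#</Directory>

# Corrected: SSI stays on, but #exec cmd and #exec cgi are both refused.
<Directory /home/*/public_html>
    Options IncludesNOEXEC
    # Keep Options out of .htaccess, otherwise a user can switch plain
    # Includes back on from inside their own directory.
    AllowOverride None
</Directory>

# In a user's page the admin script is then called with
#   <!--#include virtual="/cgi-bin/script" -->
# which runs it as CGI because the URL maps into the ScriptAlias directory.
# An #include virtual of a file in the user's own directory is inserted
# as text, and <!--#exec cmd="dangerous.command" --> renders the SSI
# error message instead of running anything.
```

Refused #exec directives are also written to the server's error log, which makes it possible to spot pages that still try to use them.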