
Re: enabling suexec with debian apache [solved]



On Sat, Feb 26, 2000 at 05:22:52PM +0100, Robert Varga wrote
> 
> 
> > > One important point about cgiwrap - the current debian package puts the
> > > user cgis in ~user/public_html/cgi-bin instead of ~user/cgi-bin. I've
> > > filed a bug about it.  It's bad security for cgis and their associated
> > > datafiles to be web-readable.  Yes, I know security through obscurity
> > > isn't really security, but we should at least make the black hats work a
> > > little to get at the cgi source.
> > 
>  
> And how can you set up /home/<user>/cgi-bin to be web-executable if you
> cannot describe it with a web url?

You should be able to run the scripts, but not download the
source.  Use (e.g., untested) the ScriptAliasMatch directive
in (e.g.) /etc/apache/srm.conf:

ScriptAliasMatch ^/([^\.\/]+)/cgi-bin/([^\.]+) /home/$1/cgi-bin/$2

maps (e.g.) the URL path /john/cgi-bin/my-script to 
/home/john/cgi-bin/my-script; the RE above prohibits
script or usernames containing a "." to prevent
people including "..", but I don't know if that's
really necessary.

> 
> And another thing I have been running circles around is:
> 
> -  how can I protect data files from being read from the filesystem,
> which should be readable from the web, but only after authentication?
> Since they should be http-served, they should be world-readable... Then
> how can I prevent anyone from reading them on the webserver system itself?
> 

They need only be readable by the user or group that the
webserver is running as (e.g., www-data).


John P.
-- 
huiac@camtech.net.au
john@huiac.apana.org.au
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark
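The ScriptAliasMatch line in John's reply does its access control entirely through the regular expression: the first group refuses any user name containing "." or "/", the second refuses any script name containing ".", so ".." can never appear in the resulting filesystem path. The following is an added example, not code from the original message, that applies that same RE to a handful of constructed URL paths so you can see what it accepts and what it rejects. It models only the regex part of the directive (an assumption: Apache's own URL decoding and its handling of trailing text the RE does not consume are not reproduced here). It also shows one caveat worth knowing: the pattern has no trailing anchor, so a name such as script.cgi matches on the prefix "script" unless you add a "$".

```python
import re

# The pattern and target from the message above (Apache ScriptAliasMatch).
PATTERN = r"^/([^\.\/]+)/cgi-bin/([^\.]+)"
TARGET = "/home/{user}/cgi-bin/{script}"


def map_cgi_url(url_path, anchor_end=False):
    """Return the filesystem path the RE maps url_path to, or None if rejected.

    anchor_end=False reproduces the pattern exactly as posted (re.match, so
    trailing text after the last dot-free run is simply not consumed).
    anchor_end=True is the hardened variant with a trailing "$", which
    rejects any request whose whole path does not fit the pattern.
    """
    pat = PATTERN + ("$" if anchor_end else "")
    m = re.match(pat, url_path)
    if not m:
        return None
    user, script = m.group(1), m.group(2)
    return TARGET.format(user=user, script=script)


def unconsumed_suffix(url_path):
    """Text left over after the unanchored RE stops matching ('' if none)."""
    m = re.match(PATTERN, url_path)
    return url_path[m.end():] if m else ""


# Constructed sample requests, not captured traffic.
SAMPLES = [
    "/john/cgi-bin/my-script",            # the example from the message
    "/john/cgi-bin/sub/tool",             # '/' is allowed in the script part
    "/../cgi-bin/x",                      # user part refuses '.' and '/'
    "/j.doe/cgi-bin/x",                   # dotted user name refused
    "/john/cgi-bin/../../etc/passwd",     # traversal refused (contains '.')
    "/john/cgi-bin/",                     # empty script name refused
    "/john/cgi-bin/script.cgi",           # prefix match only; see anchor_end
]


def run_samples():
    """Map every sample both ways; returns a list of (url, loose, strict)."""
    return [(u, map_cgi_url(u), map_cgi_url(u, anchor_end=True)) for u in SAMPLES]


if __name__ == "__main__":
    for url, loose, strict in run_samples():
        print(f"{url:32} unanchored={loose!s:28} anchored={strict}")
```

Running it shows the two traversal attempts and the dotted user name mapping to nothing, while "/john/cgi-bin/script.cgi" maps to /home/john/cgi-bin/script under the posted pattern and to nothing once the "$" is added; whether you want the anchor depends on whether your scripts carry extensions.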

