
Re: enabling suexec with debian apache [solved]



Robert Varga wrote:
> 
> > > One important point about cgiwrap - the current debian package puts the
> > > user cgis in ~user/public_html/cgi-bin instead of ~user/cgi-bin. I've
> > > filed a bug about it.  It's bad security for cgis and their associated
> > > datafiles to be web-readable.  Yes, I know security through obscurity
> > > isn't really security, but we should at least make the black hats work a
> > > little to get at the cgi source.
> >
> 
> And how can you set up /home/<user>/cgi-bin to be web-executable if you
> cannot describe it with a web url?

With cgiwrap, you don't directly specify the cgi; you pass it as a
parameter to the cgiwrap cgi.

ex:
if you want to run ~user1/cgi-bin/a, the correct url is
http://server.domain/cgi-bin/cgiwrap/user1/a.cgi

cgiwrap will take care of making sure a.cgi belongs to the user, isn't
setuid, etc., etc., and then runs a.cgi as user1.

> And another thing I have been running circles around is:
> 
> -  how can I protect data files from being read from the filesystem,
> which should be readable from the web, but only after authentication?
> Since they should be http-served, they should be world-readable... Then
> how can I prevent anyone from reading them on the webserver system itself?

chgrp the files to www-data and set their permissions to 640.

-- 
Joe Block <jpb@creol.ucf.edu>
CREOL System Administrator

Social graces are the packet headers of everyday life.
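The two points in Joe's reply (the ownership/setuid checks cgiwrap makes on ~user/cgi-bin/<script> before running it as that user, and "chgrp www-data; chmod 640" for data files the web server may read but other local accounts may not) as a small POSIX shell script. This is an added example, not code from the thread or from the cgiwrap project; the /home/<user> layout, the group name www-data, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: mirrors the checks cgiwrap is described as making, and the
# 640/www-data scheme for data files.  Not cgiwrap's own code.
# Assumptions: home directories live under /home and the web server runs
# with group www-data.

# Map the cgiwrap URL form .../cgi-bin/cgiwrap/USER/SCRIPT to the script path
# cgiwrap would execute.
cgiwrap_target() {
    printf '/home/%s/cgi-bin/%s\n' "$1" "$2"
}

# check_cgi FILE USER: succeed only if FILE is a regular file owned by USER,
# executable by its owner, and carries neither the setuid nor the setgid bit.
# Anything else is refused, which is the behaviour the thread attributes to
# cgiwrap before it switches to USER and runs the script.
check_cgi() {
    file=$1; user=$2
    [ -f "$file" ] || return 1
    # find(1) with -prune evaluates the tests against FILE itself and prints
    # the path only when every test holds.
    [ -n "$(find "$file" -prune -type f -user "$user" -perm -0100 \
              ! -perm -4000 ! -perm -2000 -print 2>/dev/null)" ]
}

# protect_datafile FILE GROUP: make FILE readable by its owner and by GROUP
# (the web server's group) only.  The world-readable bit is cleared, so other
# local accounts cannot read the file straight off the filesystem while the
# web server (a member of GROUP) still can.
protect_datafile() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# check_datafile FILE GROUP: succeed only if FILE is a regular file with
# group GROUP and mode exactly 640.
check_datafile() {
    [ -n "$(find "$1" -prune -type f -group "$2" -perm 640 -print 2>/dev/null)" ]
}

# Run "sh cgi-perms.sh demo" to exercise the functions on a throwaway
# directory owned by the current user (no root needed).
if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin"
    printf '#!/bin/sh\necho ok\n' > "$d/cgi-bin/a.cgi"
    chmod 755 "$d/cgi-bin/a.cgi"
    check_cgi "$d/cgi-bin/a.cgi" "$(id -un)" && echo "a.cgi: ok to run"
    chmod u+s "$d/cgi-bin/a.cgi"
    check_cgi "$d/cgi-bin/a.cgi" "$(id -un)" || echo "a.cgi: refused (setuid)"
    printf 'secret\n' > "$d/data.txt"
    # Using the caller's own primary group here stands in for www-data.
    protect_datafile "$d/data.txt" "$(id -gn)" && ls -l "$d/data.txt"
    rm -rf "$d"
fi
```

The data-file scheme only helps if the script that serves the file runs as a member of www-data and the file's directory is not itself world-listable; check_datafile is the test a sysadmin can run over a user's directory to catch files that drifted back to 644.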
