httpd-users mailing list archives

From "Vincent Bray" <nood...@gmail.com>
Subject Re: [users@httpd] Protecting CGI script from download?
Date Wed, 11 Jul 2007 04:48:02 GMT
On 11/07/07, Larry Knight <larryknight71@yahoo.com> wrote:
> I have a CGI script that is in the CGI-Executables folder (I think this the
> Mac OS X equivalent of the cgi-bin folder).  It is a compiled C script.

It is the equivalent of a cgi-bin directory but it's not enabled by
default. Around about line 670 in /etc/httpd/httpd.conf there is:

ScriptAlias /cgi-bin/ "/Library/WebServer/CGI-Executables/"

<Directory "/Library/WebServer/CGI-Executables">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

Change the Options line from None to ExecCGI to enable CGIs in that
directory and restart apache.

> I want any user to be able to EXECUTE the script through a web interface.
>
> But, I want to make sure that nobody can DOWNLOAD the script to their
> computer ( I don't want anyone else to be able to use the script on their
> own computer).
>
> I have set the file permissions for the script to 111.  Will this do the
> job??

No, you can't use filesystem permissions for this, Apache needs to be
able to read the script to execute it. Change the owner of the script
to somebody other than the apache user and give apache r-x (5)
permissions on it.

>
> Is there anything else I need to think about in order to protect the script?
> Thanks in advance.
> Larry

If the script contains sensitive information like database passwords,
consider splitting it into multiple parts, with only a dispatcher in
the cgi-bin directory that calls off to the main script outside of
apache's document space. That way, in the unlikely event of a server
misconfiguration leading to the script being available as text, you
haven't given too much away.

-- 
noodl
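
An added check script, not from this thread, that tests the two points made in the reply above: the CGI binary should be owned by an account other than the httpd user, with read and execute but no write for the server (the `r-x`, or 5, on the "other" bits), and any backend that holds secrets should live outside the DocumentRoot. The httpd user name (`_www`) and the DocumentRoot path are assumptions; the paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the list post. Verifies a CGI binary follows the
# layout the reply recommends. The httpd account name and the paths passed to
# these functions are assumptions/placeholders.

# Portable owner and octal-mode lookup: GNU stat first, then BSD/macOS stat.
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# cgi_perms_ok FILE HTTPD_USER -> returns 0 if FILE follows the recommended layout.
cgi_perms_ok() {
  f=$1; httpd_user=$2
  owner=$(file_owner "$f") || return 1
  mode=$(file_mode "$f")   || return 1
  # Owner must not be the httpd account: the server can then read and run the
  # script but cannot chmod or replace it if a CGI process is compromised.
  if [ "$owner" = "$httpd_user" ]; then
    echo "$f: owned by the httpd user ($owner)"; return 1
  fi
  # "other" bits must be exactly r-x (5): Apache needs read access to execute a
  # CGI (so mode 111 does not work), and write would let any local user swap it.
  other=$(( 0$mode & 07 ))
  if [ "$other" -ne 5 ]; then
    echo "$f: other bits are $other, want 5 (r-x)"; return 1
  fi
  # No group write either, for the same reason.
  if [ $(( 0$mode & 020 )) -ne 0 ]; then
    echo "$f: group-writable"; return 1
  fi
  return 0
}

# outside_docroot PATH DOCROOT -> returns 0 if PATH is not under DOCROOT, so a
# misconfiguration that serves DOCROOT as plain files cannot expose it as text.
outside_docroot() {
  case "${1%/}/" in "${2%/}/"*) return 1 ;; esac
  return 0
}

# Usage, with placeholder paths (assumed macOS layout, not from the post):
#   cgi_perms_ok /Library/WebServer/CGI-Executables/dispatcher.cgi _www
#   outside_docroot /usr/local/libexec/backend /Library/WebServer/Documents
```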

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org