httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] SSL Client Certificates and CGI
Date Mon, 01 Oct 2012 00:44:23 GMT
On September 30, 2012 19:45 , Tom Browder <tom.browder@gmail.com> wrote:
> Does anyone have a pointer to help on restricting a directory to
> access only with valid SSL Client Certificates and how to work CGI
> scripts to respect that restriction?
>
> I have been successful restricting direct access, but it seems that
> certain cgi programs can access the directory with impunity.

So you are allowing requests for the CGI from any web browser, without a 
client certificate, but you then want to restrict what the CGI can do 
when it is running?

A CGI won't "respect" web server configuration for what clients can 
access what content, because CGIs can't "see" web server configuration.  
The web server invokes the CGI, and the CGI can do whatever it wants to 
do from that point on.  The only restrictions on a running CGI are those 
imposed by the operating system.

There are two main solutions:

The best solution is to not have any CGIs on your system that do things 
that you don't want them to do.  Modify EACH of them, if needed, so that 
they are not ABLE to do anything you don't want them to do.  Or to put 
it another way: don't run code that you don't trust to do only what you 
want it to do.

Alternatively, use suexec or something similar to run different CGIs as 
different users.  Then use filesystem permissions to ensure that each 
CGI is only able to access things that it "should be able to" access -- 
in other words, take away read access for each restricted directory for 
each user that CGIs run as.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message