Received: (from majordom@localhost) by hyperreal.com (8.8.5/8.8.5) id CAA14126; Fri, 13 Jun 1997 02:39:20 -0700 (PDT)
Received: from samson.dc.luth.se (root@samson.dc.luth.se [130.240.112.30]) by hyperreal.com (8.8.5/8.8.5) with ESMTP id CAA13891 for ; Fri, 13 Jun 1997 02:39:08 -0700 (PDT)
Received: from zafir.dc.luth.se (root@zafir.dc.luth.se [130.240.112.42]) by samson.dc.luth.se (8.8.5/8.8.4) with ESMTP id LAA05014; Fri, 13 Jun 1997 11:39:02 +0200 (MET DST)
Received: from localhost (goggi@localhost [127.0.0.1]) by zafir.dc.luth.se (8.8.5/8.8.5) with ESMTP id LAA28794; Fri, 13 Jun 1997 11:39:01 +0200 (MET DST)
Message-Id: <199706130939.LAA28794@zafir.dc.luth.se>
To: Brian Behlendorf
cc: mirrors@apache.org, Goran.Oberg@dc.luth.se
Subject: Re: some updates [Goran Oberg ] (fwd)
In-reply-to: Your message of "Fri, 13 Jun 1997 01:59:34 PDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Date: Fri, 13 Jun 1997 11:39:01 +0200
From: Goran Oberg
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hyperreal.com id CAA13891
Sender: mirrors-owner@apache.org
Precedence: bulk

> > "We will now be running CGI scripts on mirror sites." Hmm, I don't think it's
> > that easy. Apache is a great software in many ways, one of these ways is that
> > with a little basic knowledge of the Apache system it's quite easy to maintain
> > basic security. I would expect that most, if not all, mirrored www-sites won't
> > let any executable file with cgi-suffix be executed by default. At least it
> > wouldn't here at apache.dc.luth.se.
>
> Okay, sounds like a solid vote against in-place CGI's. Several sites
> do allow CGI's, and we will thoroughly examine whatever CGI's we give
> you to run. For example, none of the CGI's being given to you
> involve parsing or interpreting user input, so the chances for a
> security hole to pop up are much smaller.

Hmm, I'm sorry, I should have been clearer on that.
What I meant was that when there are no explicit reasons for having CGI's and SSI etc., etc. allowed, I always have them turned off so I won't have to worry about any unexpected implications. If CGI-programs are an essential part of the content that is mirrored I surely won't have anything against it if there are reasonable security precautions taken.

So, my answer looking like a solid vote against CGI's was my fault.

Wkr
/G
--
Göran Öberg
Computer Support Center
Adm./CoAdm. of Luleå University, SWEDEN
{www,proxy,{www,apache}.dc,ftp}.luth.se