On September 30, 2012 19:45 , Tom Browder <tom.browder@xxxxxxxxx> wrote:
Does anyone have a pointer to help on restricting a directory to access only with valid SSL Client Certificates and how to work CGI scripts to respect that restriction? I have been successful restricting direct access, but it seems that certain cgi programs can access the directory with impunity.
So you are allowing requests for the CGI from any web browser, without a client certificate, but you then want to restrict what the CGI can do when it is running?
A CGI won't "respect" web server configuration for what clients can access what content, because CGIs can't "see" web server configuration. The web server invokes the CGI, and the CGI can do whatever it wants to do from that point on. The only restrictions on a running CGI are those imposed by the operating system.
There are two main solutions:The best solution is to not have any CGIs on your system that do things that you don't want them to do. Modify EACH of them, if needed, so that they are not ABLE to do anything you don't want them to do. Or to put it another way: don't run code that you don't trust to do only what you want it to do.
Alternatively, use suexec or something similar to run different CGIs as different users. Then use filesystem permissions to ensure that each CGI is only able to access things that it "should be able to" access -- in other words, take away read access for each restricted directory for each user that CGIs run as.
-- Mark Montague mark@xxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx