On 11/07/07, Larry Knight <larryknight71@xxxxxxxxx> wrote:
> I have a CGI script that is in the CGI-Executables folder (I think this is the Mac OS X equivalent of the cgi-bin folder). It is a compiled C script.

It is the equivalent of a cgi-bin directory but it's not enabled by default. Around about line 670 in /etc/httpd/httpd.conf there is:

    ScriptAlias /cgi-bin/ "/Library/WebServer/CGI-Executables/"

    <Directory "/Library/WebServer/CGI-Executables">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

Change the Options line from None to ExecCGI to enable CGIs in that directory and restart apache.

> I want any user to be able to EXECUTE the script through a web interface. But, I want to make sure that nobody can DOWNLOAD the script to their computer (I don't want anyone else to be able to use the script on their own computer). I have set the file permissions for the script to 111. Will this do the job??

No, you can't use filesystem permissions for this, Apache needs to be able to read the script to execute it. Change the owner of the script to somebody other than the apache user and give apache r-x (5) permissions on it.

> Is there anything else I need to think about in order to protect the script?
>
> Thanks in advance.
>
> Larry

If the script contains sensitive information like database passwords, consider splitting it into multiple parts, with only a dispatcher in the cgi-bin directory that calls off to the main script outside of apache's document space. That way, in the unlikely event of a server misconfiguration leading to the script being available as text, you haven't given too much away.

--
noodl
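
The dispatcher split suggested in the reply above, sketched as an added example (not code from the thread). It is a small C program for the CGI directory that holds no secrets and only hands the request to the real program. `REAL_PROGRAM` is a hypothetical path; `WEB_TREE` is taken from the httpd.conf excerpt.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed locations: WEB_TREE is from the httpd.conf excerpt; REAL_PROGRAM is hypothetical. */
#define WEB_TREE     "/Library/WebServer"
#define REAL_PROGRAM "/usr/local/libexec/myapp/main"

/* 1 if path is dir itself or below it. dir must be absolute with no trailing slash. */
int path_is_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (strncmp(path, dir, n) != 0)
        return 0;
    return path[n] == '/' || path[n] == '\0';   /* "/Library/WebServerX" is not inside */
}

/* 1 only if target is absolute, exists, resolves (symlinks followed)
 * to a location outside web_tree, and is executable by this process. */
int safe_to_dispatch(const char *target, const char *web_tree)
{
    char resolved[PATH_MAX];
    if (target[0] != '/' || realpath(target, resolved) == NULL)
        return 0;
    if (path_is_under(resolved, web_tree))
        return 0;
    return access(resolved, X_OK) == 0;
}

static int fail(const char *why)
{
    /* Generic message only: never echo paths or errno text to the client. */
    printf("Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n%s\n", why);
    return 1;
}

int main(void)
{
    char *const args[] = { (char *)REAL_PROGRAM, NULL };
    if (!safe_to_dispatch(REAL_PROGRAM, WEB_TREE))
        return fail("service unavailable");
    execv(REAL_PROGRAM, args);            /* CGI environment variables are inherited */
    return fail("service unavailable");   /* reached only if execv failed */
}
```

If the dispatcher itself is ever served as a file, it reveals only the path of the real program, which Apache has no mapping for.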