[wplug] Debate question: cgi-bin vs. htdocs

Dave Neuer mr_fred_smoothie at yahoo.com
Mon Jan 6 13:17:59 EST 2003


My personal take on this is that it's a very complex
question, and the answer totally depends on the size
and nature of the site.

For a small enough site, "anything goes" is probably
fine (where the precise definition of "anything goes"
is of course up to the admin).

For a larger site, with a lot of separation of duties
between the "content people" and "tech people" (or a
real big site w/ "content people", "creative/graphics
people" and "tech people"), a whole host of other
issues come into play, like:

a) which structure makes concurrent development,
testing and deployment easiest?
b) what's the actual physical architecture of the
site, i.e. is static content even on the same physical
machine as the dynamic content?

I'd say the larger the site and the more people
working on maintaining it, the argument for the
separation gets much stronger.

From a safety standpoint, neither htdocs nor cgi-bin
should be writable by the user that the server runs
as, so to my mind, that's less of an issue. If an
admin is really safety conscious, they need to have a
policy of reviewing all executable content regardless
of where it resides.

2 cents from an unemployed techie w/ lots of free time

Dave

--- James O'Kane <jo2y at midnightlinux.com> wrote:
> If you've ever set up Apache, you've probably seen
> cgi-bin, that special
> directory. I had been told that server side
> executables should go there
> because often the site admin would want to look over
> the script to make 
> sure it doesn't do anything stupid like "dd
> if=/dev/zero of=/etc/passwd", 
> but now in the days of PHP and Mason, etc. I've seen
> a trend to just make 
> anything in htdocs scriptable. The line between
> 'safe' files and scripts 
> is now very blurred.
> Good? Bad? Comments?
> 
> I'm not really looking for a true answer, I'm just
> curious what people 
> think.
> 
> -james


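The two checks raised in the message above (neither htdocs nor cgi-bin writable by the user the server runs as, and every executable file listed for review wherever it resides) can be run as one audit. This is an added example, not part of the original thread; the names `audit_tree` and `demo`, the sample tree and the server uid are assumptions, and only POSIX owner/group/mode bits are considered (no ACLs).

```python
import os
import stat
import tempfile

def audit_tree(root, server_uid, server_gids):
    """Return (writable, executable) lists of paths relative to root.

    writable:   entries the server account could modify. Ownership counts,
                because an owner can chmod a read-only file back to writable.
    executable: regular files with any execute bit set (the review queue).
    """
    writable, executable = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning; not followed
            if st.st_uid == server_uid:
                can_write = True
            elif st.st_gid in server_gids:
                can_write = bool(st.st_mode & stat.S_IWGRP)
            else:
                can_write = bool(st.st_mode & stat.S_IWOTH)
            rel = os.path.relpath(path, root)
            if can_write:
                writable.append(rel)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                executable.append(rel)
    return sorted(writable), sorted(executable)

def demo():
    """Build a constructed sample tree and audit it as a hypothetical server uid."""
    root = tempfile.mkdtemp()
    files = {"htdocs/index.html": 0o644, "htdocs/status.php": 0o755,
             "htdocs/uploads/note.txt": 0o666, "cgi-bin/form.cgi": 0o755}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    dirs = {"htdocs": 0o755, "cgi-bin": 0o755, "htdocs/uploads": 0o777}
    for rel, mode in dirs.items():
        os.chmod(os.path.join(root, rel), mode)
    # The files belong to the current user, so audit as a different uid
    # with no group memberships (assumed values for the demonstration).
    return audit_tree(root, os.getuid() + 1, set())

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the uid and group ids of the account the web server runs as, and the directory that contains both htdocs and cgi-bin.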