[wplug] Debate question: cgi-bin vs. htdocs

abe rolick571 at duq.edu
Tue Jan 7 18:29:22 EST 2003


On Mon, Jan 06, 2003 at 01:07:23PM -0500, James O'Kane wrote:
> If you've ever set up apache, you've probably seen cgi-bin, which is a special 
> directory. I had been told that server side executables should go there 
> because often the site admin would want to look over the script to make 
> sure it doesn't do anything stupid like "dd if=/dev/zero of=/etc/passwd", 
> but now in the days of PHP and Mason, etc. I've seen a trend to just make 
> anything in htdocs scriptable. The line between 'safe' files and scripts 
> is now very blurred.
> Good? Bad? Comments?

as far as security concerns, apache shouldn't run as root .. and thus wouldn't have permission to execute something like 'dd' on /etc/passwd or the like.  it'll only have as many permissions as the user it runs as.  mine, for example, runs as a user 'www' which has /var/www as the home directory and /sbin/nologin (or /usr/bin/false on linux i believe) for the login shell.  finally, i run apache in a chroot jail (/var/www) so that nothing can be read, executed, or modified outside of /var/www.  

the only problem i've run into isn't much of a problem really .. but in the chroot jail, php and things of that nature can't connect to mysql, for example, through mysql's unix socket.  rather, you just connect via inet.


coldie
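
The two account checks described in the reply above (Apache's user is not root and has a non-login shell), as an added example that is not part of the original message: a POSIX shell audit run over constructed httpd.conf and passwd samples. The function names, the sample accounts and the list of accepted non-login shells are assumptions.

```sh
# Added example; every file below is constructed sample data.

# Print the account named by the last "User" directive in an httpd.conf-style file.
apache_user() {
    awk 'tolower($1) == "user" { u = $2 } END { if (u != "") print u }' "$1"
}

# audit_apache_user CONF PASSWD
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_apache_user() {
    user=$(apache_user "$1")
    if [ -z "$user" ]; then echo "no User directive in $1"; return 1; fi
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$2")
    if [ -z "$entry" ]; then echo "$user: no passwd entry"; return 1; fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    rc=0
    if [ "$uid" -eq 0 ]; then echo "$user: uid 0, scripts would run as root"; rc=1; fi
    # Assumed list of non-login shells; adjust for the local system.
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) ;;
        *) echo "$user: login shell is $shell"; rc=1 ;;
    esac
    return $rc
}

# Write the constructed sample files into directory $1.
make_samples() {
    printf 'ServerRoot "/var/www"\nUser www\nGroup www\n' > "$1/good.conf"
    printf 'User root\nGroup wheel\n' > "$1/root.conf"
    printf 'User web\n' > "$1/shell.conf"
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/ksh
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
web:*:1001:1001:Web account:/home/web:/bin/sh
EOF
}

# Run the audit over each sample config and print the findings.
demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    for c in good root shell; do
        echo "== $c.conf"
        if audit_apache_user "$dir/$c.conf" "$dir/passwd"; then echo "ok"; fi
    done
    rm -rf "$dir"
}
demo
```

On a live system, pass the real httpd.conf and /etc/passwd paths to `audit_apache_user` instead of the samples.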


