by darrel » Tue, 28 Oct 1997 04:00:00
How in Apache do I restrict access to cgi scripts?
I had assumed the system was the same as for HTML...ie use Limit and deny
access for everyone to that directory, then enable access for the domains
who should be able to get in...
However, it seems that cgi in those directories can still be
executed...can anyone help?
I'm sure the answer is simple, but i've looked in the horse book and thats
made things no clearer...
thanks
pls email replies
by Thad Humphri » Tue, 28 Oct 1997 04:00:00
<Directory /usr/local/etc/httpd/cgi-bin>
Options FollowSymLinks
AuthName Optix
AuthType Basic
AuthUserFile /usr/local/etc/optix/conf/passwd
AuthGroupFile /usr/local/etc/optix/conf/groups
require valid-user
</Directory>
Now a user will have to have a valid username and password in
/usr/local/etc/optix/conf/passwd to run a CGI in
/usr/local/etc/httpd/cgi-bin
See the man pages for this directive as well as the Auth stuff and the
require directive. It's really very easy and can be used with HTML, too.
---------------------------------------------------------------------
Thad Humphries "Who is this that darkens my counsel
Software Engineer (aka, Nerd) With words without knowledge?"
Phone: 540/675-3015, ext. 225 - Job 38:1, NIV
by Kevin P. Ne » Tue, 28 Oct 1997 04:00:00
If you put your access control directives inside of a, for example,
Limit GET, then you would still be allowing POST requests to go
through. This may cause what you are seeing.
Yes, there are specific instances where Limit is needed. In the
general case it is not what you want.
--
XCOMM Kevin P. Neal, Junior, Comp. Sci. - House of Retrocomputing
XCOMM "Good grief, I've just noticed I've typed in a rant. Sorry chaps!"
1. Apache/Linux CGI: 'Forbidden' execution after restricting Linux access
My Apache httpd server runs as 'nobody' under Linux. I've got a perl
script that worked as expected.
However, to increase security a bit, I set up a 'cgi-bin' group under
Linux and made user 'nobody' a member.
Then I disallowed execution by anybody not a member, and also denied
access to the directory.
Next thing I see is a 'Forbidden' message saying I don't have permission
to access the script.
After I execute a chmod o+x on the script (leaving the directory only
group-rwx'able), everything runs fine again!
I've had the script made a call to whoami at runtime and it's in fact
running as 'nobody'!
Any ideas???
2. make
3. Restricting specific cgi accesses with apache?
4. /etc/mtab~
5. Restricting CGI access in access.conf
7. How to Restrict CGI access on Freebsd?
8. masquerading/forwarding - routing problem?
9. Restricted access to cgi-directory
10. Restricting access using group id/cgi/perl
11. selectively restricting cgi access
12. Apache Problem: Restrict execution in cgi-bin
13. restricted shell or restricted access