Re: Debian packages and Bruce Hohl Install
- Subject: Re: Debian packages and Bruce Hohl Install
- From: Mads Kiilerich <..hidden..>
- Date: Thu, 14 Dec 2006 01:20:35 +0100
Chris Travers wrote, On 12/13/2006 10:51 PM:
> I favor the idea of a post-install configure script. Obviously we
> don't want it in the web directory :-)
Now you mention it: Couldn't/shouldn't all CGI entry points be moved to
a cgi-bin folder and Apache be configured to execute cgi in that folder
only? I consider it very unsafe to put scripts not intended to be cgi
scripts (or even worse: writable folders) in cgi-enabled folders. As it
is now, Apache access control has to do a dirty and
too-risky-to-be-trusted job! It is not obvious to me that no dangerous
scripts can be executed through cgi.
IMHO ;-)
/Mads
ps: I have been playing around with something like the following.
Instead of taking a "give access and make exceptions" approach I try to
give exactly the needed access. But it gets quite complicated, and it is
obvious that reorganizing the directory structure would be simpler (and
thus less error-prone).
# Mapping from url to file system
Alias /ledger-smb/css xxx/css
Alias /ledger-smb/templates xxx/templates
Alias /ledger-smb/doc/LedgerSMB-manual.pdf xxx/doc/LedgerSMB-manual.pdf
Alias /ledger-smb/locale xxx/locale
Alias /ledger-smb xxx/

# Access to htdocs/CGI dir
<Directory xxx>
    AddHandler cgi-script .pl
    Options ExecCGI
    Order Allow,Deny
    Deny from All
    <FilesMatch "^$|\.(png|ico|pl|html)$">
        Order Deny,Allow
        Allow from All
    </FilesMatch>
</Directory>

# No automatic access to sub dirs of htdocs/CGI
<Directory xxx/*>
    <Files "*">
        Order Allow,Deny
        Deny from All
    </Files>
</Directory>

# Access to splash
<Directory xxx/doc/locale>
    <Files "*">
        Order Deny,Allow
        Allow from All
    </Files>
</Directory>

# Access to manual
<Directory xxx/doc>
    <Files "*">
        Order Deny,Allow
        Allow from All
    </Files>
</Directory>

# Access to (customized) css
<Directory xxx/css>
    <Files "*">
        Order Deny,Allow
        Allow from All
    </Files>
</Directory>

# Access to (customized) templates
<Directory xxx/templates>
    <Files "*">
        Order Deny,Allow
        Allow from All
    </Files>
</Directory>
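
Added example (not part of the message above and not LedgerSMB code): a small audit for the two risks the message names in a CGI-enabled tree, scripts that are not intended entry points and writable folders. The file names, the entry_points allowlist and the helper names are assumptions made up for illustration.

```python
import os
import stat
import tempfile

def audit_cgi_tree(root, entry_points, cgi_ext="pl"):
    """Return (unexpected_scripts, writable_dirs) for a CGI-enabled tree.

    entry_points: relative paths of the scripts meant to be requested as CGI.
    """
    unexpected, writable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Group- or world-writable directory: someone other than the owner
        # can place a new script inside the CGI-enabled tree.
        if os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable.append(rel_dir)
        for name in filenames:
            # mod_mime considers every dot-separated extension, so a name
            # like "x.pl.orig" is also mapped to the cgi-script handler.
            if cgi_ext in name.split(".")[1:]:
                rel = os.path.normpath(os.path.join(rel_dir, name))
                if rel not in entry_points:
                    unexpected.append(rel)
    return sorted(unexpected), sorted(writable)

def build_sample_tree(root):
    """Constructed sample layout (not the real application's files)."""
    for rel, mode in {"": 0o755, "lib": 0o755, "notes": 0o755, "spool": 0o777}.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    for rel in ("entry.pl", "lib/helper.pl", "notes/entry.pl.orig", "style.css"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("# constructed placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        scripts, dirs = audit_cgi_tree(tmp, entry_points={"entry.pl"})
        print("handled as CGI but not an entry point:", scripts)
        print("writable directories in the CGI tree:", dirs)
```

With all entry points in one cgi-bin folder and no handler mapping elsewhere, both lists should come back empty for everything outside that folder.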