Adam Chlipala <[EMAIL PROTECTED]> writes: > For the answers to all your questions, please run: > domtool-admin describe DOMAIN > and tell me how you would like the generated Apache configuration to be > different. > > Zrajm C Akfohg wrote: >> How do I make include virtual work on a cgi? >> > > I wouldn't be surprised if we can't support this, but I'm not sure. We > have to make sure that included CGI scripts run as your user and with > your AFS tokens. If it isn't easy to make this happen, then we can't > allow what you request, for security reasons.
The Apache documentation (http://httpd.apache.org/docs/1.3/mod/mod_include.html#includevirtual) makes it appear that virtual is safe: "A URL is constructed from the attribute, and the output the server would return if the URL were accessed by the client is included in the parsed output. Thus included files can be nested." It is promoted as a safer alternative to exec and it seems that it simulates a normal Apache request as if it were coming from the client while capturing the output of the request. According to http://httpd.apache.org/docs/2.0/misc/security_tips.html: "SSI files also pose the same risks that are associated with CGI scripts in general. Using the "exec cmd" element, SSI-enabled files can execute any CGI script or program under the permissions of the user and group Apache runs as, as configured in httpd.conf." "Another solution is to disable the ability to run scripts and programs from SSI pages. To do this replace Includes with IncludesNOEXEC in the Options directive. Note that users may still use <--#include virtual="..." --> to execute CGI scripts if these scripts are in directories designated by a ScriptAlias directive." So it would appear that virtual is safe *and* that it is enabled (as it works for static files). The issue it would appear is that the cgi scripts are not +x. As I don't have read permissions on zrajm's cgi-bin I was unable to confirm this, but I would suspect that this was the issue. If this is not the case have you tried doing #include virtual="/cgi-bin/..." instead? I did try accessing http://test.zrajm.org/cgi-bin/search.cgi and x.cgi and they return *something*, but x.cgi appears to perhaps have broken output. -- clinton: last time I was a bit weak (*sniff* level four and only 18 hp) clinton: I had a -1 intelligence modifier for the first three weeks emacsen: what about your character? _______________________________________________ HCoop-Help mailing list [email protected] https://lists.hcoop.net/listinfo/hcoop-help
