Chris Travers wrote, On 12/13/2006 10:51 PM:
> I favor the idea of a post-install configure script.  Obviously we
> don't want it in the web directory :-)
>   

Now you mention it: Couldn't/shouldn't all CGI entry points be moved to 
a cgi-bin folder and Apache be configured to execute CGI in that folder 
only? I consider it very unsafe to put scripts not intended to be CGI 
scripts (or even worse: writable folders) in CGI-enabled folders. As it 
is now, Apache access control has to do a dirty and 
too-risky-to-be-trusted job! It is not obvious to me that no dangerous 
scripts can be executed through CGI.

IMHO ;-)

/Mads

PS: I have been playing around with something like the following. 
Instead of taking a "give access and make exceptions" approach I try to 
give exactly the needed access. But it gets quite complicated, and it 
becomes obvious that reorganizing the directory structure would be 
simpler (and thus less error-prone).

# Mapping from url to file system
Alias /ledger-smb/css xxx/css
Alias /ledger-smb/templates xxx/templates
Alias /ledger-smb/doc/LedgerSMB-manual.pdf xxx/doc/LedgerSMB-manual.pdf
Alias /ledger-smb/locale xxx/locale
Alias /ledger-smb xxx/

# Access to htdocs/CGI dir
<Directory xxx>
  AddHandler cgi-script .pl
  Options ExecCGI
  Order Allow,Deny
  Deny from All
  <FilesMatch "^$|\.(png|ico|pl|html)$">
    Order Deny,Allow
    Allow from All
  </FilesMatch>
</Directory>

# No automatic access to sub dirs of htdocs/CGI
<Directory xxx/*>
  <Files "*">
    Order Allow,Deny
    Deny from All
  </Files>
</Directory>

# Access to splash
<Directory xxx/doc/locale>
  <Files "*">
    Order Deny,Allow
    Allow from All
  </Files>
</Directory>

# Access to manual
<Directory xxx/doc>
  <Files "*">
    Order Deny,Allow
    Allow from All
  </Files>
</Directory>

# Access to (customized) css
<Directory xxx/css>
  <Files "*">
    Order Deny,Allow
    Allow from All
  </Files>
</Directory>

# Access to (customized) templates
<Directory xxx/templates>
  <Files "*">
    Order Deny,Allow
    Allow from All
  </Files>
</Directory>
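
The reorganized layout proposed in the message, sketched as an added example (not part of the original message and not LedgerSMB's shipped configuration). It assumes a hypothetical tree with xxx/cgi-bin holding only the CGI entry points and xxx/htdocs holding only static files, and keeps the Apache 2.2 access syntax used above.

```apache
# Hypothetical layout (assumption, not the project's own):
#   xxx/cgi-bin   CGI entry points only, not writable by the web server user
#   xxx/htdocs    static files only (css, images, manual, html)
#   everything else under xxx (modules, config, writable dirs) has no URL

# Default for the whole install root: not served, not executed
<Directory xxx>
  Options None
  AllowOverride None
  Order Allow,Deny
  Deny from All
</Directory>

# The only URL prefix that runs code. ScriptAlias both maps the URL and
# marks every file in the target as CGI, so no AddHandler or ExecCGI is
# needed anywhere else. It must come before the broader Alias below,
# because mod_alias uses the first matching entry.
ScriptAlias /ledger-smb/cgi-bin/ xxx/cgi-bin/
<Directory xxx/cgi-bin>
  Options None
  AllowOverride None
  Order Deny,Allow
  Allow from All
</Directory>

# Static content: served as plain files, never handed to mod_cgi
Alias /ledger-smb/ xxx/htdocs/
<Directory xxx/htdocs>
  Options None
  AllowOverride None
  # Drop any server-wide extension handler so a stray script is not executed
  RemoveHandler .pl .cgi
  Order Deny,Allow
  Allow from All
</Directory>
```

With this split there is one allow rule per directory and no FilesMatch exceptions: a file is executable only if it sits in xxx/cgi-bin, and a directory the application writes to is never reachable by URL.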


_______________________________________________
Ledger-smb-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
