Ron,
Sorry, I'm not quite sure how to interpret this. Do you mean
that you think that a set of CGI scripts are OK but you don't
want to hand people a web server they can shoot themselves
with, that you don't want the CGI scripts in the tree,
that you don't want the CGI scripts to have read access to
the tree (this last interpretation would make things pretty
difficult), or something else I'm not thinking of?
BTW, I just spent some time tinkering with thttpd, and I think
that it probably would be a better choice, in that it supports
more security configurability than boa.
I also tested running a web server bound only to localhost;
this worked as I expected; you could browse to it's pages from
the local machine by referencing http://localhost:8083/ but browsers
outside of the machine could not see anything on that port; even
browsers on the same machine couldn't access the pages if you
use the hostname bound to the ethernet interface. Thus,
one would have to have already gained access to the machine to
access whatever pages the server can shovel out.
I'm unaware of any way to get classic CGI-style scripting to
work with just a standalone browser accessing the local filesystem --
as far as I know there has to be a web server process handling
the scripting, and this has to be done over a TCP port. Does
anyone know of another way to do this?
--Bob
On Fri, Jul 06, 2001 at 08:09:28AM -0600, Ronald G Minnich wrote:
> I think I like the web config. I think I don't like making it an integral
> part of the tree right now. Requiring people to set up a potential
> security hole on their system just to do config ... I worry about that.
>
> ron
