On 5/6/04 1:29 PM, jbv wrote:
Hi folks,
You probably remember my posts from last week about the problems I was facing while trying to install Rev cgi on a Linux server.
I'm happy to say that these problems have been solved, and I thought some of you could be interested in knowing what was wrong.
I'm glad you got it figured out, and thanks for posting.
Actually the main reason why Rev cgi wasn't running properly (not running at all in fact) was because the server configuration had been carefully set to prevent any executable from launching from the cgi-bin folder.
I see. I haven't run into that in any of the ISPs I've used, but it is good to note. I'll update the tutorial to mention this.
The local Linux expert who helped me on this issue told me that a few rules should be followed, for instance:
- it looks like a BAD IDEA to install the cgi engine and the scripts in the same folder (it might open a serious SECURITY HOLE in Apache), and any well-configured server doesn't allow that;
This usually comes from admins who don't understand the Rev engine. Did he mention what security holes might occur? I have been told that the Rev engine is fairly unique in that there isn't any way to hack into it, so there aren't any security holes regardless of what folder it is installed into. I understand that this is "famous last words," but I have been unable, for example, to run a script from a local source that accesses the engine on my server. I won't say there is no way to abuse it, but Scott Raney (the author of the engine) didn't think there was.
That being said, you can of course write a script that is insecure itself. There is a risk if your scripts indiscriminately execute any parameters that are sent (which the tutorial mentions.) Avoid using "do" to execute parameters without testing them first to make sure they are valid and/or safe. If a script is executing any params it receives without checking them first, then it doesn't really matter where the engine is installed, since the problem is with the script itself.
- it is a good idea to set privileges of the scripts files (and of the directories in which they are installed) so that only the cgi engine (that is supposed to run them) can run them;
If the scripts are in the cgi folder, then permissions should already be correct. However, I'd still like to update the tutorial to cover this -- what permissions did you set on the scripts, and where were they installed?
- if your cgi scripts are supposed to create / delete folders & files, it is a good idea to allow these operations in a special directory, and to set privileges so that only your engine and your scripts could do it.
This is covered in the tutorial, though maybe not as clearly as it should be. The tutorial mentions that typically you can't create files within the cgi folder, and that another folder should be used for that purpose. It suggests a sub-directory with different permissions, or a folder outside the cgi folder somewhere.
We actually spent a couple of hours setting and testing everything, and now everything runs fine.
I don't think I'm overreacting on this topic (although I don't want to scare anyone) but I have the strong feeling that if you want to use Rev cgi for some serious / professional project (and not only some home experiments), you would be wise to take all these security issues into consideration, and ask for advice from a Linux specialist.
I understand your concerns, and they are entirely valid. The difference is that the Rev engine is internally secure and won't allow much abuse. I am having trouble thinking of a way that anyone could remotely hack into it (though I'd very much like to know if anyone does find one.) So while your Linux advisor was right to be concerned, much of what he told you doesn't apply to Revolution cgis. However, the point that your cgi folder did not allow executables to be installed inside should be addressed by the tutorial (I never thought of that, since the three ISPs I've used all allowed it.) The simple solution is to just install the engine wherever the ISP requires, make sure the paths to the engine are correct in the scripts, and leave the scripts in the cgi folder.
The problem with this, though, is that so many ISPs have never heard of Rev that many of them are unwilling to install it. So if your ISP does allow executables in the cgi folder, it is much simpler to just put it there yourself. The alternative often involves a very long explanation to the ISP about what Rev is, why it is safe, how it can't be abused, etc.
For that reason, I think that the installation part of the cgi tutorial should be re-written, and should include more detailed advice about the installation procedure.
Agreed, I'll make some changes over the weekend.
--
Jacqueline Landman Gay | [EMAIL PROTECTED]
HyperActive Software | http://www.hyperactivesw.com
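The permission rules discussed in this thread (nothing loosely writable in the cgi folder, and a separate, restricted folder for files the scripts create or delete) can be checked with a short audit. This is an added example, not part of the original message or the Rev tutorial; the finding labels and the "no access for other accounts" policy on the data folder are assumptions, and both paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): audit a CGI folder layout.
# Finding labels and the "nothing for other" data-folder policy are assumptions.

# Print one finding per line for CGI_DIR and the separate writable DATA_DIR.
cgi_findings() {
    cgi_dir=$1
    data_dir=$2

    # Resolve symlinks so the containment check compares real locations.
    cgi_real=$(cd "$cgi_dir" && pwd -P) || { echo "MISSING: $cgi_dir"; return; }
    data_real=$(cd "$data_dir" && pwd -P) || { echo "MISSING: $data_dir"; return; }

    # 1. Nothing under the CGI folder should be writable by every account:
    #    whoever can write there can alter something the web server runs.
    find "$cgi_real" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE: /'

    # 2. The folder where scripts create/delete files must be outside cgi-bin.
    case "$data_real/" in
        "$cgi_real"/*) echo "DATA-INSIDE-CGI: $data_real" ;;
    esac

    # 3. The data folder should grant no read, write or search permission
    #    to "other" (only the account the scripts run as should use it).
    find "$data_real" -prune \( -perm -0001 -o -perm -0002 -o -perm -0004 \) |
        sed 's/^/DATA-OPEN-TO-OTHERS: /'
}

# Return 0 when the layout is clean, 1 when there is at least one finding.
audit_cgi_layout() {
    out=$(cgi_findings "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/cgi-bin /path/to/data
if [ "$#" -eq 2 ]; then
    audit_cgi_layout "$1" "$2"
fi
```

Whether group access is acceptable depends on which account the web server runs the scripts as, so the audit only reports permissions granted to every account on the machine.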
