On September 30, 2012 19:45 , Tom Browder <tom.brow...@gmail.com> wrote:
Does anyone have a pointer to help on restricting a directory to
access only with valid SSL Client Certificates and how to work CGI
scripts to respect that restriction?
I have been successful restricting direct access, but it seems that
certain cgi programs can access the directory with impunity.
So you are allowing requests for the CGI from any web browser, without a
client certificate, but you then want to restrict what the CGI can do
when it is running?
A CGI won't "respect" web server configuration for what clients can
access what content, because CGIs can't "see" web server configuration.
The web server invokes the CGI, and the CGI can do whatever it wants to
do from that point on. The only restrictions on a running CGI are those
imposed by the operating system.
There are two main solutions:
The best solution is to not have any CGIs on your system that do things
that you don't want them to do. Modify EACH of them, if needed, so that
they are not ABLE to do anything you don't want them to do. Or to put
it another way: don't run code that you don't trust to do only what you
want it to do.
Alternatively, use suexec or something similar to run different CGIs as
different users. Then use filesystem permissions to ensure that each
CGI is only able to access things that it "should be able to" access --
in other words, take away read access for each restricted directory for
each user that CGIs run as.
--
Mark Montague
m...@catseye.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org