On Thu, 15 Mar 2007, Richard Bos <[EMAIL PROTECTED]> wrote:- >Op donderdag 15 maart 2007 21:30, schreef David Bolt: >> >Now why oh why did they ship the mod_perl.conf file that way when they >> >had created the directory /srv/www/perl-lib to put perl scripts in? >> >> No idea. I always install any scripts into /cgi-bin/. It makes things >> much easier as it "just works". >> >> >The next question is - how do you fix the file to get it to work? >> >> If you really want to use it, it just needs a few of changes. > >Do perl scripts work from userdir ($HOME/public_html or >$HOME/public_html/cgi-bin) as well.
Not here they don't[0], which is a Good Thing(tm). >Or does that need changes to the config >file as well? To open up that sort of security hole would require changes to the config file(s), changes I personally would not make. As to the security hole. Adding a binary or script to /srv/www/cgi-bin, /srv/www/cgi-perl or /srv/www/perl-lib requires the root password. Adding a random binary or script to ~/public_html/cgi-bin/ only requires user-level access. It's possible, although unlikely, that this could be a vector for installing a root-kit. [0] Tested because, even though I thought it wouldn't work, I just wanted to make sure I didn't have a hole to close: [EMAIL PROTECTED]:~> mkdir public_html/cgi-bin [EMAIL PROTECTED]:~> sed -e 's#2.0 rocks#2.0 breaks rocks#g' </srv/www/cgi-bin/test.pl >~/public_html/cgi-bin/test.pl [EMAIL PROTECTED]:~> telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. GET /~davjam/cgi-bin/test.pl HTTP/1.0 HTTP/1.1 200 OK Date: Thu, 15 Mar 2007 21:33:54 GMT Server: Apache/2.2.3 (Linux/SUSE) Last-Modified: Thu, 15 Mar 2007 21:33:35 GMT ETag: "69143-5c-42bbde01309c0" Accept-Ranges: bytes Content-Length: 92 Connection: close Content-Type: application/x-perl #!/usr/bin/perl print "Content-type: text/plain\n\n"; print "mod_perl 2.0 breaks rocks!\n"; Connection closed by foreign host. Regards, David Bolt -- Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/ RISCOS 3.11 | SUSE 10.0 32bit | SUSE 10.1 32bit | openSUSE 10.2 32bit RISCOS 3.6 | SUSE 10.0 64bit | SUSE 10.1 64bit | openSUSE 10.2 64bit TOS 4.02 | SUSE 9.3 32bit | | openSUSE 10.3a1 32bit -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]