> -----Original Message-----
> From: Vincent Bray [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, July 11, 2007 6:48 AM
> To: users@httpd.apache.org
> Subject: Re: [EMAIL PROTECTED] Protecting CGI script from download?
> 
> ...
> 
> ScriptAlias /cgi-bin/ "/Library/WebServer/CGI-Executables/"
> 
> <Directory "/Library/WebServer/CGI-Executables">
>     AllowOverride None
>     Options None
>     Order allow,deny
>     Allow from all
> </Directory>
> 
> Change the Options line from None to ExecCGI to enable CGIs in that
> directory and restart apache.

This advice is inaccurate. You do not need "ExecCGI" in the context of a
ScriptAlias directory - this is a common misconception.

Use ScriptAlias when you want a directory to be used *exclusively* for
CGI and never need to serve plain files from that dir.

Use Options ExecCGI when you want to switch on CGI for certain files in
a directory but might want to maintain serving plain files as well.

See http://httpd.apache.org/docs/2.2/howto/cgi.html#configuring for
precise details.


> 
> > I want any user to be able to EXECUTE the script through a web interface.
> >
> > But, I want to make sure that nobody can DOWNLOAD the script to their
> > computer (I don't want anyone else to be able to use the script on their
> > own computer).

That's taken care of by the ScriptAlias directive - this ensures that
files in the directory can only be executed and can never be downloaded.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> >
> > I have set the file permissions for the script to 111. Will this do the
> > job??
> 
> No, you can't use filesystem permissions for this, Apache needs to be
> able to read the script to execute it. Change the owner of the script
> to somebody other than the apache user and give apache r-x (5)
> permissions on it.
> 
> >
> > Is there anything else I need to think about in order to protect the script?
> > Thanks in advance.
> > Larry
> 
> If the script contains sensitive information like database passwords,
> consider splitting it into multiple parts, with only a dispatcher in
> the cgi-bin directory that calls off to the main script outside of
> apache's document space. That way, in the unlikely event of a server
> misconfiguration leading to the script being available as text, you
> haven't given too much away.
> 
> -- 
> noodl
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>    "   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
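The permission advice quoted in this thread (mode 111 is not enough; the script should be owned by someone other than the Apache user, who gets r-x) can be checked mechanically. The following is an added example, not part of the original messages; the function names and the `web_uid`/`web_gids` inputs are assumptions, and it looks only at classic mode bits (no ACLs, no root override).

```python
import os
import stat
import tempfile

def effective_bits(st, uid, gids):
    """Return the rwx bits (0-7) that apply to a process with this uid/gids."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7   # owner class
    if st.st_gid in gids:
        return (mode >> 3) & 7   # group class
    return mode & 7              # other class

def audit_cgi_script(path, web_uid, web_gids):
    """Check one CGI script against the advice quoted in the thread.

    web_uid / web_gids are the ids the httpd children run as (assumed
    inputs; on a real host take them from the User and Group directives).
    Returns a list of findings; an empty list means the script passes.
    """
    st = os.stat(path)
    bits = effective_bits(st, web_uid, set(web_gids))
    findings = []
    if st.st_uid == web_uid:
        findings.append("owned by the web server user")
    if not bits & 4:
        findings.append("web server cannot read it (interpreter needs read access)")
    if not bits & 1:
        findings.append("web server cannot execute it")
    if bits & 2:
        findings.append("web server can modify it")
    return findings

if __name__ == "__main__":
    # Constructed sample: a temp file with the mode 111 from the question,
    # audited for a hypothetical web user that is neither owner nor in the group.
    fd, sample = tempfile.mkstemp(suffix=".cgi")
    os.close(fd)
    st = os.stat(sample)
    for mode in (0o111, 0o755):
        os.chmod(sample, mode)
        print(oct(mode), audit_cgi_script(sample, st.st_uid + 1, [st.st_gid + 1]))
    os.remove(sample)
```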
 
 
