[Previous] [Next] [Index]
[Thread]
Re: Securing Web Server + CGIs
> Now, the method(s) proposed must ensure that security is maintained on
> the web server, especially re: CGIs. How do we ensure that malicious CGIs
> are not put onto the web server ? Is there any way to restrict the
> execution of any CGIs to only a particular directory in the web user's
> home directory ?
You cannot, except if you are willing to check all the CGI scripts written
by your users.
What you can do, but it may get bothersome in other respects, is to use
the protection scheme available in the CERN server and others. Just say 'all
scripts coming from this directory (i.e. ~user/cgi-bin) sould run with this
userid (ie. user)'. You will then _have_ to enforce proper user/group
protection on the system
> Another thing is re: Server Side Includes. I have read the book
> "Managing Internet Services", but it only touches very briefly on the
> topic. What is it really used for ? Is it essential for running CGIs such
> as imagemaps ?
>
Server includes are not essential. They allow you to run on-the-fly
commands, scripts or whatever you like. You should be aware that allowing
users to run UNIX commands on behalf of the server (as when a server include
calls a UNIX command and outputs its result) may be _very_ dangerous.
My advice is, if you want server includes, limit their use to tricks like
flastmod, fsize and the like. Not to command execution, that's asking for
trouble.
Happy Webbing,
--
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
INternet and Security Consultant
SILOGIC Tel : [33] 61.13.53.00
78, chemin des Sept Deniers Fax : [33] 61.57.96.60
31200 TOULOUSE - FRANCE Email : pyb@silogic.fr
Follow-Ups:
References: