[LUNI] Which cgi-bin in Ubuntu?
maney at two14.net
Wed Oct 13 23:49:21 CDT 2010
On Wed, Oct 13, 2010 at 08:34:57PM -0700, Ramin K wrote:
> On 10/13/2010 8:16 PM, Clyde Forrester wrote:
> > I am about to attempt primitive web experiments with Perl, and I've hit
> > a snag. I'm using Ubuntu Linux 9.10 and Apache2. The general area for
> > the server is in /var/www/, but the cgi-bin directory is in /usr/lib/.
> 1. Don't mess with the system config files like httpd.conf. Instead
> create your own config in /etc/apache/sites-available/my.site.com.conf
> and then enable it. Makes updates simpler and it's easier to track your
+1, excellent advice
> 2. Don't worry about using the cgi directory. You'll likely want to keep
> all your application files together. Like this.
> <Directory /var/www/my.site.com/cgi>
> AddHandler cgi-script .pl
> Options ExecCGI Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order deny,allow
> Deny from all
-1, terrible idea
The principle of separating the cgi directory from the server's
document tree is rooted in basic security practices 101: never put
something that you might not want others to be able to see in the open.
Allowing Indexes in that directory is just piling it on.
That said, I've done this sort of thing for a "safe"
inside-the-firewall server, for ease of playing around. But exposing
the cgi directory to the internet, that's just dumb. Consider the
number of easily exploitable CGI scripts have been in wide use over the
years and you'll understand that getting that directory listing can be
nearly as valuable to an attacker as being able to read the actual
If the best we can do is make technology as dangerous, non-robust,
capricious, arcane, alienating, marginal, and costly as "magic",
then we have really crappy technology. -- goliard
More information about the LUNI