[LUNI] Which cgi-bin in Ubuntu?
Ramin K
ramin-list at badapple.net
Thu Oct 14 00:32:07 CDT 2010
On 10/13/2010 9:49 PM, Martin Maney wrote:
> On Wed, Oct 13, 2010 at 08:34:57PM -0700, Ramin K wrote:
>> On 10/13/2010 8:16 PM, Clyde Forrester wrote:
>>> I am about to attempt primitive web experiments with Perl, and I've hit
>>> a snag. I'm using Ubuntu Linux 9.10 and Apache2. The general area for
>>> the server is in /var/www/, but the cgi-bin directory is in /usr/lib/.
>
>> 1. Don't mess with the system config files like httpd.conf. Instead
>> create your own config in /etc/apache/sites-available/my.site.com.conf
>> and then enable it. Makes updates simpler and it's easier to track your
>> changes.
>
> +1, excellent advice
>
>> 2. Don't worry about using the cgi directory. You'll likely want to keep
>> all your application files together. Like this.
>>
>> <Directory /var/www/my.site.com/cgi>
>> AddHandler cgi-script .pl
>> Options ExecCGI Indexes FollowSymLinks MultiViews
>> AllowOverride None
>> Order deny,allow
>> Deny from all
>> </Directory>
>
> -1, terrible idea
>
> The principle of separating the cgi directory from the server's
> document tree is rooted in basic security practices 101: never put
> something that you might not want others to be able to see in the open.
> Allowing Indexes in that directory is just piling it on.
>
> That said, I've done this sort of thing for a "safe"
> inside-the-firewall server, for ease of playing around. But exposing
> the cgi directory to the internet, that's just dumb. Consider the
> number of easily exploitable CGI scripts that have been in wide use over the
> years and you'll understand that getting that directory listing can be
> nearly as valuable to an attacker as being able to read the actual
> script. :-(
>
Good point. In this case I pulled an internal testing server's config
and then stripped the IP restrictions without actually thinking about
the config.
The other thing is that most people break things up like this, which is why you'd need
the handler bit in the first place.
my.site.com/htdocs
my.site.com/cgi
It's still the same tree in my source control for releases and what not.
In any case good to clarify all that.
Ramin
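To make Martin's point concrete, here is the same htdocs/cgi split written so that the script directory is mapped from outside the document root and never listable. This is an added example for this archive page, not a config from either poster; the site name my.site.com, the /srv paths and the sites-available file name are assumptions, and the Order/Allow syntax is Apache 2.2, which is what Ubuntu 9.10 shipped.

```apache
# /etc/apache2/sites-available/my.site.com   (path and name assumed; Ubuntu layout)
<VirtualHost *:80>
    ServerName my.site.com

    # Static files and HTML live under the document root.
    DocumentRoot /srv/my.site.com/htdocs

    # CGI scripts live in a sibling directory that is NOT under DocumentRoot,
    # so a request for /cgi/ can only run a script, never list the directory
    # or hand back a script's source. ScriptAlias maps the URL and marks the
    # target as a script directory in one step, so no AddHandler is needed.
    ScriptAlias /cgi/ /srv/my.site.com/cgi/

    <Directory /srv/my.site.com/htdocs>
        # No ExecCGI here: anything that lands in the document tree is served
        # as a plain file at most, never executed. Listings are off as well.
        Options -Indexes -ExecCGI -Includes -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Directory /srv/my.site.com/cgi>
        # ExecCGI is the only option the scripts need; the Indexes,
        # FollowSymLinks and MultiViews from the quoted snippet are left off.
        Options -Indexes +ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Enable it the Ubuntu way (`sudo a2ensite my.site.com` followed by an Apache reload) rather than editing httpd.conf, which keeps the first point of the thread intact. With this layout a request for http://my.site.com/cgi/ with no index script returns 403 rather than a listing, and the scripts in /srv/my.site.com/cgi are still one tree with htdocs in source control.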