Enabling CGI scripting
-
ScriptAlias /my-cgi-bin /aul/homes/dlette07/COP3832/server/cgi-bin
-
This is the safest way to enable scripting on your server. This has the effect
of creating an alias to a directory that will contain scripts. This directory
is under the web administrator's control, so you are the one to decide which
scripts are placed into the directory. It will be your responsibility to ensure
that the scripts are safe.
By adding the alias, every user on your server will be able to access the
scripts that are in this directory. You have had some experience with this
already: in the JavaScript assignment, you were required to use the
cgiwrap script which is in the cgi-bin directory.
-
AddHandler cgi-script .cgi .pl
-
This is an insecure way to add CGI scripting to your server. This allows
any user on your site to run a CGI script, simply by creating the script
with the .cgi or .pl extensions. The web administrator no longer
has control over the quality of the scripts. It is possible for a user on
the server to write a script that compromises the security of the entire
file system.
This command enables CGI scripting for the entire server. However, it is
still possible to disable CGI scripting on a per directory basis. This can
be done in the access.conf file. For example,
<Directory /aul/homes/*/COP3832/personal>
AllowOverride AuthConfig Indexes Limit FileInfo
Options -ExecCGI -Includes
</Directory>
will disable the dangerous options for users on your server, but will still
enable you to place CGI scripts anywhere in your document root. You should
definitely include the above directives in access.conf. Since your server is
running with your permissions, any script that your server calls will also
run with your permissions, even if the script is written by another user and
is located in that user's directory. It is possible to write a script that
will display the contents of any file that is owned by you. The only way to
avoid this security hole is to include the above directives in access.conf.
You can also accomplish the same thing with a Location directive:
<Location ~ /~.*>
Options -ExecCGI -Includes
</Location>
You do not need the AllowOverride directive, since Location directives are
processed after the .htaccess files have been read.
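
As an added example (not part of the original page), this short Python audit scans a configuration for the server-wide cgi-script handler described above and reports which Directory or Location sections switch ExecCGI off. The name audit_cgi and the sample text are constructed for illustration. The AllowOverride Options/All check is an addition, since either setting lets a user's .htaccess turn ExecCGI back on. The script does not verify that a restricting section actually covers the user directories.

```python
import re

# Constructed sample, built from the directives discussed on this page.
SAMPLE_CONF = """\
ScriptAlias /my-cgi-bin /aul/homes/dlette07/COP3832/server/cgi-bin
AddHandler cgi-script .cgi .pl
<Directory /aul/homes/*/COP3832/personal>
AllowOverride AuthConfig Indexes Limit FileInfo
Options -ExecCGI -Includes
</Directory>
"""

OPEN = re.compile(r"<(Directory|Location)(?:Match)?\s+(.+?)>$", re.I)
CLOSE = re.compile(r"</(Directory|Location)(?:Match)?>$", re.I)

def audit_cgi(conf_text):
    """Return (findings, restricted_sections) for an Apache config string."""
    findings, restricted, stack = [], [], []
    global_handler = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2)}")
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        words = [w.lower() for w in line.split()]
        scope = stack[-1] if stack else "server-wide"
        if words[0] in ("addhandler", "sethandler") and "cgi-script" in words[1:2]:
            global_handler = global_handler or not stack
            findings.append(f"line {lineno}: cgi-script handler ({scope})")
        elif words[0] == "options":
            if "-execcgi" in words and stack:
                restricted.append(scope)
            elif "execcgi" in words or "+execcgi" in words:
                findings.append(f"line {lineno}: ExecCGI enabled ({scope})")
        elif words[0] == "allowoverride" and stack:
            # AllowOverride Options/All lets a .htaccess file turn ExecCGI back on.
            if any(w == "all" or w.startswith("options") for w in words[1:]):
                findings.append(f"line {lineno}: .htaccess may override Options ({scope})")
    if global_handler and not restricted:
        findings.append("server-wide cgi-script handler and no section sets -ExecCGI")
    return findings, restricted
```

Calling audit_cgi(SAMPLE_CONF) reports the server-wide handler on line 2 as a finding and lists the personal-directory section as restricted.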