password-protected cgi-bin directory? - Debian


Thread: password-protected cgi-bin directory?

  1. password-protected cgi-bin directory?

    Hi,

    when trying to package agdbnet I stumbled upon the installation instruction

    Put the agcurate.pl script in a password-protected cgi-bin directory. ...
    The software uses apache authentication to check that the user has rights
    to curate the database.

    (http://pubmlst.org/software/database...allation.shtml
    item 13.)

    I wonder what might be the appropriate implementation in Debian because
    I do not know that there is anything like a "password-protected cgi-bin
    directory". Has anybody solved a similar problem or is there some
    advice to do this reasonably?

    Kind regards

    Andreas.

    --
    http://fam-tille.de


    --
    To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: password-protected cgi-bin directory?

    Hi Andreas,

    On Mon, September 22, 2008 10:06, Andreas Tille wrote:
    > I wonder what might be the appropriate implementation in Debian because
    > I do not know that there is anything like a "password-protected cgi-bin
    > directory". Has anybody solved a similar problem or is there some advice
    > to do this reasonably?


    The cgi-bin directory on Debian is /usr/lib/cgi-bin, so you'd probably
    place it somewhere under there. You can then use an Apache configuration
    file snippet with a or or block to limit
    access. What I usually see happening is that access is limited to
    localhost only and possibly combined with http basic authentication of
    which the password is asked from the user upon installation. One such
    example is the setup script in the phpmyadmin package.

    An Apache snippet doesn't work with any webserver of course, so that is a
    drawback, but if the script doesn't have built-in authorisation features I
    don't know of a universal way to limit access to it.


    cheers,
    Thijs



  3. Re: password-protected cgi-bin directory?

    hiya,

    On Mon, Sep 22, 2008 at 10:06:35AM +0200, Andreas Tille wrote:
    > I wonder what might be the appropriate implementation in Debian because
    > I do not know that there is anything like a "password-protected cgi-bin
    > directory". Has anybody solved a similar problem or is there some
    > advice to do this reasonably?


    my advice is that you put the "cgi-bin" binaries in a directory solely for
    your own package, i.e. /usr/lib//cgi-bin . then you can set up a
    default htaccess file and apache configuration under etc and leave it to the
    admin to configure it (or do so via debconf if you want to be fancy).

    i would strongly recommend against putting anything in /usr/lib/cgi-bin,
    as use of this directory should be deprecated[1].

    sean

    [1] yes, i know that (normal, not webapps) policy still points at it and some
    packages may still use it, but it should go away regardless.

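
The setup described in posts 2 and 3, as an added example that is not from any poster in this thread or from the agdbnet package: a package-private CGI directory restricted to localhost and HTTP basic authentication. It uses Apache 2.4 syntax; the package name `mypkg`, the URL path and all file locations are hypothetical.

```apache
# Hypothetical snippet shipped by the package, e.g. as /etc/mypkg/apache.conf,
# and left to the admin (or debconf) to enable.
# "mypkg", the URL prefix and the paths below are assumptions for illustration.

# Map a URL prefix onto the package's own CGI directory instead of
# dropping scripts into the shared /usr/lib/cgi-bin.
ScriptAlias /mypkg-curate/ /usr/lib/mypkg/cgi-bin/

<Directory /usr/lib/mypkg/cgi-bin>
    # Keep all access policy in this file; ignore .htaccess files here.
    AllowOverride None

    # HTTP basic authentication against a password file kept outside
    # any directory the web server serves.
    AuthType Basic
    AuthName "mypkg curation"
    AuthBasicProvider file
    AuthUserFile /etc/mypkg/htpasswd

    # Both conditions must hold: an authenticated user AND a request
    # coming from the local machine.
    <RequireAll>
        Require valid-user
        Require local
    </RequireAll>
</Directory>

# Create the password file once, at install time, with a user name of
# the admin's choice (here the hypothetical "curator"):
#   htpasswd -c /etc/mypkg/htpasswd curator
#
# After a successful login Apache passes the user name to the CGI script
# in the REMOTE_USER environment variable, which is what a script that
# "uses apache authentication" can check.
#
# If "Require local" is dropped to allow remote curators, serve this
# directory over HTTPS only: basic authentication sends the password
# base64-encoded, not encrypted.
```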


  4. Re: password-protected cgi-bin directory?

    On Mon, Sep 22, 2008 at 06:13:06PM +0200, sean finney wrote:
    > hiya,
    >
    > On Mon, Sep 22, 2008 at 10:06:35AM +0200, Andreas Tille wrote:
    > > I wonder what might be the appropriate implementation in Debian because
    > > I do not know that there is anything like a "password-protected cgi-bin
    > > directory". Has anybody solved a similar problem or is there some
    > > advice to do this reasonably?

    >
    > my advice is that you put the "cgi-bin" binaries in a directory solely for
    > your own package, i.e. /usr/lib//cgi-bin . then you can set up a
    > default htaccess file and apache configuration under etc and leave it to the
    > admin to configure it (or do so via debconf if you want to be fancy).
    >
    > i would strongly recommend against putting anything in /usr/lib/cgi-bin,
    > as use of this directory should be deprecated[1].
    >
    > sean
    >
    > [1] yes, i know that (normal, not webapps) policy still points at it and some
    > packages may still use it, but it should go away regardless.


    Is that supposed to work with apache or with any package that provides
    httpd-cgi ?

    --
    Tzafrir Cohen | tzafrir@jabber.org | VIM is
    http://tzafrir.org.il | | a Mutt's
    tzafrir@cohens.org.il | | best
    ICQ# 16849754 | | friend



  5. Re: password-protected cgi-bin directory?

    On Mon, 22 Sep 2008, sean finney wrote:

    > my advice is that you put the "cgi-bin" binaries in a directory solely for
    > your own package, i.e. /usr/lib//cgi-bin . then you can set up a
    > default htaccess file and apache configuration under etc and leave it to the
    > admin to configure it (or do so via debconf if you want to be fancy).


    Actually I personally like /usr/lib//cgi-bin but I'm not really
    educated about htaccess files and apache configuration. Any examples
    laying around somewhere / pointers to docs which directly explain this
    issue?

    > i would strongly recommend against putting anything in /usr/lib/cgi-bin,
    > as use of this directory should be deprecated[1].


    Fine for me.

    Kind regards

    Andreas.

    --
    http://fam-tille.de



  6. Re: password-protected cgi-bin directory?

    hi,

    On Mon, Sep 22, 2008 at 04:24:13PM +0000, Tzafrir Cohen wrote:
    > > [1] yes, i know that (normal, not webapps) policy still points at it and some
    > > packages may still use it, but it should go away regardless.

    >
    > Is that supposed to work with apache or with any package that provides
    > httpd-cgi ?


    i would hope that most packages that provide cgi functionality have the
    ability to have something along the lines of a ScriptAlias, yes.


    sean



  7. Re: password-protected cgi-bin directory?

    On Tue, Sep 23, 2008 at 08:44:46AM +0200, sean finney wrote:
    > hi,
    >
    > On Mon, Sep 22, 2008 at 04:24:13PM +0000, Tzafrir Cohen wrote:
    > > > [1] yes, i know that (normal, not webapps) policy still points at it and some
    > > > packages may still use it, but it should go away regardless.

    > >
    > > Is that supposed to work with apache or with any package that provides
    > > httpd-cgi ?

    >
    > i would hope that most packages that provide cgi functionality have the
    > ability to have something along the lines of a ScriptAlias, yes.


    Looking at thttpd (2.25b-6). I don't regularly use it, so I just looked
    at the man page and provided configuration file. Maybe I missed
    something.

    Apparently there is just a single cgi_pat directive. It can include
    multiple patterns, though. There is no 'include' option to include a
    file from a different package.

    BTW: it seems that thttpd shares the same .htpasswd file format with
    apache. Though it needs it in the same directory and it only applies to
    that directory.

    In Lenny:

    $ aptitude search ~Phttpd-cgi
    p aolserver4 - AOL Web Server 4 (Program)
    p aolserver4-core - AOL Web Server 4 (Core libraries)
    p apache2-mpm-event - Apache HTTP Server - event driven model
    p apache2-mpm-itk - multiuser MPM for Apache 2.2
    i A apache2-mpm-prefork - Apache HTTP Server - traditional non-threa
    p apache2-mpm-worker - Apache HTTP Server - high speed threaded m
    p boa - Lightweight and high performance web serve
    p bozohttpd - Bozotic HTTP server
    p caudium - An extensible WWW server written in Pike
    p cherokee - extremely fast and flexible web server
    p lighttpd - A fast webserver with minimal memory footp
    p mathopd - Very small, yet very fast HTTP server
    p mini-httpd - a small HTTP server
    p nginx - small, but very powerful and efficient web
    i thttpd - tiny/turbo/throttling HTTP server
    p tntnet - modular, multithreaded web application ser
    p yaws - High performance HTTP 1.1 webserver writte

    --
    Tzafrir Cohen | tzafrir@jabber.org | VIM is
    http://tzafrir.org.il | | a Mutt's
    tzafrir@cohens.org.il | | best
    ICQ# 16849754 | | friend

