From: Jeff D. <je...@ba...> - 2001-11-21 02:43:35
> A little grovelling around apache.org/docs and I got
> it running. My initial config, however, led to being
> able to access ids.conf and other files if you knew
> they existed: (i.e.
> http://photos.tiburcio.info/ids.conf or /LICENSE,
> etc).

I consider this kind of a design flaw with IDS. The placement of CGIs, config files, and static content in the various directories makes it somewhat challenging to secure the installation. The secure method would be to utilize a scriptalias, but this doesn't work because directories underneath IDS contain static content. This is where the primary problem is.

The problem is the structure should be something like:

    ids/cgi
    ids/conf
    ids/data

with all CGIs and modules going in the CGI directory, config data going in the conf directory, and data (static content) going in the data directory. Then a serveralias can be pointed into cgi and web access to conf can be denied. With the current directory structure, static content is served from underneath the directory in which the CGIs reside. This type of directory structuring for a CGI is typically considered to be flawed due to the relative difficulty required to secure an installation.
I use the convolution below to attempt to mitigate this issue:

    <VirtualHost 216.10.47.13>
        DocumentRoot /var/www/personal.subcultural.com
        ServerName personal.subcultural.com
        ErrorLog /var/log/apache/personal.subcultural.com-error.log
        CustomLog /var/log/apache/personal.subcultural.com-access.log combined

        # Whole /ids tree is CGI-only: files here are executed, never served as content.
        <Directory /var/www/personal.subcultural.com/ids/>
            SetHandler cgi-script
            Options ExecCGI
            AllowOverride AuthConfig
        </Directory>

        # Static subdirectories under /ids are switched back to plain file serving.
        <Directory /var/www/personal.subcultural.com/ids/image-cache/>
            SetHandler default-handler
            Order Deny,Allow
            AllowOverride None
            Options None
            Allow from all
        </Directory>
        <Directory /var/www/personal.subcultural.com/ids/themes/>
            SetHandler default-handler
            Order Deny,Allow
            AllowOverride None
            Options None
            Allow from all
        </Directory>
        <Directory /var/www/personal.subcultural.com/ids/albums/>
            SetHandler default-handler
            Order Deny,Allow
            AllowOverride None
            Options None
            Allow from all
        </Directory>
        <Directory /var/www/personal.subcultural.com/ids/album-data/>
            SetHandler default-handler
            Order Deny,Allow
            AllowOverride None
            Options None
            Allow from all
        </Directory>
        <Directory /var/www/personal.subcultural.com/ids/site-images/>
            SetHandler default-handler
            Order Deny,Allow
            AllowOverride None
            Options None
            Allow from all
        </Directory>

        User personal
        Group personal

        ## push personal.subcultural.com directly into IDS
        RewriteEngine on
        RewriteRule ^/$ /ids/ [R]
    </VirtualHost>

This configuration essentially defines /ids (and everything under it) as being a CGI directory, in which content can only be executed and not retrieved, and then goes down the tree under that defining which directories are OK for content to be retrieved from. This should not be necessary; the static content should be moved out from under the cgi part of the directory structure.

Jeff
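An added example, not from Jeff's message or the IDS project: rather than relying on the CGI handler to make ids.conf unservable (a non-executable file under SetHandler cgi-script is handed to mod_cgi and fails, rather than being cleanly refused), deny the sensitive files by name so they return 403 whatever handler applies to the tree. It assumes Apache 1.3-style Order/Deny access control and the /ids tree and file names mentioned in the thread.

```apache
# Added example: explicit denies for the files named in this thread (ids.conf, LICENSE).
# Assumes the deployed tree at /var/www/personal.subcultural.com/ids and Apache 1.3 syntax.
<Directory /var/www/personal.subcultural.com/ids/>
    # Refuse the IDS config file outright, independent of the handler for the tree.
    <Files ids.conf>
        Order Allow,Deny
        Deny from all
    </Files>
    # The LICENSE file has no business being served either.
    <Files LICENSE>
        Order Allow,Deny
        Deny from all
    </Files>
    # Any other *.conf dropped into the tree later is refused as well.
    <FilesMatch "\.conf$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>
</Directory>
```

After a restart, a request for /ids/ids.conf should log a 403 in the access log while the static subdirectories still serve their content.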