Originally posted by david_ross
Actually - you're wrong.
The user and/or group that apache runs as must have access to the files, be it readable, writable or executable. Making scripts readable by everyone on a system could be classed as a security threat, as any user could be able to find security holes in one of the scripts a lot easier than if they were guessing.
Before you make such definitive statements, friend, be sure you are accurate....
Here is my setup and ooops look at that....it works like a champ. Why? Because a webserver MUST be accessible globally by everyone. Now yes, all the moving parts for apache, meaning executables, must be able to be run by the owner APACHE; however, we are not discussing that. As far as CGIs go, hello, they are executables that will need to be run globally also. CGIs are your responsibility to make sure they don't do something stupid.
Now check out my setup at home. I run about 30 production sites in a similar fashion for a Fortune 50.
drwxr-xr-x 3 ftpuser ftp 4096 Jun 7 12:07 web1
drwxr-xr-x 2 apache apache 4096 Apr 23 09:33 web2
[root@webserver1 web1]# ls -l
-rw-r--r-- 1 ftpuser ftp 15 Jun 7 12:07 index.html
-rw-r--r-- 1 ftpuser ftp 2216539 Apr 25 12:15 sawmill6.4.5_x86_linux.tar.gz
drwxr-xr-x 2 root root 4096 May 7 07:48 ssh
[root@webserver1 web2]# ls -l
-rw-r--r-- 1 apache apache 15 Apr 23 09:33 index.html
Note dir web1 does NOT have any reference to the user apache and it works fine. Web2 does and it works too. All about the global read permission for the group everyone.
As for the security threat of CGIs, if you are gonna use them you better be prepared. They must be in a dir that has global execute for the group everyone or they will not work. When a user hits your site they do not hit it as the user of your apache server, meaning they do not read your pages or CGIs as the user apache. If they did that would be a HUGE security issue. SSIs, well, they are a different creature....server side....
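An added example, not part of either post: it applies the standard Unix owner/group/other selection to listing lines from the setup above, for a non-root process assumed to run as user apache in group apache only, and reports which permission triplet grants its access. The last two entries (private.html, grouponly.html) are hypothetical variants constructed for comparison; ACLs and special bits are not modelled.

```python
# Constructed sample: listing lines copied from the post above, plus two
# hypothetical tightened variants (mode 640) for comparison.
LISTING = [
    "drwxr-xr-x 3 ftpuser ftp 4096 Jun 7 12:07 web1",
    "drwxr-xr-x 2 apache apache 4096 Apr 23 09:33 web2",
    "-rw-r--r-- 1 ftpuser ftp 15 Jun 7 12:07 index.html",
    "-rw-r----- 1 ftpuser ftp 15 Jun 7 12:07 private.html",       # hypothetical
    "-rw-r----- 1 ftpuser apache 15 Jun 7 12:07 grouponly.html",  # hypothetical
]

def parse_ls_line(line):
    """Split an `ls -l` line into (mode string, owner, group, name)."""
    fields = line.split()
    return fields[0], fields[2], fields[3], fields[-1]

def applicable_class(owner, group, user, groups):
    """Unix uses exactly one triplet: owner first, then group, then other."""
    if user == owner:
        return "owner"
    if group in groups:
        return "group"
    return "other"

def access(line, user, groups):
    """Return (name, class used, granted bits) for a non-root process."""
    mode, owner, group, name = parse_ls_line(line)
    cls = applicable_class(owner, group, user, groups)
    # Mode string layout: type char, then owner, group, other triplets.
    start = {"owner": 1, "group": 4, "other": 7}[cls]
    bits = mode[start:start + 3]
    return name, cls, bits.replace("-", "")

def audit(user="apache", groups=("apache",)):
    """Map each listed name to the class and rights the process gets."""
    results = (access(line, user, groups) for line in LISTING)
    return {name: (cls, bits) for name, cls, bits in results}

if __name__ == "__main__":
    for name, (cls, bits) in audit().items():
        print(f"{name:15} via {cls:5} -> {bits or 'no access'}")
```

Passing a different `user` and `groups` to `audit()` shows what any other local account gets from the same modes.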