LinuxQuestions.org
Old 01-15-2004, 10:33 PM   #1
GoTrolling
LQ Newbie
 
Registered: Oct 2003
Distribution: Redhat 9.0
Posts: 9

Rep: Reputation: 0
Where to put protected scripts in Apache


Hello from a newbie.

I have a question on where to put perl scripts so that I limit access to only valid users on Apache. To get a useful answer I think I have to provide some specifics. My apologies if I do not get all the needed info out.

I have installed Apache, perl and MySQL on a RedHat 9.0 box. My root for web documents is at /var/www/html/. Right now I have my cgi directory at /var/www/cgi-bin/. I have created a directory at /var/www/html/secure/ and limited access to only valid users. I have pages that I want public as well as pages I want secure.

I have created perl scripts that link to a MySQL database. Some of the scripts modify the database, therefore I want to limit the access to them. The O'Reilly Apache book says that if I put the scripts below the root of the public html (such as in my /var/www/html/secure directory) I create a potential security risk. If I put them in the cgi-bin directory anyone who finds out the name of the script can run them.

Where do they belong? Is there any documentation as to where to put different parts of a website? The O'Reilly Apache book does a decent job of explaining the mechanics but not much on where things belong. I guess it is tough to come up with a generic layout to fit all needs. Any suggestions on what I should configure once I put them there would be great.

Thanks to all who contribute to make this a great website.
 
Old 01-15-2004, 10:49 PM   #2
looseCannon
Member
 
Registered: Dec 2003
Location: Little Rock, AR
Distribution: Fedora Core 2, AIX, HP-UX, Solaris, Whitebox
Posts: 193

Rep: Reputation: 31
htaccess, allow from

A couple of options come to mind right away.

First, in your httpd.conf, create a <Directory ...></Directory> block. Within that you can use "allow none" and "allow from ..." to control access to the directory.

<Directory /var/www/html/secure>
allow none
allow from domain.com
</Directory>
ScriptAlias /var/www/html/secure

That might work. MIGHT. Not sure, haven't tried that out.

Another option is to use a .htaccess file to control visitors' access to the scripts. Do some hunting on the web for how they work. They're pretty easy to use.

My last suggestion, and most complicated, is to build a login page in Perl and use a MySQL database backend to store the valid users and passwords. I have several things I've written that use this approach, but I used PHP.
 
Old 01-15-2004, 11:00 PM   #3
fyoder
Member
 
Registered: Nov 2003
Posts: 111

Rep: Reputation: 15
Is the secure directory protected with .htaccess? That is, can't be accessed unless user supplies a password? If so, that sounds like a good place to put it.

If you want to add further security (and complexity), make the perl cgi there pretty minimal and put most of the working code in a perl module. You could also create an sql user with password and put name, password, and whatever other variables of interest into a config file which would reside outside of the web root with permissions set so only the user apache runs as can read it. First thing the cgi does is get those values, and establishes connection with the database when appropriate using those credentials. Only give the sql user used by the script those permissions on tables that it absolutely requires.

One way or another the web server needs to access the cgi, obviously. However many layers of security to add and how arcane to get is up to you. Having a mysql username and password in a file readable by the web server is less than secure on a shared server where other accounts can write scripts for the web server to execute, but still better than no username and password at all.

I do something like the above with php where config variables are defined and the bulk of the code resides in classes. It has been some time since I've written a perl module. Vague recollections of it having its own quirks and php being perhaps a bit more friendly for this approach.
 
Old 01-16-2004, 10:29 AM   #4
GoTrolling
LQ Newbie
 
Registered: Oct 2003
Distribution: Redhat 9.0
Posts: 9

Original Poster
Rep: Reputation: 0
Yes, the secure directory is protected (asks for username and password) but I did it in the httpd.conf file and restarted Apache. Since reading the replies, I combined both suggestions. I added another directory at /var/www/html/secure/cgi-bin/ and added a ScriptAlias for /var/www/html/secure/cgi-bin. It now validates the user (asking for username and password) before the script can be called so it works OK on that end and everything seems to be interfacing fine. Thanks for the help.

The only nagging question I come back to is the fact that the O'Reilly Apache book makes a blanket statement that putting a script below the root html directory creates a potential security risk. I guess the key word is "potential". Anyone have any thought on this?
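
The layout discussed in this thread, written out as an added example (it is not part of any post here and not taken from the O'Reilly book): protected scripts are kept outside the document root and reached only through a ScriptAlias that requires both an allowed host and a valid login. The directory /var/www/secure-cgi/, the URL prefix /secure/cgi-bin/ and the password file /etc/httpd/conf/secure.htpasswd are assumed names; the syntax is Apache 2.0/2.2, matching the Red Hat 9 box in the question.

```apache
# Added example, Apache 2.0/2.2 syntax. Paths marked "assumed" are
# illustrative and do not come from the thread.

DocumentRoot "/var/www/html"

# Public scripts: anyone who learns the URL can run them.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

# Protected scripts live OUTSIDE the document root (assumed directory).
# The only URL that maps to them is this ScriptAlias, so if the line is
# ever lost the scripts become unreachable rather than being served from
# /var/www/html as ordinary files.
ScriptAlias /secure/cgi-bin/ "/var/www/secure-cgi/"

<Directory "/var/www/secure-cgi">
    # Ignore .htaccess here so the policy is defined in one place only.
    AllowOverride None
    # ScriptAlias already marks the directory as CGI; no extra options.
    Options None

    # Host restriction: deny everyone, then allow the trusted domain.
    # (Apache 2.4 expresses the host rule with "Require host" instead.)
    Order deny,allow
    Deny from all
    Allow from domain.com

    # Password check. Basic auth sends the password merely base64-encoded,
    # so serve this prefix over SSL.
    AuthType Basic
    AuthName "Restricted scripts"
    # Assumed path; keep the password file outside the document root too.
    AuthUserFile /etc/httpd/conf/secure.htpasswd
    Require valid-user

    # Require BOTH the host rule and the login to pass.
    Satisfy all
</Directory>

# Static pages that need a login can stay under the document root.
<Directory "/var/www/html/secure">
    AuthType Basic
    AuthName "Restricted pages"
    AuthUserFile /etc/httpd/conf/secure.htpasswd
    Require valid-user
</Directory>
```

Running `apachectl configtest` before restarting reports syntax errors in these blocks without taking the server down.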
 
Old 01-16-2004, 02:04 PM   #5
fyoder
Member
 
Registered: Nov 2003
Posts: 111

Rep: Reputation: 15
As a general rule, don't put anything sensitive in the web root. If you have to, password protect it. Do regular backups. Best of all for security, encase server in cement and dump in deep part of the ocean. Web servers are inherently insecure because their raison d'etre is to share stuff with everyone in the world. Security is, in a sense, tacked on. A certain amount of paranoia is healthy, but unless you want to dump it in the ocean, it's a question of balancing security concerns against access and usability.
 
  


All times are GMT -5.