> And how can you set up /home/<user>/cgi-bin to be web-executable if you
> cannot describe it with a web url?

that's what aliases and scriptaliases are for. you would put in their
virtualhost config (or just change the pathing in cgiwrap's source)
something like this:

    ScriptAlias /cgi-bin/ /home/user/cgi-bin/

think about it, debian's default cgi-bin isn't describable with a url. the
doc root is /var/www and the default cgi-bin is /usr/lib/cgi-bin.

> - how can I protect data files from being read from the filesystem,
> which should be readable from the web, but only after authentication?
> Since they should be http-served, they should be world-readable... Then
> how can I prevent anyone from reading them on the webserver system
> itself?

what we do is have the doc root set up like this:

    ryumin(larry)$ ls -ld /var/www
    drwxr-s--- 22 root wwwroot 28672 Dec 27 11:25 /var/www

and have the user the web server runs as set up like this:

    ryumin(larry)$ groups www-data
    www-data wwwroot

that way the web server can read files from inside /var/www but no one else
can unless they are in the wwwroot group.

adam.
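An added example, not part of the original message: a Python check that a doc root matches the layout described above (mode drwxr-s---, owner root, group wwwroot, www-data a member of wwwroot). The function names are this example's own; the path, group and user are the ones shown in the message.

```python
import grp
import os
import pwd
import stat
import sys


def audit_mode(mode):
    """Compare a doc-root st_mode with the drwxr-s--- layout from the message."""
    findings = []
    if not stat.S_ISDIR(mode):
        findings.append("not a directory")
    if mode & stat.S_IRWXO:
        findings.append("'other' has access: any local user can reach the files")
    need = stat.S_IRGRP | stat.S_IXGRP
    if (mode & need) != need:
        findings.append("group lacks r-x: the web server cannot serve the files")
    if mode & stat.S_IWGRP:
        findings.append("group-writable: the web server could alter content")
    if not mode & stat.S_ISGID:
        findings.append("setgid missing: new entries will not inherit the group")
    return findings


def user_in_group(user, group):
    """True if `group` is the user's primary or a supplementary group."""
    g = grp.getgrnam(group)
    return user in g.gr_mem or pwd.getpwnam(user).pw_gid == g.gr_gid


def audit_docroot(path, group, web_user):
    """Audit a live system; raises KeyError/OSError if names or path are absent."""
    st = os.stat(path)
    findings = audit_mode(st.st_mode)
    if st.st_uid != 0:
        findings.append("owner is not root")
    if st.st_gid != grp.getgrnam(group).gr_gid:
        findings.append(f"group is not {group}")
    if not user_in_group(web_user, group):
        findings.append(f"{web_user} is not in {group}: web server is locked out")
    return findings


if __name__ == "__main__":
    # Values taken from the message: /var/www, group wwwroot, user www-data.
    try:
        problems = audit_docroot("/var/www", "wwwroot", "www-data")
    except (KeyError, OSError) as exc:
        sys.exit(f"cannot audit: {exc}")
    print("\n".join(problems) or "layout matches drwxr-s--- root:wwwroot")
```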