If you're using Apache, something along the lines of the following untested
directives should prevent anyone but the localhost (which is where your
virtual() calls should be coming from) from accessing the CGIs via HTTP:

<Directory /path/to/usr/cgi>
# Order takes a single argument: no whitespace after the comma
order deny,allow
deny from all
allow from localhost
</Directory>

> Thanks for the idea, but ...
>
> That would cause the script to be executed with permissions of the web
> server, and for security, that is generally prohibited by the ISP (we
> are the ISP).  The only exception to that rule is public scripts which
> reside in:
>
>   safe_mode_exec_dir = /host/runphp
>
> and are thus allowed to execute with permissions of the web server.
>
> To provide for the execution of private user CGIs, each user has their
> own /cgi directory.  Apache is configured to recognize /cgi in any URL
> as an executable CGI, and wraps all user CGIs with SuEXEC, to run them
> with permissions of the user, not the web server.
>
> But of course that means user scripts are accessible via URL.  So the
> question remains, how to limit their access.
>
> As the ISP, we could use any feature of the web server for our own
> CGIs, but we intentionally avoid that.  We have a hosting environment
> with a rich set of customer accessible tools, and we demonstrate that
> fact by using only those tools ourselves.  IOW, we use what we sell.
>
> I have some techniques for limiting access to user CGIs, but I still
> wonder how others have approached this problem ...
>
>
> Egan
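
Added example (not part of the original messages, and not Apache's own code): a simplified Python model of how the Order/Deny/Allow directives in the block above decide a request, including what changes if the Order value is reversed. The HOSTS table standing in for Apache's DNS lookup, the sample block and the function names are assumptions of this example.

```python
import ipaddress

# Assumption: stand-in for the DNS lookup Apache performs for host names.
HOSTS = {"localhost": ["127.0.0.1", "::1"]}

# Constructed sample: the block from the message, with the Order syntax fixed.
POSTED = """
<Directory /path/to/usr/cgi>
order deny,allow
deny from all
allow from localhost
</Directory>
"""

def matches(spec, client):
    """True if an Allow/Deny 'from' spec covers the client address."""
    if spec.lower() == "all":
        return True
    addr = ipaddress.ip_address(client)
    for target in HOSTS.get(spec.lower(), [spec]):
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            continue  # host name we cannot resolve here: no match
        if addr.version == net.version and addr in net:
            return True
    return False

def evaluate(block, client):
    """Return True if the directives in block admit the client address."""
    order, allow, deny = "deny,allow", [], []  # deny,allow is the default Order
    for line in block.strip().splitlines():
        words = line.split()
        if not words or words[0].startswith(("#", "<")):
            continue  # skip comments and the <Directory> container lines
        key = words[0].lower()
        if key == "order":
            if len(words) != 2:
                raise ValueError("Order takes one argument (no space after comma)")
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    if order == "deny,allow":
        return allowed or not denied   # Allow overrides Deny; default is allow
    if order == "allow,deny":
        return allowed and not denied  # Deny overrides Allow; default is deny
    raise ValueError("unsupported Order value: " + order)
```

With `order allow,deny` the same Deny and Allow lines reject every client, loopback included, because `deny from all` then takes precedence.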




-- 
PHP General Mailing List (http://www.php.net/)