Cgi-bin dir outside web root?


DH allows execution of a script from anywhere within the web directory /home/username/, does it mean HTTP clients can read a script and find out where data is read from/written to? Is it then necessary (if possible) to move scripts above the web directory, say in /home/username/scripts/? How does one call the scripts from outside the web directory?
All suggestions/advice appreciated.


If Apache is configured correctly as well with appropriate file permissions, no.

Apache is the web server software and it has to be told what files are ‘executable’. I am not sure if there is a list somewhere of all the files that should be ‘executable’, you can always ask here or contact support - generally this is determined by the file extension. If Apache does not know to execute a file, it will transmit the contents.

In order to transmit the contents it has to be able to read the file, so the file permissions would have to enable “world” read access. The browser would be told the URL is “Forbidden” if that is not the case.

In order to execute the file the directory the file is in, as well as the file itself, must be owned by your FTP/shell user account. In addition the directory and the file must have the permissions set to disable “world” write access. Otherwise the browser would get the “Internal Server Error” message.

A more important problem related to your questions is the data files themselves. Programmers might get lazy and expect you to install a CGI application and have configuration and data files along side the executable files. You would need to ensure these files are not accessible through the web. Even if you don’t provide a link to these files, an attacker would have an educated guess if he is familiar with the CGI application.

Regarding Perl, you should consider a file with extension .pm to be non-executable. This means if it is inside a web-accessible directory you should set the file permissions appropriately. Sometimes this type of file is used for configuration settings, but usually it will actually be part of the CGI application itself.

Hmm. Now I have question - should PHP files that are just includes be non-world readable, if I don’t have PHP running as CGI?

:cool: Perl / MySQL / HTML+CSS


Many thanks to Atropos7 and Bob for the prompt and helpful responses.
So, it is not necessary to relocate the executables, as long as I do not chmod 777 them. :slight_smile: But I should relocate the data files out of the web directories.
How do I ensure only the associated scripts can read/write to the data files sitting in, say, /home/username/subdir/ ? And what permissions should be assigned to the data files?


> How do I ensure only the associated scripts can read/write to the data files sitting in, say, /home/username/subdir/ ?

Files and directories in the user home directory are owned by that user. Files and directories would need group and world permissions disabled.

> And what permissions should be assigned to the data files?

From command line, this would be

:cool: Perl / MySQL / HTML+CSS
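As an added example (not from the thread or from DreamHost), the following POSIX shell script builds a constructed layout under a temporary directory, applies the permission scheme described in the answers above, and audits the web directory for the three conditions discussed: world-writable files or directories (Apache's "Internal Server Error"), CGI scripts that are not world-readable ("Forbidden"), and non-executable files such as .pm or .conf that are world-readable and would therefore be transmitted as-is. Treating 700/600 as "group and world permissions disabled" for the data directory and its files is my assumption; the paths and file contents are constructed.

```shell
#!/bin/sh
# Constructed example: "webroot" stands in for /home/username/, "data" for a
# directory outside the web root. Nothing here is the forum's or DreamHost's code.
set -eu

# Create a small layout and apply the permissions the thread recommends.
setup_layout() {
    root=$1
    mkdir -p "$root/webroot/cgi-bin" "$root/data"
    printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n' \
        > "$root/webroot/cgi-bin/app.cgi"
    printf 'package Conf; 1;\n' > "$root/webroot/cgi-bin/Conf.pm"
    printf 'dbpass=constructed-secret\n' > "$root/data/app.conf"
    # Scripts and their directories: owner-writable only, world-readable.
    chmod 755 "$root/webroot" "$root/webroot/cgi-bin" "$root/webroot/cgi-bin/app.cgi"
    # Deliberately left world-readable so the audit has something to report.
    chmod 644 "$root/webroot/cgi-bin/Conf.pm"
    # Data outside the web root: group and world bits cleared (assumed 700/600).
    chmod 700 "$root/data"
    chmod 600 "$root/data/app.conf"
}

# Print one finding per line for the web directory given as $1.
audit_webroot() {
    webroot=$1
    # World-writable file or directory: Apache refuses to run the CGI (500).
    find "$webroot" -perm -002 -exec printf 'world-writable: %s\n' {} \;
    # A CGI script Apache cannot read is answered with "Forbidden" (403).
    find "$webroot" -name '*.cgi' ! -perm -004 \
        -exec printf 'cgi not world-readable: %s\n' {} \;
    # Files Apache does not execute are sent verbatim if world-readable.
    find "$webroot" \( -name '*.pm' -o -name '*.conf' -o -name '*.dat' \) \
        -perm -004 -exec printf 'world-readable non-script: %s\n' {} \;
}

# Exit status 0 when the audit reports nothing, 1 otherwise.
audit_ok() {
    [ "$(audit_webroot "$1" | wc -l)" -eq 0 ]
}

# Demonstration run; the only expected finding is the world-readable Conf.pm.
demo_root=$(mktemp -d)
setup_layout "$demo_root"
audit_webroot "$demo_root/webroot"
rm -rf "$demo_root"
```

Removing the group and world bits from Conf.pm (for example chmod 640) clears the finding, while making app.cgi world-writable introduces a new one.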