English 中文(简体)
cgi-bin directory contents: What else can be stored there, apart from the CGI scripts/executables?
原标题:

What files should/should not be stored in the cgi-bin folder/directory on a web server?

Obviously, executable scripts/files that make up a web application, called from a web browser can be stored there.

But is there a common industry opinion about what else can be stored there?

Is there a very strong reason why nothing else apart than the scripts/executables is allowed there?

My preference is to store all files belonging to an application in the cgi-bin directory/folder, as a subfolder off it - for each application.

For example directory cgi-bin/myapplication would contain:

  • the cgi scripts/executables
  • datafiles
  • configuration files

This simplifies installation and also simplifies the steps to run different versions of a application in parallel, e.g. for trialling a new version.

Concerns about security access to non-script files can be addressed by using the correct user permissions and also Apache .htaccess to control access to the directory and files.

It would seem that popular free applications are in favour of this everything-under-one-directory approach: The versions of bugzilla, the free defect and feature tracking tool, e.g. 3.4.4 are offered in this structure, while earlier versions, e.g. 2.x installed bugzilla components to at least three folders.

Drupal, the powerful and popular free content management system also takes this approach of everything-under-one-directory, albeit doesn t use the cgi-bin folder but the approach is the same.

What are your thoughts?

最佳回答

There is nothing special about the cgi-bin folder. It is like any publicly-accessible web folder that has the "allow-script" flag set (or the equivalent for your web server) - something that has become almost meaningless in the world of PHP/JSP and the likes.

You should only store files that you wish to be public in any folder under your webroot. You probably don t want your data and configuration to be downloadable by any user on the internet, so don t keep them in /cgi-bin

Certain servers may try and execute any file in /cgi-bin if requested. This could cause problems, especially if text or data files are executed as shell script.

Applications like Drupal are intended to be easy for anyone to install, regardless of what permissions they may have on their web-host. This is the main reason it keeps everything together. If you have the ability to put files where you want, it is always a good practise to keep non-public files outside of the webroot. If you must keep them under the webroot, then ensure that you use your server s configuration to deny public access to the non-public files.

问题回答

暂无回答




相关问题
Signed executables under Linux

For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...

MALICIOUS_CODE EI_EXPOSE_REP Medium

I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...

XSS on jsbin.com

Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...

Make md5 strong

Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...

Why running a service as Local System is bad on windows?

I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...

Brute-force/DoS prevention in PHP [closed]

I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...

热门标签