MC on Apache and CGI

andu undo at cloud9.net
Sun Dec 8 15:16:01 EST 2002


--On Sunday, December 08, 2002 19:39:59 +0000 jbv 
<jbv.silences at club-internet.fr> wrote:

>
>
> Pierre,
>
>> There are, basically, two ways you can install mc to have it running behind
>> Apache.
>>
>> 1.- As a simple cgi engine: just drop the mc engine where you want (but
>> not in a directory where any bad guy will expect to find it) and add the
>> right path at the head of your mc-cgi scripts, like "#!/the path/mc". Verify that
>> the right permissions are ok to let the cgis be launchable by the mc engine
>> and it will be ok.
>>
>
> That's what has been done (AFAIK) and it works OK.
>
> Although your comments raise a few important questions that
> I'll have to discuss with the UNIX guy :
> - what is the best directory to drop the mc engine so that
> no bad guy finds it ?

There is no such thing, I usually put it in the cgi-bin directory with the 
scripts but it can be anywhere as long as you specify the path in the 
script. You can rename it if you wish.

> - and what can happen if any bad guy finds it ?

Nothing, he never heard of it, only good people know Metacard;-).

> - is there anything specific that can be done (by a bad guy) with MC
> as a simple cgi engine that can't be done with a php or perl engine ?

No. Usually bad guys don't think of something called mc as something to 
play with and judging from the logs of the servers I service *all* bad guys 
look for a directory structure specific to windows NT not Linux.

> - does it have to do with the presence of a "wrapper" (I've seen
> that word at times in articles / discussions about cgi engines) ?
> - are there any safety measures to take to prevent that ?

No

>
> And as for permissions : I know that the right permissions have
> to be set to mc-cgi scripts and text files used by those scripts, but
> have the feeling that there must be some specific other permissions to
> set in the Apache configuration to allow mc-cgi scripts to be triggered
> by external requests... If yes, can those permissions be set for one
> domain name only ?

Just add the .cgi suffix to scripts to avoid changes to the Apache config file and 
make sure scripts are executable.

>
> More on these issues, please...
>
> Thanks a lot,
> JB
>
>



Regards, Andu Novac
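As an added example (not part of either poster's message, and not MetaCard or Apache code), the points in the reply above, the `#!` path to the engine, the `.cgi` suffix and the execute bit, can be checked with a shell audit of the script directory. The function names and finding codes are made up for this example, and it additionally reports world-writable files and an engine stored inside the served directory.

```shell
#!/bin/sh
# Added example, not from the thread. Findings print one per line: "CODE path".

# True if PATH (symlinks followed) has all permission bits in MODE set.
has_perm() {
    [ -n "$(find -L "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# Print the interpreter path from a script's "#!" line, or nothing.
shebang_interp() {
    IFS= read -r first < "$1" || [ -n "$first" ] || return 0
    case $first in
        '#!'*) printf '%s\n' "${first#??}" |
                   sed 's/^[[:space:]]*//; s/[[:space:]].*$//' ;;
    esac
}

# Audit every *.cgi file directly inside DIR (pass an absolute path).
audit_cgi_dir() {
    dir=${1%/}
    for f in "$dir"/*.cgi; do
        [ -f "$f" ] || continue
        # 0100 = owner execute bit; catches the usual "chmod 644" mistake.
        has_perm "$f" 0100 || echo "NOT_EXECUTABLE $f"
        # 0002 = writable by any local user, who could then replace the script.
        if has_perm "$f" 0002; then echo "WORLD_WRITABLE $f"; fi
        interp=$(shebang_interp "$f")
        if [ -z "$interp" ]; then echo "NO_SHEBANG $f"; continue; fi
        case $interp in
            /*) ;;
            *) echo "BAD_INTERPRETER $f -> $interp"; continue ;;
        esac
        if [ ! -f "$interp" ] || ! has_perm "$interp" 0100; then
            echo "BAD_INTERPRETER $f -> $interp"; continue
        fi
        if has_perm "$interp" 0002; then echo "WORLD_WRITABLE $interp"; fi
        # An engine stored in the served directory can itself be requested by URL.
        case $interp in
            "$dir"/*) echo "ENGINE_IN_CGI_DIR $interp" ;;
        esac
    done
    return 0
}

if [ "$#" -gt 0 ]; then audit_cgi_dir "$1"; fi
```

Run it with the absolute path of the script directory as its only argument; no output means none of the checks fired.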


