
Can you use .htaccess in a cgi-bin directory?

Alex deVries

May 12, 1995, 3:00:00 AM
I'm trying to secure access for a cgi-bin script with .htaccess. I've modified
the server's access.conf accordingly (setting Allowoverride for the cgi-bin
directory), but I continually get error 500s...

The only solution I can see is putting my cgi scripts in a document directory,
enabling files with a .cgi extension to be executed (in srm.conf), and doing it
that way...

ideas? Anyone done this before?

- Alex deVries
Platform Environment Group, BNR


Gregory J. Sandell

May 12, 1995, 3:00:00 AM
In article <3p04s9$k...@bcarh8ab.bnr.ca>, Alex deVries <adev...@bnr.ca> says:
>
>I'm trying to secure access for a cgi-bin script with .htaccess. I've modified

If I may tag along and ask a related question:

Is there a web page out there where I can learn how to use .htaccess
correctly? Or can you recommend other sources.

Thank you,
Greg

Momus

May 12, 1995, 3:00:00 AM
adev...@bnr.ca writes:
> I'm trying to secure access for a cgi-bin script with .htaccess. I've
> modified the server's access.conf accordingly (setting Allowoverride
> for the cgi-bin directory), but I continually get error 500s...
> ideas? Anyone done this before?

Yes, I have done so. I have not put access control into the default
cgi-bin directory, but I have put access control onto another cgi-bin
with no problems. This was done using NCSA httpd 1.4 running on
Linux. Everything worked perfectly.

I simply added a line to my srm.conf file:
ScriptAlias /u/ /home/nkurz/cgi-bin/
then put in a normal .htaccess file in the target directory.
More details if you want them...

san...@sparky.parmly.luc.edu writes:
> Is there a web page out there where I can learn how to use .htaccess
> correctly? Or can you recommend other sources.

The NCSA page at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
does a pretty good job of explaining (assuming you are using NCSA
httpd). Mostly it consists of a series of examples, which can be used
as templates to do most anything you want.

nathan kurz
95...@williams.edu

Patrick Lee

May 12, 1995, 3:00:00 AM
Momus wrote:

> I simply added a line to my srm.conf file:
> ScriptAlias /u/ /home/nkurz/cgi-bin/
> then put in a normal .htaccess file in the target directory.
> More details if you want them...

Is there a configuration to tell the server to NOT serve certain
files?

My server (NCSA 1.4) is running as 'nobody' and with that, the
htaccess file needs to be a+r, since it is owned by another user
id. If the file is a+r, then any user can read it too just by
specifying the filename. I don't want this. I have already
disabled indexing but that does not help if the user requests the
file directly.

It will do something similar to the Alias configuration line, but
instead of substituting the path, it either changes the name
(like to /dev/null) or lets me refer it to another .html. Or is
there a way to set this up without having .htaccess a+r? But
how? As long as the server needs to read it, the client side
will be able to too.

--
Patrick Lee Stuyvesant H.S. Alumni Assoc.
Internet: pat...@panix.com Internet: al...@stuy.edu
Web: http://www.panix.com/~patlee Web: http://www.panix.com/~stuy


Momus

May 13, 1995, 3:00:00 AM
In article <3p17uo$n...@news.panix.com>, Patrick Lee <pat...@panix.com> wrote:
>Is there a configuration to tell the server to NOT serve certain
>files?
>My server (NCSA 1.4) is running as 'nobody' and with that, the
>htaccess file needs to be a+r, since it is owned by another user
>id. If the file is a+r, then any user can read it too just by
>specifying the filename. I don't want this. I have already
>disabled indexing but that does not help if the user requests the
>file directly.
>Or is there a way to set this up without having .htaccess a+r?
>But how? As long as the server needs to read it, the
>client side will be able to too.

Are you sure it serves it? I tested this real quick on my server, and
it told me: Your client does not have permission to get URL
/u/.htaccess from this server.
It could be something I have in my conf files, but I haven't
specifically made an effort to prevent serving this file.
Or are you worried about local users instead?

To prevent local users from looking at it, you could make it owned by
'nobody'. Or likely you could put 'nobody' into some group and change
the group to that new group (although I haven't tried doing the
latter).

Further, although there certainly could be reasons, why don't you want
this file to be visible?

Nathan Kurz
95...@williams.edu

Kevin S. McCurley

May 14, 1995, 3:00:00 AM
In article <3p0tfp...@bigbird.cc.williams.edu>,
Nathan Kurz <95...@williams.edu> wrote:
>The NCSA page at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
>does a pretty good job of explaining (assuming you are using NCSA
>httpd). Mostly it consists of a series of examples, which can be used
>as templates to do most anything you want.

I posted something recently pointing out that there are at least two
issues not specified by the NCSA documentation:

1. what is the default action if an order "allow,deny" or
"deny,allow" is used and a machine is not explicitly addressed by the
allow and deny statements? This is only mentioned for order
"mutual-exclude".

2. is there any way to make an access list that
disallows everything from some.edu, except
allows x.some.edu, and finally
allows everyone else.

I have received no response on these issues.

Kevin McCurley
Sandia National Laboratories
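
Added example, not part of the original thread or of NCSA's code: a small Python model of how `order`, `allow from` and `deny from` combine, applied to the access list asked about in point 2 above. It uses the evaluation rules of Apache's mod_access (the NCSA-derived server); that NCSA httpd 1.4 applies the same defaults is an assumption, and the function names and sample hosts are constructed for illustration.

```python
# Model of host-based access evaluation. Rules follow Apache's mod_access;
# identical behaviour in NCSA httpd 1.4 is assumed, not confirmed by the thread.

def host_matches(pattern, host):
    """'all' matches every host; otherwise match the exact host name or a
    domain suffix on a label boundary (some.edu matches x.some.edu, but
    not notsome.edu)."""
    pattern, host = pattern.lower().lstrip("."), host.lower()
    if pattern == "all":
        return True
    return host == pattern or host.endswith("." + pattern)


def allowed(order, allow, deny, host):
    """Return True if host is admitted under the given order directive."""
    in_allow = any(host_matches(p, host) for p in allow)
    in_deny = any(host_matches(p, host) for p in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # deny is checked first and allow overrides it;
        # a host matched by neither list is admitted.
        return in_allow or not in_deny
    if order in ("allow,deny", "mutual-failure"):
        # allow is checked first and deny overrides it;
        # a host matched by neither list is refused.
        return in_allow and not in_deny
    raise ValueError("unknown order: " + order)


# Constructed rule set: refuse some.edu, except x.some.edu, admit everyone else.
RULES = dict(order="deny,allow", allow=["x.some.edu"], deny=["some.edu"])


def check(host, **overrides):
    """Evaluate host against RULES, optionally overriding order/allow/deny."""
    return allowed(host=host, **{**RULES, **overrides})


if __name__ == "__main__":
    for h in ("y.some.edu", "x.some.edu", "www.example.org"):
        print(h, check(h), check(h, order="allow,deny"))
```

With the same two lists, switching to `order allow,deny` refuses all three sample hosts, because deny then overrides the `x.some.edu` exception and unmatched hosts are refused by default.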
