Subject: Re: [htdig] Security and access for private websites
From: Gilles Detillieux (firstname.lastname@example.org)
Date: Mon May 22 2000 - 13:37:30 PDT
According to Andreas Vogt:
> Now, I set up htdig with two different confs. So public parts can be
> searched by htdig, and also private parts by different databases.
> The private search.html is protected by .htaccess and "require user...".
> But as /cgi-bin/htsearch is executable by any webclient (for working with
> the public search database), anybody can use it with the private config by
> typing "config=htdig.privat" in the URL by hand.
> Of course, a "spy" has to know the name of the private config file. But I
> think you can guess it, or worse: members of the private section, who
> aren't privileged any longer after the password is changed, can access it.
> So, how can I protect htsearch from being abused by typing in another
> config in the URL?
Probably the safest way is to have two separate htsearch binaries,
compiled with a different CONFIG_DIR setting (in the CONFIG file in
your source directory in 3.1.5, and in the Makefile in your source
directory in 3.2.0b2), for each one. In this way, you can maintain
separate directories of config files for the public and private sites.
Put the htsearch binary for the private site in a different ScriptAlias'ed
cgi-bin directory than the public one, and protect the private cgi-bin
with a .htaccess file as well.
An alternative is to use the CONFIG_DIR environment variable at run-time,
rather than the compile-time Makefile variable, to specify an alternate
private config file directory for htsearch. You'd still set up a
separate, ScriptAlias'ed cgi-bin, and protect it with a .htaccess file,
but in it you'd put a little shell script that sets CONFIG_DIR to the
private directory, and calls the real htsearch binary (which is set
at compile-time to use the public config directory). The CONFIG_DIR
environment variable will override the compiled-in CONFIG_DIR setting, so
the script from the private cgi-bin will use the private config directory.
--
Gilles R. Detillieux              E-mail: <email@example.com>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930
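The second approach in the reply above (a small wrapper in a protected cgi-bin that sets CONFIG_DIR and calls the real htsearch) as an added, worked example. This is not code from the htdig project or from the thread; the installation paths, the .htaccess contents and the helper names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Wrapper CGI for the private htsearch. Install it, executable, in a separate
# ScriptAlias'ed cgi-bin that is protected by .htaccess; the real htsearch
# stays in the public cgi-bin and keeps its compiled-in (public) CONFIG_DIR.
# All paths below are assumptions for this example, not ht://Dig defaults.

PRIVATE_CONFIG_DIR=/usr/local/htdig/private-conf   # assumed: directory of private *.conf files
HTSEARCH_BIN=/usr/local/htdig/bin/htsearch          # assumed: real htsearch binary

# Print the directory that will be handed to htsearch, after checking that it
# exists and is readable. Returns 1 if the check fails, so the wrapper never
# silently falls back to the compiled-in public directory.
private_config_dir() {
    if [ -d "$PRIVATE_CONFIG_DIR" ] && [ -r "$PRIVATE_CONFIG_DIR" ]; then
        printf '%s\n' "$PRIVATE_CONFIG_DIR"
        return 0
    fi
    return 1
}

# Minimal CGI error response, so a misconfiguration shows up as a 500 in the
# server log instead of an empty page.
cgi_error() {
    printf 'Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n%s\n' "$1"
}

# The .htaccess that protects the private cgi-bin (and the private search.html
# directory). Assumed user file path; the thread's own "require user ..." form
# works equally well in place of "Require valid-user".
print_htaccess() {
    cat <<'EOF'
AuthType Basic
AuthName "Private search"
AuthUserFile /usr/local/htdig/private.htpasswd
Require valid-user
EOF
}

wrapper_main() {
    dir=$(private_config_dir) || { cgi_error "private config directory missing"; return 1; }
    [ -x "$HTSEARCH_BIN" ] || { cgi_error "htsearch binary missing"; return 1; }
    # CONFIG_DIR in the environment overrides the compiled-in CONFIG_DIR, so a
    # config=... value supplied by the client is resolved only inside the
    # private directory, and only after Apache has authenticated the request.
    CONFIG_DIR=$dir
    export CONFIG_DIR
    exec "$HTSEARCH_BIN" "$@"
}

wrapper_main "$@"
```

Two checks worth making after installing it: Apache consults a .htaccess file in a ScriptAlias'ed directory only if the enclosing configuration grants it (AllowOverride AuthConfig or AllowOverride All), and the public htsearch must not be able to read the private directory, which is only the case while the private config files are stored outside the public CONFIG_DIR.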
This archive was generated by hypermail 2b28 : Mon May 22 2000 - 11:26:08 PDT