Hello,

On 1/26/2012 11:17 AM, Pete Helgren wrote:
> Yep. I would rather use the IFS but I think all I saw in the CGIDEBUG
> file was "cannot open file" and "permission denied" (I don't have the
> exact wording because I cleared the member). The folders and files all
> had QTMHHTTP with *RX permissions and the Apache log had nothing to add.

CGI programs do not typically run under userid QTMHHTTP. They run under QTMHHTP1 by default. (Though my shop, and others I've worked with, like to change this to make the user sign in and access files under their own authority.)


> The folder I was trying to access had the following directory entry in
> the config file:
>
> <Directory /www/myfolder/htdocs/myapps>
> Options None
> order allow,deny
> allow from all
> </Directory>

You should NOT have this for your template files.

This is to allow the HTTP server to send the file (the IFS file in the directory, above) to the browser. You don't want the browser to receive this file directly, do you?

When the HTTP server calls a CGI script (aka your program) it only needs authority to run the program. It doesn't access the file directly (indeed, it doesn't even know there's a file involved -- some of the CGI scripts I've written don't even use template files.)

It's your *program* (via calls to the CGISRVPGM2 service program) that accesses the files. Program access to files works the same in CGI as it does anywhere else... it uses the operating system's object-level security.

By opening up the /www/myfolder/htdocs/myapps directory in the Apache config as you've done, you've made it possible for browsers to read your template files directly without calling your program. Depending on the environment, this could be a huge security hole.
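
The check described in the message above, as an added example that is not part of the original post: a small audit that reads `<Directory>` blocks from an Apache-style config and reports template directories whose most specific access rules let any client fetch them. The root default-deny block and the `templates` subdirectory name are constructed for illustration, and only `<Directory>` sections are examined.

```python
import re

# Constructed sample: hypothetical default-deny root block + the block quoted in the post.
SAMPLE_CONF = """\
<Directory />
   Order deny,allow
   Deny from all
</Directory>
<Directory /www/myfolder/htdocs/myapps>
   Options None
   order allow,deny
   allow from all
</Directory>
"""
BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
ACCESS_RE = re.compile(r"^(order|allow|deny|require)\b", re.I)

def parse_blocks(conf):
    """Return [(path, [normalized access directives])] per <Directory> block."""
    blocks = []
    for path, body in BLOCK_RE.findall(conf):
        rules = [" ".join(l.split()).lower() for l in body.splitlines()
                 if ACCESS_RE.match(l.strip())]
        blocks.append((path.rstrip("/") or "/", rules))
    return blocks

def grants_all(rules):
    """True when the directives let any client fetch files from the directory."""
    if "require all granted" in rules:            # Apache 2.4 syntax
        return True
    if "allow from all" not in rules:
        return False
    order = next((r.split(" ", 1)[1].replace(" ", "") for r in rules
                  if r.startswith("order ")), "deny,allow")
    # "Order allow,deny": a matching Deny wins. "Order deny,allow": Allow wins.
    return not (order == "allow,deny" and "deny from all" in rules)

def covers(directory, path):
    d, p = directory.lower(), path.lower()        # case-insensitive, to be conservative
    return p == d or p.startswith(d.rstrip("/") + "/")

def exposed_templates(conf, template_dirs):
    """Template dirs whose most specific access rules serve them to any client."""
    hits = []
    for tdir in template_dirs:
        scoped = [(p, r) for p, r in parse_blocks(conf) if r and covers(p, tdir)]
        if scoped and grants_all(max(scoped, key=lambda b: len(b[0]))[1]):
            hits.append(tdir)
    return hits
```

Calling `exposed_templates(SAMPLE_CONF, [...])` with the directories your CGI programs read templates from returns the ones a browser could request directly.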
