Re: [cobalt-users] [RaQ3]Formmail widely server security
- Subject: Re: [cobalt-users] [RaQ3]Formmail widely server security
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Mon Jan 28 23:09:02 2002
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Ramón Batalla wrote:
> Is there any way to use only one formmail script for all
> users of the server without compromising the server?
Yes. You create a "cgi-bin" directory, probably under /home/sites/home.
Then you make a change to srm.conf... add something like this at the
bottom:
ScriptAlias /cgi-formmail/ /home/sites/home/cgi-formmail/
That will give you a system wide "cgi-formmail" capability. Put the
FormMail.pl script there. Call it for any domain as <form
action="/cgi-formmail/FormMail.pl"...
Of course you'll have to modify FormMail for each domain that's going to
use it, but that's a FormMail issue and quite necessary for security.
BEWARE... FormMail is notoriously insecure. We just today replaced all
our FormMail scripts with a new one, it involved a lot of customer
involvement, but it was GOOD <smile>.
It's too late for me to do it tonight, but I'll put the newest, most
secure FormMail.pl, with complete instructions, in anonymous ftp at
ftp.nobaloney.net. If I don't by mid-afternoon call me or write me
offlist and remind me of my promise <smile>.
> How to make one general cgi-pub dir in RaQ3?
That's a bit more complex. Because you'll have to call it something
that no-one else will use on their own. Perhaps cgi-pub is a good
idea. Do it the same way as above. And put there certain programs you
want all sites to be able to use, and tell everyone to use them.
We do this all the time. It works fine.
And more good news, it doesn't use the dreaded <wry grin> cgi wrapper;
it uses a completely different security method; perhaps not quite as
good, but pretty good, and in use at most web-hosting companies because
of its simplicity... the method built into Apache.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484
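
Added example, not part of the original message and not FormMail's own code: one way a single mail-form script shared by every site can be restricted per domain, assuming the per-domain change is a limit on which addresses each site's forms may mail. The domain names, the %ALLOWED table and check_recipient() are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not FormMail's code): per-domain recipient allow-list
# for one mail-form script shared by all sites on the server.
use strict;
use warnings;

# Constructed sample policy: each hosted site may mail only these addresses.
my %ALLOWED = (
    'www.example.com' => [ 'sales@example.com', 'info@example.com' ],
    'www.example.org' => [ 'webmaster@example.org' ],
);

# Returns the configured address if the request is acceptable, undef otherwise.
# $host is whatever identifies the calling site (assumed: its host name).
sub check_recipient {
    my ($host, $recipient) = @_;
    return undef unless defined $host && defined $recipient;

    # CR/LF in a value that ends up in a mail header would let the
    # submitter add headers of their own: reject outright.
    return undef if $recipient =~ /[\r\n]/;
    # Separators or whitespace would turn one field into several addresses.
    return undef if $recipient =~ /[,;\s]/;

    $host = lc $host;
    $host =~ s/:\d+\z//;                          # drop an optional :port
    my $list = $ALLOWED{$host} or return undef;   # site not configured: refuse

    # Exact, case-insensitive match only; no substring or suffix matching.
    for my $ok (@$list) {
        return $ok if lc $recipient eq lc $ok;
    }
    return undef;
}

# Constructed requests: (site host name, "recipient" form field).
my @requests = (
    [ 'www.example.com',     'sales@example.com' ],          # listed
    [ 'www.example.org',     'sales@example.com' ],          # another site's address
    [ 'www.example.com',     'someone@elsewhere.invalid' ],  # not listed
    [ 'www.example.com',     "sales\@example.com\nBcc: x\@elsewhere.invalid" ],
    [ 'unknown.example.net', 'info@example.com' ],           # site not configured
);
for my $r (@requests) {
    my ($host, $rcpt) = @$r;
    (my $shown = $rcpt) =~ s/\n/\\n/g;
    printf "%-20s %-46s %s\n", $host, $shown,
        defined check_recipient($host, $rcpt) ? 'ACCEPT' : 'REJECT';
}
```

Only the first constructed request is accepted; the other four are rejected.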