On Thu, Sep 19, 2002 at 10:12:29AM -0400, Brian White wrote:
> > Perhaps things have changed in the last 3 years, and they
> > shall understand that post the /usr/doc issue policy has become more
> > conservative?
> I'm afraid I don't understand what you mean here.

He means the best way to get something in policy is for it to be implemented. Of course, the best way to get many things implemented is for them to be in policy, first, but hey, when have paradoxes stopped us before?

> No, I mean that <webroot>/cgi-lib should point to /usr/lib/cgi-bin
> and <webroot>/cgi-bin should point to ~www-data/cgi-bin. The latter is
> what webmasters expect or, at the very least, they expect to be able to
> control <webroot>/cgi-bin.

Well, they can do that now -- all they have to do is change the cgi-bin override in apache.conf. The above would also seem like it would break people's websites and bookmarks, a bit, which would seem undesirable.

What would y'all think about having cgi-bin managed more like, umm:

    /usr/lib/cgi-bin/
        <packages dump CGI scripts in here willy-nilly>
    ~wwwdata/cgi-bin/
        <packages make symlinks to /usr/lib/cgi-bin/blah in postinst,
         based on some setting in /etc/ somewhere>

So that admins can just rm symlinks to scripts they don't need, or, if they want to be absolutely sure they don't get any cgi-bin scripts they don't want, change the config file.

The transition could probably be something like having the web server check the config file currently points cgi-bin at /usr/lib/cgi-bin, then prompt, and both change the config file and make symlinks to everything currently in /usr/lib/cgi-bin, which seems possible, reliable, and fairly seamless, at first glance.

> I believe that <webroot>/cgi-bin should access local cgi-scripts since that
> is the traditional method and the way most webmasters lay out their site.
> I'd like to use <webroot>/cgi-lib for access to the system cgi-scripts.

Hrm. Does it really make sense to have to change all your "cgi-bin/blah" references to "cgi-lib/blah", just because you choose to use a packaged version of the cgi script, or vice-versa?

(I'm somewhat interested in fixing the "unwanted services becoming available, and possibly posing a remote security risk just 'cause I installed some package to look at some files" problem, which I think the above suggestion might do)

I'm assuming, of course, that webservers can cope with symlinks to CGI scripts in their default cgi-bin directory...

Cheers,
aj

-- 
Anthony Towns <[EMAIL PROTECTED]> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``If you don't do it now, you'll be one year older when you do.''
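An added sketch of the symlink scheme proposed in the message above, including the case where an admin has removed a link and the package is later upgraded; it is not code from the original mail or from any Debian package. The policy file format (`autolink=yes`), the function names and the directory arguments standing in for /usr/lib/cgi-bin and ~www-data/cgi-bin are assumptions.

```shell
#!/bin/sh
# Hypothetical helpers for the proposed scheme. Assumed, not from the mail:
# the policy file line "autolink=yes", all function names, and passing the
# packaged and live cgi-bin directories as arguments.

# cgi_autolink_enabled CONF -> succeeds only if CONF contains autolink=yes.
cgi_autolink_enabled() {
    [ -r "$1" ] && grep -qx 'autolink=yes' "$1"
}

# link_cgi CONF PKGDIR LIVEDIR OLDVERSION SCRIPT...
# Intended for a package postinst. OLDVERSION is the postinst's second
# argument: empty on a fresh install, set on upgrade. Links are created only
# on a fresh install, so a link the admin removed stays removed on upgrade.
link_cgi() {
    conf=$1 pkgdir=$2 livedir=$3 oldver=$4
    shift 4
    cgi_autolink_enabled "$conf" || return 0   # admin opted out entirely
    [ -z "$oldver" ] || return 0               # upgrade: leave links alone
    for script in "$@"; do
        case $script in */*|.*|'') continue ;; esac   # plain file names only
        [ -f "$pkgdir/$script" ] || continue
        # Never replace something the webmaster already put there.
        if [ -e "$livedir/$script" ] || [ -L "$livedir/$script" ]; then
            continue
        fi
        ln -s "$pkgdir/$script" "$livedir/$script"
    done
}

# exposed_cgi PKGDIR LIVEDIR -> prints, one per line, the packaged scripts
# that are currently reachable through the live cgi-bin.
exposed_cgi() {
    for entry in "$2"/*; do
        [ -L "$entry" ] || continue
        target=$(readlink "$entry")
        case $target in "$1"/*) [ -e "$entry" ] && basename "$entry" ;; esac
    done
    return 0
}

# Constructed demo in a scratch directory (nothing outside it is touched).
demo=$(mktemp -d) && mkdir "$demo/pkg" "$demo/live"
echo 'autolink=yes' > "$demo/conf"; touch "$demo/pkg/viewer" "$demo/pkg/admin"
link_cgi "$demo/conf" "$demo/pkg" "$demo/live" "" viewer admin
rm "$demo/live/admin"                      # admin disables one script
link_cgi "$demo/conf" "$demo/pkg" "$demo/live" "1.0-1" viewer admin
exposed_cgi "$demo/pkg" "$demo/live"       # prints: viewer
rm -rf "$demo"
```

Running `exposed_cgi` periodically gives an inventory of which packaged scripts the web server will actually execute, which is the exposure the message is concerned with.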