goodness0001
12-03-2001, 09:44 AM
Why do some hosts allow cgi-bin scripts to be run from anywhere on the server and some don't? Is there a real benefit of just having it in cgi-bin? Are they really securing their server that much more?
Any thoughts or comments or reasons why more hosts don't allow this?
bobcares
12-03-2001, 10:56 AM
Hi!
cgi-bin can be enabled for the site by using a simple ScriptAlias tag in the httpd.conf for the virtual host.
There is no particular benefit for keeping or not keeping it only for cgi-bin directory. Just that the site is more organised.
Have a great day :-)
Regards
amar
You can run CGIs from an I-HATE-CGI-BIN directory if you want. You just have to set the correct permissions on the file ... and the directory if you want.
Locutus
12-03-2001, 12:39 PM
It's used purely to make your directories more organized.
If you ran your scripts everywhere, imagine what would happen if you have a lot of scripts :eek:
Easier to have a single directory to reference when you want to call the script :)
davidb
12-03-2001, 03:09 PM
Actually, it is for security too. Notice how it is usually never directly in the web directory. I.e., you might put your web documents in /home/html/ and your CGIs in /home/cgi-bin, then cgi-bin is not located in the web dir.
Locutus
12-03-2001, 03:49 PM
Most cgi-bins are in the web directory, otherwise you wouldn't be able to access directly any scripts on your browser :confused:
That's fine if you're accessing an html file outwith the cgi-bin that accesses the cgi server side, but most scripts require you access them client side, e.g. www.yourdomain.com/cgi-bin/thescript.pl
If your cgi-bin wasn't in the html directory, you wouldn't be able to run the script.
nexcess.net
12-03-2001, 04:53 PM
There is no necessity to have the cgi-bin directory in the web tree. The default Apache install actually installs the cgi-bin directory outside of the webroot and just uses an alias to give browsers access.
Here's a blurb regarding this issue from apache.org
http://httpd.apache.org/docs/misc/security_tips.html
Non Script Aliased CGI
Allowing users to execute CGI scripts in any directory should only be considered if;
1. You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.
2. You consider security at your site to be so feeble in other areas, as to make one more potential hole irrelevant.
3. You have no users, and nobody ever visits your server.
Script Aliased CGI
Limiting CGI to special directories gives the admin control over what goes into those directories. This is inevitably more secure than non script aliased CGI, but only if users with write access to the directories are trusted or the admin is willing to test each new CGI script/program for potential security holes.
Most sites choose this option over the non script aliased CGI approach.
Chris
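The two setups from the Apache excerpt quoted above, written out as httpd.conf fragments. This is an added example, not part of the thread or of the Apache documentation; it assumes Apache 2.4 syntax, reuses the /home/html and /home/cgi-bin paths mentioned earlier in the thread, and the .cgi/.pl extensions are illustrative.

```apache
# Variant A: Script Aliased CGI (use A or B for a given site, not both).
# Scripts live outside the document root; only the URL prefix /cgi-bin/
# maps to them, so the admin controls the one place code can execute.
DocumentRoot "/home/html"
ScriptAlias "/cgi-bin/" "/home/cgi-bin/"

<Directory "/home/cgi-bin">
    AllowOverride None          # no .htaccess changes inside the script dir
    Options None                # ScriptAlias already marks the contents as CGI
    Require all granted
</Directory>

<Directory "/home/html">
    Options -ExecCGI            # nothing in the document tree may execute
    AllowOverride None          # users cannot re-enable CGI from .htaccess
    Require all granted
</Directory>

# Variant B: Non Script Aliased CGI.
# Any file with a matching extension, anywhere under the document root,
# is executed. Anyone who can write a file into the tree can run code
# as the web server's CGI user.
<Directory "/home/html">
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
    # Options and FileInfo overrides let per-directory .htaccess files
    # change Options and add handlers, widening the set of executable paths.
    AllowOverride Options FileInfo
    Require all granted
</Directory>
```

In Variant A the URL www.yourdomain.com/cgi-bin/thescript.pl still works even though /home/cgi-bin is not inside /home/html, because the alias, not the filesystem layout, decides what the browser can reach.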