What files should/should not be stored in the cgi-bin folder/directory on a web server?
Obviously, executable scripts/files that make up a web application, called from a web browser can be stored there.
But is there a common industry opinion about what else can be stored there?
Is there a very strong reason why nothing else apart than the scripts/executables is allowed there?
My preference is to store all files belonging to an application in the cgi-bin directory/folder, as a subfolder off it - for each application.
For example directory cgi-bin/myapplication would contain:
the cgi scripts/executables
datafiles
configuration files
This simplifies installation and also simplifies the steps to run different versions of a application in parallel, e.g. for trialling a new version.
Concerns about security access to non-script files can be addressed by using the correct user permissions and also Apache .htaccess to control access to the directory and files.
It would seem that popular free applications are in favour of this everything-under-one-directory approach: The versions of bugzilla, the free defect and feature tracking tool, e.g. 3.4.4 are offered in this structure, while earlier versions, e.g. 2.x installed bugzilla components to at least three folders.
Drupal, the powerful and popular free content management system also takes this approach of everything-under-one-directory, albeit doesn't use the cgi-bin folder but the approach is the same.
What are your thoughts?
There is nothing special about the cgi-bin folder. It is like any publicly-accessible web folder that has the "allow-script" flag set (or the equivalent for your web server) - something that has become almost meaningless in the world of PHP/JSP and the likes.
You should only store files that you wish to be public in any folder under your webroot. You probably don't want your data and configuration to be downloadable by any user on the internet, so don't keep them in /cgi-bin
Certain servers may try and execute any file in /cgi-bin if requested. This could cause problems, especially if text or data files are executed as shell script.
Applications like Drupal are intended to be easy for anyone to install, regardless of what permissions they may have on their web-host. This is the main reason it keeps everything together. If you have the ability to put files where you want, it is always a good practise to keep non-public files outside of the webroot. If you must keep them under the webroot, then ensure that you use your server's configuration to deny public access to the non-public files.
Related
I'll try to keep this question short, but it is in 2 parts, please:
Where should config files for nodejs/npm CLI tools be saved?
What should they be called?
Let's say I write a node.js CLI tool that, for example, grabs today's weather and displays it in terminal. I call it weather-getter. Note, the main goal is not to be called programmatically, but typed into terminal like BASH. It is intended to be run by typing its simple name after installing globally, or via a directory in the user's local /bin. (Sudo is not required for its install.)
This project would be installed normally via npm. It can receive a zipcode via an argument like:
gavin#localhost:~$ weather-getter -z "12345"
OK the program works fine like this. My next step would be to allow the user to save a config file somewhere, and pull from that config file for defaults. Similar to a .vimrc file. This config might look like this:
{
"zipcode": "12345",
"language": "en",
"unit": "fahrenheit"
}
I suppose it should begin with a dot. I also suppose it should be located in the npm module install, and not in ~/. Or should I consider using ~/ or /etc/ or ~/.config or ~/.local like many other programs? Should node programs try to use a common directory, such as ~/.config/node/ or ~/.config/npm/? And if the file is in there, should it begin without the dot?
Note: My question is not about reading/writing a file with node.js, just recommendations on the config location and naming convention. Thank you!
Since this is a generic CLI application (which only so happens to be implemented in Node.js) installed into the system path, you should follow the best practices or rules established for the target operating system.
Unix/Linux/OS X, similar
In order of priority, these would be (but are not limited to):
~ (User's home folder) - many programs store user-level config in their home directory, usually in a dot-prefixed file, followed by the application's name (or similar) - i.e. ~/.weather-getter
/usr/local/etc, /etc - system-level configuration files. These should generally apply to all users in the system and thus should take less precedence than settings in home folder. The difference between these two etc paths is usually that the former is used for user-installed programs, whereas the latter is for system-level programs (this is especially true for Mac users using Homebrew). This distinction is, however, not always respected and therefore both locations should be checked for config files (preferrably with the /etc directory having lesser priority).
Your application's root - these should be the default settings for your application, a fallback when no user or system config has been found.
Other locations may be considered if needed.
Windows
This is usually somewhere within %APPDATA% directory if your app allows GUI or at least CLI configuration management, or the Windows registry (using winreg, for example). I have personally little experience with Windows development/CLI so I welcome any further comments or answers on this topic. I believe using the user's homefolder would also be acceptable as long as the file can be marked as hidden (so it does not clutter the view).
Some general considerations
Many CLI applications install their default configurations into one of the mentioned locations so the user has a good starting point when configuring your app
The way your configuration options are treated when multiple configuration files are present (are they merged in some order? Is only one used? Which one takes precedence?) is completely up to you, but you should make it clear in your documentation, perhaps even mention it in the configuration files themselves
If your application requires multiple configuration files it is preferred that they are grouped in their own folder
Update about dotfiles
The reason why some files or folders are prefixed with a dot is to hide them from users' normal view (i.e. when browsing their home directory via a GUI). It is therefore common practice to use dot-prefixed file/folder names when storing configuration files in directories where users normally operate, but not do so when storing config files in system-level folders.
The ospath package has a function data() which returns a sensible location for such files for each of the major platforms.
Security question: Is it a good practice to name folders on the server by names that are difficult to guess (8+ symbols, not a simple "admin" or "services")? I'm asking about folders that contain not just icons or .js files or .css files, but .php files and are protected by .htaccess file (deny from all).
No. Security through obscurity isn't.
Plus it's really irritating for anybody using the machine via a shell, ftp, etc.
What would it protect against? Regardless of names, folder access should be handled by the machine's and/or network's normal security mechanisms. If they get past that, it doesn't matter what your artifacts are named–Ur PwNeD.
Good practice would be to keep your PHP files outside your web server's document root. E.g., if your doc root is /var/www, then you might have there just a single index.php file, and all that file does is launch your app:
set_include_path('/something/besides/var/www');
require_once 'foo.php';
require_once 'bar.php';
do_something();
This way, your web server doesn't even know that the PHP files exist, and can't serve them even if you have an accidentally misconfigured .htaccess.
This is security through obscurity. While there is no harm in doing it , It doesn't give anything in terms of security.
My project resides in a shared Linux hosting server. The hosting provider, of course, has already set up the necessary directory and file ownerships relative to other server users. My concern for now is how to setup permissions within my domain so my users can have read access to the files and folders they should have and still let my scripts retain read/write access to it.
Question: What would be the recommended permissions on:
Public files and folders (read only?)
Files where uploaded files from forms are stored
Files and folders where GD and cache files are being written into
Folders where my server-side scripts are stored (I used mainly PHP)
My WWW root folder (where index.php resides)
This is a perfect example of where you need the Principle of Least Privilege. Allow ReadOnly to the webserver's user for RO content, allow writing only to a directory/files that absolutely need to be written. Explicitly deny access to things you don't want people to read (config files, htaccess, anything with paths/ip addresses/passwords), don't allow any extra processing if you're not using it (CGI executables, Server Side Includes).
The best way to do it is to start with deny everything and slowly open thing up as you go. First try serving static content, see what is the minimal amount of Apache directives/modules and filesystem ownerships and permissions to get it working. Then try some RO PHP scripts. Then try some RW PHP scripts. Then DB connectivity, and so on, you get the idea... It's a very tedious processes, and you want to plan ahead the sort of things you want to test; I tend to write long scripts with wget commands trying to do both good and bad things to the server. Make one change, restart, rerun the script, see what changes from the last time. Observe-modify-analyze, until you cant stand looking at it anymore ;)
There are lots of similar questions to this, but they all seem to involve either configuring permissions or installing a plugin.
I'm looking for a solution that is "dumb" - i.e. to allow the code to be deployed from source control and automatically have access to certain paths blocked, without anyone needing to configure the server.
I only need directory & file blocking, none of the other abilities that .htaccess has.
Just to be clear, we are using ColdFusion, not .NET, and whilst CF has assorted ways to handle its own scripts, it doesn't do anything with non-CFML scripts. (It is possible to do, for example config.xml.cfm, but that is a messy solution that requires updating code, etc.)
(Of course, ideally these directories/files shouldn't even be in the webroot, and if I could switch to Apache or IIS7 I could simply use .htaccess, but those aren't options at the moment.)
My current solution is going to be a readme.deploy.txt that contains instructions on how to manually set the permissions on the relevant files & directories in IIS Manager, but obviously I'd much prefer to avoid human intervention for it - any suggestions?
You could create a script that would do this when you cycle through your deployment, like say a scheduled task where you use a PowerShell script or batch script that sets up the enviroment.
With IIS6 this is going to require mucking with the Metabase, which could solve your problem, but it will require scripts to have access to the system metabase and execute system commands or you going to have to learn how to use the ii6 metabase command files
see this This Article
If they have root access maybe it would be wise to just create a installation utility that can tweak the settings for them.
Good luck,
mike
Well, for ASP.net specifically you have the .config files which allow you to control some aspect of those web folders.
However, I'm not aware of anything like .htaccess for IIS.
.NET has Routing which allows you to 'rewrite' paths. The MVC framework has it built in... I'm not sure on how to configure/use it for 'normal' ASP.NET applications.
Update: didn't know you weren't on .NET.
Maybe you're just looking for File/Folder permission settings? Don't know anything about setting those by using a config file...
my shared hosting only allows me to create 2 virtual directories. and i want to host multiple webapps... say an asp.net mvc blog, a forum, a personal site etc...
isnt there any other way of doing this? cant i simply just ftp the blog folder to one of my virtual directories and then access it online??
For ASP.NET web applications, typically each would live in its own virtual directory which serves as the application starting point.
Technically you could "piggy-back" two applications on the same application starting point in one of two ways:
Put all the files for each application in the same directory (and appropriate sub directories)
If you don't have ANY files that overlap, you can get away with this. Of course, it's likely that you won't with such files as the default or index pages, etc. And this would be pretty messy anyway.
Put all the non-binary files for each app in an appropriate subdirectory and the binaries in the main virtual's \bin directory.
You'll be able to do this only if each application's binary files don't overlap by name AND there are no namespace ambiguity conflicts between assemblies (two different assemblies by file name, but with the same namespace). The latter is much less likely to happen if you are trying to piggy-back two different applications.
The big problem I see with the latter solution is that any parts of the application that make use of application root references will break. When some code tries to resolve a reference to some resource (like an image) based on an application root reference such as
~/images/logo.gif
the ~ will get resolved to the virtual directory, but will not include the additional (non-virtual and non-app starting point) subdirectory in which the application lives. So instead of this:
/vd1/app1/images/logo.gif
you'll end up with this:
/vd1/images/logo.gif
Obviously, that won't work.
So... you won't break either app if you can put them both in the same virtual directory, however, you'll have to check for file conflicts and such. Possible namespace conflicts will be unavoidable without separate application starting points.
Can't you just put each app in a separate subdirectory in either of the virtual directories. e.g. if you had http://server.com/vd1, you could partition it like http://server.com/vd1/app1, http://server.com/vd1/app2, etc.