logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Disallow override globally forbidden perl, python scripts

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
postcd



Joined: 24 Sep 2017
Posts: 2

PostPosted: Sun 24 Sep '17 23:33    Post subject: Disallow override globally forbidden perl, python scripts Reply with quote

Hello,

my aim is that Apache will not care about which handler is set in particular .htaccess files. for .cgi .pl .py

It will use global configuration which should be no perl, python, cgi scripts allowed to be run.

Please how can i do that?

# httpd -V
Server version: Apache/2.2.29 (Unix)
Server built: Jul 25 2015 22:21:53
Cpanel::Easy::Apache v3.30.3 rev9999
Server's Module Magic Number: 20051115:36
Server loaded: APR 1.5.1, APR-Util 1.5.4
Compiled using: APR 1.5.1, APR-Util 1.5.4
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/usr/local/apache"
-D SUEXEC_BIN="/usr/local/apache/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

# php -v
PHP 5.3.29 (cli) (built: Jul 25 2015 22:26:40)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2014 Zend Technologies
with XCache v3.2.0, Copyright (c) 2005-2014, by mOo
with the ionCube PHP Loader (enabled) + Intrusion Protection from ioncube24.com (unconfigured) v6.0.9, Copyright (c) 2002-2016, by ionCube Ltd.
with Zend Guard Loader v3.3, Copyright (c) 1998-2010, by Zend Technologies
with XCache Cacher v3.2.0, Copyright (c) 2005-2014, by mOo
with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH

# cat /etc/red*
CentOS release 6.9 (Final)

This is what is in the global Apache include file:
Quote:
<Directory "/">
Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
Options IncludesNOEXEC Indexes -FollowSymLinks +SymLinksIfOwnerMatch -ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>


I am also having this enabled: https://documentation.cpanel.net/display/ALD/PHP+open_basedir+Tweak

Thank You
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Tue 31 Oct '17 19:07    Post subject: Reply with quote

Thhe "MINUS"ExecCGI disables cgi in any form.

What do you mean by apache will not care about?

it is unclear to me if you want to run cgi programs or you don't. What are you trying to do?
Back to top
postcd



Joined: 24 Sep 2017
Posts: 2

PostPosted: Thu 09 Nov '17 15:27    Post subject: Reply with quote

James Blond: i do not want to run it
i do not want apache to to allow overriding global configuration by directives set by particular users inside their .htaccess files. I am not talking just about cgi but also about perl and python scripts.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Fri 10 Nov '17 20:09    Post subject: Reply with quote

Then do not use AllowOverride All

That way users cannot add this to their .htaccess files.
Options +ExecCGI

Instead, choose what you do want to allow, you can even allow specific options yet not ExecCGI.

See http://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1