----------------------------------------------------------------
- CGIWrap List - Home Page: http://www.unixtools.org/cgiwrap/
-----------------------------------------------------------------
Hi,

You can use the web server's authentication to restrict access to the
cgiwrap binary, not to individual scripts. However, there is a workaround,
which is described under "Password Protected Installation" on the cgiwrap
web site:

http://www.unixtools.org/cgiwrap/install.html

Make a copy of the cgiwrap binary named, e.g., secure-cgiwrap, and set up
your web server's security to "require valid-user" for this copy.
Then call scripts that need security with this version of cgiwrap, e.g.:

http://www.example.com/cgi-bin/secure-cgiwrap/fogel/cvsweb.cgi

Then, inside the script, test the REMOTE_USER environment variable to make
sure it is set to someone you trust. You have to perform this test
inside the script, or someone could bypass your security by running the
script through the unrestricted copy of cgiwrap.

If you are using Apache, then an alternative approach is to switch from
cgiwrap to Apache's suexec.

There are good and bad things about both cgiwrap and suexec. I briefly
considered combining them to get the best features of both, but since I
found out how to do web server security with cgiwrap, I haven't bothered.

Earl
--
On Thu, 29 Jun 2000, Gary Lam wrote:
>Dear CGIWrap fellows,
>
> I'm running the Apache 1.3.9 and CGIWrap 3.6.4.
>
> I found that when a user executes their own CGI program, the .htaccess and
>.htpasswd in the user's homepage directory will not be valid anymore.
>
> How can I allow users to specify their own access control when
>running a CGI script?
>
> Please help and million thanks!
>
>From Gary
>Hong Kong
>
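
The REMOTE_USER test described in the reply above, sketched as a Python CGI script. This is an added example, not code from the original message or from the cgiwrap distribution. It fails closed when the web server did not authenticate the request, and the TRUSTED_USERS names and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Fail-closed REMOTE_USER gate for a CGI script run through cgiwrap."""
import os
import sys

# Assumption: accounts allowed to use this script (constructed values).
TRUSTED_USERS = frozenset({"fogel", "alice"})


def authorize(environ, trusted=TRUSTED_USERS):
    """Return (allowed, detail) for the given CGI environment.

    The web server sets REMOTE_USER only after it has authenticated the
    request, so a request that skipped authentication arrives with the
    variable missing or empty and must be refused.
    """
    user = environ.get("REMOTE_USER", "")
    if not user:
        return False, "no authenticated user"
    # Exact, case-sensitive match; no prefix or substring comparison.
    if user not in trusted:
        return False, "user not trusted"
    return True, user


def gate(environ, out=sys.stdout):
    """Write a 403 response and return False unless the caller is trusted."""
    allowed, detail = authorize(environ)
    if not allowed:
        out.write("Status: 403 Forbidden\r\n")
        out.write("Content-Type: text/plain\r\n\r\n")
        out.write("Access denied.\n")
        # The reason goes to stderr, never to the client.
        print("access denied: " + detail, file=sys.stderr)
    return allowed


def main():
    # Run the check before the script does any other work.
    if gate(os.environ):
        sys.stdout.write("Content-Type: text/plain\r\n\r\n")
        sys.stdout.write("Hello, %s\n" % os.environ["REMOTE_USER"])


if __name__ == "__main__":
    main()
```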