Michael Galea via Talk wrote on 2025-08-26 11:36:
The lighttpd developers added a configuration parameter (ProtectHome=read-only) that completely disables cgi-bin access.
For anyone interested, from `man systemd.exec` (hard to find that, I tried `man systemd.unit` then `man systemd.service`, then had to search for it. Bad discoverability.):

ProtectHome= Takes a boolean argument or the special values "read-only" or "tmpfs". If true, the directories /home/, /root, and /run/user are made inaccessible and empty for processes invoked by this unit. If set to "read-only", the three directories are made read-only instead. If set to "tmpfs", temporary file systems are mounted on the three directories in read-only mode.
My problem is that the file is not treated by lighttpd as a configuration file, the next install of lighttpd (I use Debian) rewrites the file. This behavior seems puzzling to me as lighttpd went to a lot of trouble to support cgi-bin and the Debian package is disabling it every update.
Sounds like a well-intentioned mis-config by Debian (not lighttpd), as that man page says:

It is recommended to enable this setting for all long-running services (in particular network-facing ones), to ensure they cannot get access to private user data, unless the services actually require access to the user's private data.
Does anyone know of a work-around?

From `man systemctl` and searching " edit", one can create "drop-in" files that contain snippets of directives for systemd on a per-service level.
So, `systemctl edit lighttpd` should open $your_editor with the current settings commented out but there for guidance. i.e.:

    systemctl edit postgresql@14-main.service

    ### Editing /etc/systemd/system/postgresql@14-main.service.d/override.conf
    ### Anything between here and the comment below will become the contents of the drop-in file
    [Unit]
    ...
    ## here are the contents of any user changes already made
    ...
    [Service]
    ...
    ### Edits below this comment will be discarded
    ...
    ## here are the contents of the .service file, commented out

Change ProtectHome= to No in the advised location. Saving the edit will create a file like (see first line of text file in editor for exact location):

    ### Editing /etc/systemd/system/postgresql@14-main.service.d/override.conf

Alternately, `systemctl set-property lighttpd.service ProtectHome=No` should create some file like:

    ### Editing /etc/systemd/system/postgresql@14-main.service.d/ProtectHome.conf

Hopefully this will help resolve the problem! Keep me / us posted if it does or does not work, and any tweaks needed.

Thanks
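
An added example, not part of the thread: a small audit script that reports which file decides `ProtectHome=` for a unit and whether a drop-in has switched the protection off, which is what the override above does and why it survives a package upgrade. The function names and the sample tree under a temp directory are constructed for illustration, and the merge logic is a simplified model of systemd's (packaged unit first, then `*.conf` drop-ins in lexical order, last assignment wins).

```shell
#!/bin/sh
# Added example (not from the thread). Simplified model of systemd's merge:
# the packaged unit is read first, then *.conf drop-ins in lexical order, and
# the last assignment inside [Service] wins. /run and /usr/lib drop-in
# directories and list-type directives are not modelled.

# Print the effective value of directive $3 on line 1 and the file that set
# it on line 2. $1 = packaged unit file, $2 = drop-in directory.
effective_directive() (
    key=$3; value=""; origin="(unset)"; section=""
    for f in "$1" "$2"/*.conf; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                "["*"]") section=$line ;;
                "$key="*)
                    if [ "$section" = "[Service]" ]; then
                        value=${line#"$key="}; origin=$f
                    fi ;;
            esac
        done < "$f"
    done
    printf '%s\n%s\n' "$value" "$origin"
)

# Succeed when a drop-in (not the packaged unit) turns ProtectHome off.
relaxed_by_dropin() (
    { IFS= read -r value; IFS= read -r origin; } <<EOF
$(effective_directive "$1" "$2" ProtectHome)
EOF
    value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    [ "$origin" != "$1" ] || exit 1
    case $value in
        no|false|off|0) exit 0 ;;
        *) exit 1 ;;
    esac
)

# Constructed sample tree standing in for the packaged unit and
# /etc/systemd/system/lighttpd.service.d/ (all paths under a temp dir).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/lib" "$root/etc/lighttpd.service.d"
    printf '[Service]\nProtectHome=read-only\n' > "$root/lib/lighttpd.service"
    printf '[Service]\nProtectHome=No\n' > "$root/etc/lighttpd.service.d/override.conf"
    printf '%s\n' "$root"
}

root=$(make_sample)
effective_directive "$root/lib/lighttpd.service" "$root/etc/lighttpd.service.d" ProtectHome
rm -rf "$root"
```

On a live system, `systemctl show -p ProtectHome lighttpd.service` reports the merged value and `systemctl cat lighttpd.service` lists the unit file together with its drop-ins.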