The original Linksys firmware contained a modified version of thttpd. The Linksys version maps all Samba shares into subfolders with HTTP authentication identical to Samba authentication. There is no evidence of a CGI program that does this, or even of the capability to define a program to do it, so I am assuming it is hardcoded into thttpd. Attempting to update thttpd to a newer version breaks shared folder access.

The package is a bit different too:

  1. It adds a startup script.
  2. It doesn't have a configuration file by default.
  3. It doesn't create an example site by default.
  4. The default location is "/srv/www", which doesn't exist.
  5. CGI isn't enabled unless you configure it.

The HTML file location is set by the init.d script as follows:

start-stop-daemon --start --quiet --exec $thttpd -- \
 -d /srv/www

The thttpd pages at acme.com suggest a more elaborate way of starting thttpd. First, they give a wrapper script:

#!/bin/sh
while true ; do 
    /usr/sbin/thttpd -D -C /usr/local/www/thttpd_config 
    sleep 10
done

The script makes thttpd read its configuration from a file (-C). It also forces thttpd to run in the foreground (-D), so the script waits until thttpd terminates, then sleeps for 10 seconds and starts it again.

Config file from acme.com:

dir=/usr/local/www/data
chroot
cgipat=**.cgi
logfile=/usr/local/www/logs/thttpd_log
pidfile=/var/run/thttpd.pid

Note that you probably shouldn't use all of these options. Under the Debian model, "start-stop-daemon" can create the pidfile (process ID file). Running Perl programs under chroot is also extremely difficult and probably not worth the extra effort unless you're serving to the internet.

If your Perl scripts often end in .pl, the cgipat could be **.cgi|**.pl. Alternatively, you might create a cgi-bin directory and use /cgi-bin/* to have every executable in that directory treated as CGI.

File permissions:

thttpd is picky about permissions. In particular, it will only return a file if it is set "world readable". This avoids the silly situation where an HTML file can be viewed from the internet but not by a logged-in user. It also prevents private files from being made visible accidentally, and it allows some logfiles and config files to be located in the www directory without compromising security.

Data files:    644
Indexable directories:    755
Non-indexable directories:     711
CGI programs and scripts:    755 or 711
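
An audit of a document root against the table above, as an added example (not part of the original page or of thttpd). The function name, the finding codes and the sample tree are made up for illustration, and the CGI directory is assumed to be cgi-bin under the root. Findings are items to review: a private log directory or admin script is reported too, so you can confirm it is intentional.

```sh
#!/bin/sh
# audit_docroot ROOT [CGIDIR] -- CGIDIR is relative to ROOT (default: cgi-bin).
# Prints one "CODE path" line per finding.

tag() { sed "s|^|$1 |"; }   # prefix each path printed by find with a code

audit_docroot() {
    root=${1%/}
    cgi=$root/${2:-cgi-bin}
    # Static files that are not world-readable: thttpd will not return them.
    find "$root" -path "$cgi" -prune -o -type f ! -perm -004 -print | tag NOT-SERVED
    # Static files that are served but carry extra write/execute bits.
    find "$root" -path "$cgi" -prune -o -type f -perm -004 ! -perm 644 -print | tag NOT-644
    # Directories should be 755 (indexable) or 711 (non-indexable).
    find "$root" -type d ! -perm 755 ! -perm 711 -print | tag DIR-MODE
    # Nothing under the document root should be world-writable.
    find "$root" ! -type l -perm -002 -print | tag WORLD-WRITABLE
    if [ -d "$cgi" ]; then
        # CGI programs should be 755 or 711. Other modes are expected only
        # for scripts that are deliberately kept away from web clients.
        find "$cgi" -type f ! -perm 755 ! -perm 711 -print | tag CGI-NOT-PUBLIC
    fi
}

# Constructed sample tree so the audit can be tried without a real site.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/cgi-bin" "$d/logs"
    : > "$d/index.html";         chmod 644 "$d/index.html"
    : > "$d/notes.html";         chmod 640 "$d/notes.html"        # not served
    : > "$d/upload.html";        chmod 666 "$d/upload.html"       # world-writable
    : > "$d/cgi-bin/search.cgi"; chmod 755 "$d/cgi-bin/search.cgi"
    : > "$d/cgi-bin/admin.cgi";  chmod 750 "$d/cgi-bin/admin.cgi" # private on purpose
    chmod 755 "$d" "$d/cgi-bin"
    chmod 700 "$d/logs"                                           # private on purpose
    echo "$d"
}

sample=$(make_sample) && audit_docroot "$sample"
rm -rf "$sample"
```

On a real site, call it with the document root as the only argument, for example audit_docroot /var/www.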

An actual configuration

I'm going to set the directory to /var/www to match my previous cherokee configuration. The cgi-bin folder will be moved from /usr/lib to /var/www. Some permissions will need fixing. For security's sake, some permissions should be "broken", e.g. the admin scripts should have their world permissions cleared.

The two start lines in /etc/init.d/thttpd have been patched to set the directory, the CGI pattern and the user (www-data). The pattern is quoted so that the shell passes it to thttpd unexpanded.

start-stop-daemon --start --quiet --exec $thttpd -- \
 -d /var/www -c '/cgi-bin/*' -u www-data