Choonhan,
  The way the akenti Web server is currently implemented any action
allowed on a page will let you read it. We do make a check (which I
think is incomplete) that if the page is a script, you must have
"execute" permission. It would be easy to check for "read" if you were
sure that that was the correct behavior.

I think the problem is that at the time the mod_auth_cert is called we
don't know if the file is going to be read or executed. I think if I do
the check for read, it would then not be possible to have execute only
scripts. If we could be sure that a file was a script then we could
enforce read for non-scripts and execute for scripts.

You can experiment with mod_auth_cert.cpp at about line 1110. I think
the line
 if (srch.compareString(r->handler,"cgi-script") ==
                                                   Search::OK ) 
doesn't actually work, because the web server has not set that value
before calling the access stuff. I never had the time to actually debug
this, so we just left the code in a permissive mode, so that any access
rights would return OK to the main web loop.