Overview
CGIwrap allows users to run their own CGI programs from their personal accounts. It has been incorporated into our web server to address the many security concerns of having a central location for all CGI programs. Normally all CGI programs must be located within the web server’s main cgi-bin directory and all run with the web server’s user ID. But with hundreds of users on the College of Engineering’s web server, this is very impractical and would open many security holes.
Instead, with CGIwrap, all of a user’s applications should be located within the user’s “U:\public_html\cgi-bin” directory and run under their own Engineering user ID. This means that any files the CGI program creates are also owned by the same user. This eliminates most of the security concerns with a centrally located cgi-bin directory. The CGIwrap method also automatically performs several security checks on the CGI application being run. The CGI application will not run if any of the security checks fail.
Follow these Instructions
- SSH into a Unix computer within the Engineering domain. You will be in your home directory once you log in.
- Enter your web folder by typing
cd public_html
If you do not have a “public_html” directory, create one.
- Type
mkdir cgi-bin
to create a “cgi-bin” directory within your “public_html” directory.
- Type
chmod 755 cgi-bin
to change the folder’s permissions so that it will be accessible via the web.
- Move your CGI application to the “cgi-bin” directory.
- Enter your “cgi-bin” directory by typing
cd cgi-bin
- Type
chmod 755 scriptname
where “scriptname” is the actual name of your CGI application. This will change the permissions so that the script will run via the web.
- Test your script from the command line if possible. Simply type
./scriptname
to see if there are any errors.
Set up your form
You should now be able to use your CGI application. To access it, you will need to use the following URL in your form’s “action” attribute:
http://www.engr.colostate.edu/usr-bin/cgiwrap/username/scriptname
Of course you would replace “username” with your Engineering user name and “scriptname” with the actual name of your CGI script.
Debugging
If you need to debug your CGI application, replace “cgiwrap” in the URL above with “cgiwrapd” (that is, add a “d” to the end). This will cause the internal environment variables associated with the script to be displayed in the browser’s window.
Some Restrictions
When you run a CGI script using CGIwrap, you are running the script with yourself as the process owner. This means that the script will have the same permissions that you do on the web server. This may lead to problems with some CGI applications that require access to certain restricted web server locations or files. For security reasons, we cannot allow this.
Security
It is important to remember that since a CGI program is executable, it is basically the equivalent of letting the world run a program on your system. This isn’t the safest thing to do. As a result, there are some precautions that should be observed when you implement a CGI program on your site:
- Never trust anything! Never assume that you can trust the input from your form. A web form can easily be used to crack into a system. A securely written program will validate the input for these problems.
- Be careful of all files uploaded to your server via a web form. They may contain a virus or an executable “trojan horse” allowing a person to enter the system. Permissions on all uploaded files should be restrictive.
- Make sure your program invokes other Unix programs securely. A person can exploit such a program call to get access to the command line.
- Sending arbitrary input via a web form through mail can be dangerous. A knowledgeable person can include an executable program via a web mail form.
- The program should be able to recover from an error gracefully so that environment variables are not displayed to the user within an error message.
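As an added example (not code from this page or from ETS), the following small Python CGI script applies the precautions above: it allow-lists the form input, calls the Unix program with an argument list so no shell parses user data, and reports failures without exposing environment variables. The “username” form field, the allow-list pattern and the use of echo as a stand-in for the real Unix tool are assumptions.

```python
#!/usr/bin/env python3
# Added example, not the ETS page's own code: a CGI script for
# ~/public_html/cgi-bin that follows the precautions above. Assumptions:
# the form sends a "username" field, the allow-list pattern below is site
# policy, and "echo" stands in for whatever Unix tool is really called.
import html
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Allow-list: a plain Unix login name, nothing a shell could interpret.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def validate_username(value):
    """Return the value if it is on the allow-list, otherwise None."""
    if value is None or not USERNAME_RE.match(value):
        return None
    return value


def run_tool(argv):
    """Run a Unix program from an argv list; no shell ever sees the input."""
    # With shell=False, "alice; id" is one literal argument, not two commands.
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return completed.returncode, completed.stdout


def respond(username):
    """Handle one request and return (status, body) for the browser."""
    name = validate_username(username)
    if name is None:
        return 400, "Invalid user name."
    try:
        rc, out = run_tool(["echo", name])
    except (OSError, subprocess.SubprocessError) as exc:
        # Recover gracefully: details go to the server log (stderr), never
        # to the browser, so no environment variables appear in the error.
        print(f"tool failed: {exc}", file=sys.stderr)
        return 500, "Lookup failed; please try again later."
    return 200, html.escape(out)


if __name__ == "__main__":
    # CGIwrap hands the query string to the script in the environment.
    form = parse_qs(os.environ.get("QUERY_STRING", ""))
    status, body = respond(form.get("username", [None])[0])
    print(f"Status: {status}\r\nContent-Type: text/plain\r\n")
    print(body)
```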
If you have any questions or concerns beyond what this page was able to answer, please contact ETS.