
CGIwrap and Security

CGIwrap (http://wwwcgi.umr.edu/cgiwrap/) is a UNIX-based utility written by Nathan Neulinger that lets general users run CGI scripts without needing access to the server's cgi-bin directory. Normally, all scripts must be located in the server's main cgi-bin directory and all run with the same UID (user ID) as the Web server. CGIwrap performs various security checks on the scripts before changing ID to match the owner of the script. All scripts are executed with the same user ID as the user who owns them. CGIwrap works with NCSA, Apache, CERN, Netsite, and probably any other UNIX Web server.

Any files created by a CGI program are normally owned by the Web server. This can cause a problem if you need to edit or remove files created by CGI programs. You might have to ask the system administrator for help because you lack the proper authorization. All CGI programs have the same system permissions as the Web server. If you run your Web server under the root user ID (being either very brave or very foolish), a CGI program could be tricked into erasing the entire hard drive. CGIwrap provides a way around these problems.

With CGIwrap, scripts are located in users' public_html/cgi-bin directory and run under their user ID. This means that any files the CGI program creates are owned by the same user. Damage caused by any security bugs you may have introduced via the CGI program will be limited to your own set of directories.

In addition to this security advantage, CGIwrap is also an excellent debugging tool. When CGIwrap is installed, it is copied to cgiwrapd, which can be used to view output of failing CGIs.

You can install CGIwrap by following these steps:

1. Obtain the source from the http://www.umr.edu/cgiwrap/download.html Web page.
2. Ensure that you have root access.
3. Unpack and run the Configure script.
4. Type make.
5. With a user ID of root, copy the cgiwrap executable to your server's cgi-bin directory.
6. Make sure that cgiwrap is owned by root and executable by all users by typing chown root cgiwrap; chmod 4755 cgiwrap. The cgiwrap executable must also be set UID, which the leading 4 in mode 4755 does.
7. In order to gain the debugging advantages of CGIwrap, create symbolic links to cgiwrap called cgiwrapd, nph-cgiwrap, and nph-cgiwrapd. The first symbolic link can be created by typing ln -s cgiwrap cgiwrapd. The others are created using similar commands.

Tip: You can find additional information at the http://www.umr.edu/cgiwrap/install.html web site.
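A post-install check for steps 5 to 7, as an added example that is not part of the original page or of the CGIwrap distribution. The function name check_cgiwrap and its optional owner argument are assumptions made for this example; it expects the relative symbolic links that ln -s cgiwrap cgiwrapd creates.

```shell
#!/bin/sh
# Added example: audit a CGIwrap install laid out as in steps 5-7.
# Usage: check_cgiwrap CGI_BIN_DIR [EXPECTED_OWNER]
# EXPECTED_OWNER defaults to root; the argument is a hypothetical extra so
# the check can be tried on a scratch directory without root access.
# Example call: check_cgiwrap /path/to/server/cgi-bin
check_cgiwrap() {
    dir=$1
    owner=${2:-root}
    bin=$dir/cgiwrap
    rc=0

    # The wrapper itself must be a regular file, not a link to something else.
    if [ -L "$bin" ] || [ ! -f "$bin" ]; then
        echo "FAIL: $bin is missing or not a regular file"
        return 1
    fi

    # Step 6: expected owner and mode exactly 4755, i.e. setuid and
    # writable by the owner only. find prints the path only if both match.
    if [ -z "$(find "$bin" -prune -user "$owner" -perm 4755)" ]; then
        echo "FAIL: $bin is not owned by $owner with mode 4755"
        rc=1
    fi

    # Step 7: each alternate name must be a symbolic link to cgiwrap.
    for name in cgiwrapd nph-cgiwrap nph-cgiwrapd; do
        link=$dir/$name
        if [ ! -L "$link" ]; then
            echo "FAIL: $link is not a symbolic link"
            rc=1
        elif [ "$(readlink "$link")" != cgiwrap ]; then
            echo "FAIL: $link points to $(readlink "$link"), not cgiwrap"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: $dir matches the install steps"
    return "$rc"
}
```

A mode such as 4775 or 4777 fails the check because a setuid-root binary that anyone other than root can overwrite hands that user root's privileges.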


dave@cs.cf.ac.uk