CGI scripts pose a major security risk. Normally they run with the same permissions as the webserver, so they can do anything it can do, for example delete local files.
To reduce this risk, we limit cgi access in several ways:
- We pass cgi requests through cgiwrap, a program which runs security checks before forwarding the request to the cgi script.
- We restrict access to cgi scripts.
We offer two kinds of cgi facility:
- User managed scripts accessible only within the dept
- Sysadmin managed, world-accessible cgi scripts
User managed scripts
Create a directory “cgi-bin” in your public_html directory and put the programs there. For example, for user 'george' and program 'hello.pl', the file is “\\staffwww.dcs.shef.ac.uk\mypublic_html\cgi-bin\hello.pl”. A web browser will access this as “http://staffwww.dcs.shef.ac.uk/people/G.Wilson/cgi-bin/hello.cgi”.
Students should use e.g. http://stuwww.dcs.shef.ac.uk/people/A.Student1/cgi-bin/hello.pl
Directory permissions
The webserver runs your script so it needs:
- read permission on the directories leading to it
- read and execute permission on the script itself.
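The following check is an added example, not part of the original page or of cgiwrap. It walks from a script up through the directories leading to it and reports any path the webserver cannot use, plus any path that is world-writable, since a world-writable script or directory lets any local user change what the server runs. It assumes the webserver reaches the files through the "other" permission class, and it also requires the search (x) bit on directories because Unix path lookup needs it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original page).
# Assumption: the web server is neither the owner nor in the group of these
# files, so the "other" permission bits decide what it may do.

# other_bits PATH: print the three "other" permission characters, e.g. "r-x".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# check_one PATH: report a path the server cannot use, or that anyone can modify.
# Sets problems=1 when something is reported.
check_one() {
    bits=$(other_bits "$1")
    case $bits in
        r?[xt]) ;;                      # readable and executable/searchable
        *) echo "NOACCESS $1 ($bits)"; problems=1 ;;
    esac
    case $bits in
        ?w?) echo "WORLD-WRITABLE $1 ($bits)"; problems=1 ;;
    esac
}

# check_cgi_perms SCRIPT TOP
# Checks SCRIPT, then every directory from SCRIPT's directory up to TOP
# (inclusive). Prints one line per finding; returns 0 if clean, 1 otherwise.
check_cgi_perms() {
    script=$1; top=$2; problems=0
    if [ ! -f "$script" ]; then
        echo "MISSING $script"
        return 1
    fi
    check_one "$script"
    dir=$(dirname -- "$script")
    while :; do
        check_one "$dir"
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done
    return "$problems"
}

# Usage: check_cgi_perms "$HOME/public_html/cgi-bin/hello.pl" "$HOME/public_html"
```

Because it reads the mode bits from ls rather than testing access as the current user, the result is the same whoever runs it.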
Sysadmin managed, world-accessible, cgi scripts
These are for DCS staff and are intended for DCS administrative functions, e.g. form processing. They live in a directory managed by sysadmin and run as the user httpd. Browsers access them as: