BareMetal.com

Baremetal
My Account
Domain Registration Management Services
Web Services
Rates and Specs
Bulk Rates
CGI Library
FAQ
Order Form
Tech Support
Billing Info
Company Info
Charities
Legal Info
Employment
Privacy Statement

BM


Web Services

CGI-Wrap Documentation Comments ;

Return CGI Library
Return CGI-Wrap
Return CGI-Wrap Documentation Contents

CGIWrap - Comments from Administrators

It is inherently impossible to provide _total_ protection, but there is a nifty little utility called cgiwrap that can help. Check out the URLs:

http://www.umr.edu/~cgiwrap/ ftp://ftp.cc.umr.edu/pub/cgi/cgiwrap/

This method has several advantages:

1. It runs the cgi script as your userid, not as some server-defined userid. Assuming you are an ordinary user, this reduces the risk of damaging the system, while increasing the risk of mucking-up your own files. That tradeoff is precisely what many admins on big sites want; it shifts the risk from a badly-written script onto its author, rather than the sysadmin. Also, the fact that it runs as you means that if you do something dumb or nasty with it, the administrators have a better chance of determining who is responsible.

Also, this means that if a cgi script hangs and fails to die, you can kill it yourself; if it runs as some special userid then only the system administrator can kill it should it run amuck.

2. It does some security checking for common holes. For instance, it checks that the owner of the directory where the script is found also owns the script.

3. If you call cgiwrap as cgiwrapd then you'll get special debugging output; I've found this extremely helpful in testing.

Nothing is bulletproof. The simple act of letting users create static html documents is itself something of a risk. For example, on many UNIX-based WWW servers, any user can type the following:

cd ~/public_html ln -s /etc/passwd Read_This_Folks ^^^^^^^^^^^^^^^or whatever ;-)

And you've just let the entire universe see your system's password file! Of course, this is monumentally stupid, and of course many newer systems use shadow passwords, but I'm sure more subtle holes exist even with static html -- to say nothing of cgi scripts.

Also, take a look at the URL:

http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

for some _very_ useful information about cgi security issues.

-------- Matthew.Healy@yale.edu Postdoc (& now, WebMaster) Center for Medical Informatics, Yale School of Medicine He was covered with clanking chains of code. "I am the Ghost of Hacks Past," he said to Scrooge.

http://paella.med.yale.edu/~healy/matt_healy.html



 
Home Page    Domain Registration Services    Web Services    Technical Support
About Baremetal    Privacy Statement    Billing Info    Charities
My Account    Legal Info    Search BareMetal

Copyright 1996-2012, BareMetal.com Inc.
Last updated: Thursday, 28-May-2015 16:15:00 PDT
Last Accessed from: No-one!
Questions and comments to support@baremetal.com