ENCSLab CGI Scripting Guidelines

Notes for CGI Scripts on joker.tamucc.edu

This message is intended to acquaint you with some of the things you need to know in order to run cgi-bin scripts from the www.sci.tamucc.edu web server.

  • Normally we configure the webserver so that CGI scripts run from a "cgi-bin" directory within a user's home directory (not the .html directory). At present each account must be individually enabled for cgi-bin scripting by the server administrators.
  • CGI scripts can be a major source of security leaks in any system. This is why we do not grant cgi-bin permission to everyone--the potential for security breaches is simply too high. The inherent problem with CGI scripts is that you're effectively allowing anyone on the Internet to activate a program on your server, and you don't have any control over what input they choose to send to your program. So, if you're not careful, you can end up writing a program that will allow a malicious user to gain access to the server resources.
  • The computer running the web server is joker.tamucc.edu.
  • The log files that show the results of executing your scripts are in /var/log/error_log and /var/log/httpd/access_log. These files sometimes give clues about why your CGI script isn't working properly.
  • Remember that CGI scripts run as the "nobody" user, not as the user that wrote the program. This has implications for file permissions. Remember also that your PATH and other environment variables are not automatically set for you.
  • A general word about CGI file security: remember that the input from a user should not be trusted; in particular, it's bad to use user-provided field values as the basis for generating filenames or as command-line options.
  • In order to ensure the continued operational stability and security of the system, the CAMSLab administrators reserve the right to examine your cgi-bin files at any time. If a serious security problem exists in your cgi-bin directory, the admins reserve the right to revoke cgi-bin permissions until the problems are resolved. Some things that are frequently checked:
    • Your home directory, cgi-bin directory, and all files within the cgi-bin directory and its subdirectories must have write permission turned *off* for "group" and "other" users.
    • All files in the cgi-bin directory (and its subdirectories) must be owned by the project account.
    • Your CGI scripts must be well-behaved; i.e., they should not leave any temporary files or subdirectories on the system.
    • Temporary files, if needed, should be created in /var/tmp, not "/tmp".
  • If your CGI script has an error in it, then when you attempt to access it via the web you'll get the dreaded "500 Internal Server Error" message. 99% of the time this message means that it's your script that's causing the error, and not the web server itself.