Advanced CGI Topics: Know-how

infoCopter.com	retoh's Online Repository for myself and other Web Geeks
	home \| newsletter \| site map

Free Stuff

: links

: Neue Surf Tips

: know-how

: Zitate

: Spam Strike

: HTML Checker!

: Link Checker

: Cartoons

About IC

: friends

: lust und frust

: guestbook

: what's new

Advanced CGI Topics
	See also

Home :: Know-how :: Advanced CGI Topics

CGIWrap

CGIWrap is similar to the suEXEC program in that it permits user access to CGI programs without the risk of compromising server security. It does this by running any program defined as a CGI application as the file owner rather than the Apache user. CGIWrap also performs several security checks on the CGI application; the application will not be executed if any of the checks fail.

CGIWrap is written by Nathan Neulinger and available from the Unix Tools Web site.
http://cgiwrap.unixtools.org/

How to install on a common RedHat 7.x platform?

./configure --with-httpd-user=apache --with-install-dir=/var/www/cgi-bin
make install

try:
http://fhz.infocopter.com/cgi-bin/cgiwrap/wm1/helloworld.pl

you could rename cgiwrap to shorter the uri:
http://fhz.infocopter.com/cgi-bin/cw/wm1/helloworld.pl

Options of cgiwrap at compile time

--with-rlimit-cpu=SECONDS 
limit cpu time with setrlimit 

--with-rlimit-vmem=BYTES 
limit total virtual memory with setrlimit 

--with-rlimit-as=BYTES 
limit total available memory with setrlimit 

--with-rlimit-fsize=BYTES 
limit writable file size with setrlimit 

--with-rlimit-data=BYTES 
limit data segment size with setrlimit 

--with-rlimit-stack=BYTES 
limit stack segment size with setrlimit 

--with-rlimit-core=BYTES 
limit core file size with setrlimit 

--with-rlimit-rss=BYTES 
limit resident set size with setrlimit 

--with-rlimit-nproc=COUNT 
limit number of processes with setrlimit 

--with-rlimit-nofile=COUNT 
limit number of open files with setrlimit 

--with-rlimit-memlock=BYTES 
limit lockable memory with setrlimit

suEXEC

Apache comes bundled with its own security wrapper application called suEXEC. suEXEC allows users to run CGI and SSI programs as the owner of the site as opposed to the owner of the httpd process. Here's how suEXEC works. When a request is made for a CGI or SSI file not owned by the Apache user, the request is passed to suEXEC along with the program name and the owner's user/group ID. suEXEC then runs a series of checks to ensure the request is valid. If it is, the script is executed. If the request fails any of the checks, the script is not run and an error is logged.

For a complete list of all 20 checks performed by suEXEC, and for detailed installation/configuration instructions, see the Apache suEXEC Web site.

http://httpd.apache.org/docs/suexec.html

contact

Know-How home | Must Read | What's new? | iC Site Map
link search