Indiana University

IU Webmaster

Executing CGI Scripts

Introduction

A CGI (Common Gateway Interface) script is a computer program that the Web server executes in real time, which lets you deliver dynamic information on your Web pages. With CGI, you can collect user information through Web forms, access databases, and return dynamic information to the user's Web browser. For more information on CGI, see the Webmaster's "Tools and Guides" page.

Because CGI scripts on IU's central Web servers (Webserve) run with the permissions of the script owner, using CGI essentially allows people (most of whom otherwise do not have access to our Web servers) to run a program on the Web server as you. For this reason, your scripts do not need to be (and should not be) readable, writeable, or executable by group or world. For more information, see "Running as Owner" below.

Instructions for Using CGI

To run CGI scripts from your Webserve account:

  1. Put the script in the www or wwws directory of your account (or in a subdirectory of www or wwws).

  2. Name your script so that it has either a .cgi or a .pl extension (e.g., myscript.cgi, newscript.pl). Scripts without one of these extensions will not run.

  3. Set the permissions of the script to read, write, and execute for the owner only. The script will not run if it is writeable by group or other. To do this, move to the directory where your script is stored and use the Unix chmod command:

      chmod 700 scriptname

  4. Run the script at the command line to debug the script.

    Note: When a CGI program (written in any language) is executed at the command line on Webserve, it may seem to run a bit slowly. Webserve is physically the "publishing" server and NOT one of the backend Web servers. The same application, run as a CGI program via a URL, might execute more quickly than it does at the command line on Webserve.

  5. Make a link to your CGI script from a Web page, or put its URL in the ACTION attribute of a form that submits information to your CGI script (see "Your Script's URL" below).

  6. Test your script to make sure it is working properly.
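An added example, not part of the original IU page: a shell audit that checks every .cgi and .pl file under a directory against the permission rule in step 3 and can reset the rest to 700. The function names and the status labels (OK, WONT_RUN, EXPOSED, OWNER_BITS) are this example's own.

```shell
#!/bin/sh
# audit_cgi DIR: print STATUS<TAB>MODE<TAB>PATH for each .cgi/.pl file under DIR.
#   OK         owner-only rwx (mode 700), as step 3 requires
#   WONT_RUN   writeable by group or other; the page says such scripts will not run
#   EXPOSED    other group/world bits set (for example 755)
#   OWNER_BITS owner bits are not exactly rwx
audit_cgi() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) | sort |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)              # e.g. -rwxr-xr-x
        owner=$(printf '%s' "$mode" | cut -c2-4)
        rest=$(printf '%s' "$mode" | cut -c5-10)      # group + other bits
        group_w=$(printf '%s' "$mode" | cut -c6)
        other_w=$(printf '%s' "$mode" | cut -c9)
        if [ "$group_w" = w ] || [ "$other_w" = w ]; then
            status=WONT_RUN
        elif [ "$rest" != "------" ]; then
            status=EXPOSED
        elif [ "$owner" != rwx ]; then
            status=OWNER_BITS
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$mode" "$f"
    done
}

# fix_cgi DIR: apply "chmod 700" to every script that audit_cgi does not report as OK.
fix_cgi() {
    audit_cgi "$1" | while IFS=$(printf '\t') read -r status mode path; do
        [ "$status" = OK ] || chmod 700 "$path"
    done
}

# Stand-alone use: sh audit.sh ~/www   (the script file name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_cgi "$1"
fi
```

Only files ending in .cgi or .pl are examined or changed; other files in the directory are left as they are.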

Running as Owner

On IU's central web servers (Webserve), CGI scripts execute with the permissions of the script owner (you); this is quite different from many web servers on which CGI scripts run with the permissions of the Web server account.

The authors of many of the CGI scripts available on the Internet recommend that you make world readable and writable any files that your CGI script reads from or writes to. Do not follow this advice for CGI scripts that you run on Webserve. Your script executes with your permissions, so it can read and write to your files without having to make these files world readable or writeable.

On the contrary, you should remove world read and write privileges on these files to help prevent them from being maliciously overwritten or deleted.

Your Script's URL

The URL (Web address) for your CGI script is similar to the URLs for your static Web pages:

http://www.indiana.edu/~username/subdirectory/scriptname for IUB users
http://www.iun.edu/~username/subdirectory/scriptname for IUN users
http://www.iuk.edu/~username/subdirectory/scriptname for IUK users
http://www.iupui.edu/~username/subdirectory/scriptname for IUPUI users

Restricting Access to Your CGI Script

Search tools such as Google Code Search make it simple to find Web sites vulnerable to attack: users can search for regular expressions or exact strings, and can even restrict their searches to code written in specific programming languages. The tool searches all of the publicly available source code it can find, so you should not set the permissions of your CGI files to 755.

To restrict access to your CGI script, you'll need to set up an .htaccess file, as you would for any of your Web pages. For more information on setting up .htaccess files on the central Web servers, see the Webmaster's Controlling Web Page Access document.
