ITS Web Resources
Secure CGI Pages with SUCGI
Creating secure Web sites with CGI programs requires attention to detail and some understanding of the possible risks. SUCGI is one tool to make it easier for Web developers on ITS-managed systems to secure their sites.
For CGI applications to upload (write) files to site folder(s), the file and/or directory access permissions almost always need to be set open enough for the application to do its work. Unfortunately, this also allows any user with access to the Web server to read and/or modify files. Website vandals take advantage of this exploit to modify both the user's own website and other sites on the same server.
With SUCGI, the file permissions can then be set so that only the user can read and execute the file, and the SUCGI page can write in any location where the owner can write.
Note: If you are working with PHP code, you should use a specific solution tailored for PHP. Please visit our SUPHP page.
Get Started with SUCGI
- Replace the
.plfile extension with the
- Make sure the file owner id matches your computing id.
- Set file permission(s) to allow read and execute access only by you (e.g.,
chmod 700 filename.sucgi).
Note: If you're using a package downloaded from the Internet, you will need to analyze the
files provided. Rename files
as mentioned above, and then go through all of the remaining code to replace references to
filename.pl with references to
- The CGI file must have the
- The file must be saved in the standard Web server document areas:
/www/doc_ssl/, the user's public_html directory, or sub-directories within these locations.
- The reference cannot be made via a symbolic link to the file.
- The file must have owner permission to read and execute set
chmod u+rx filename.sucgior
chmod 700 filename.sucgi).
- The file can allow writing by the owner and the owner's group subject to limitations below.
- The directory containing the file can be writeable by the owner and the group, but not by any other users.
- The file itself and the directory it is in must have matching group ownership. (When accessed by the Web server, the file will be run using the user and group ownership of the file). The user id that owns the file may or may not be the same as the id that owns the directory, but both must belong to the group that owns the file and directory.
- The file must not have UNIX file permissions set to force the user id or group id when run.
The user id and group id of the files and directories need to meet additional restrictions:
- The user id must be a member of the group id used.
- The user id cannot be in the list of administrative ids (those which have a numerical version of the id less than 500.)
- The group id cannot be in the list of administrative groups (those with have a numerical version of the id less than 100.
Managing Access Permissions and Ownership
- Permissions (read/write/execute) can be changed from the Home Directory Administrative Interface.
- User ownership can only be changed by the system administrator or by removing files and having the correct owner create them.
- Group ownership can be changed with the
chgrpcommand when logged into a UNIX server.
- If your standard UNIX group is usr (which is common for many users), you will need to create a new group with MyGroups. Add yourself as a member to that group.
Using SUCGI with NetBadge Authentication
If your CGI script is authenticated by NetBadge, then the user will be
required to login, but your CGI script will not recieve the user name in
$REMOTE_USER. This happens
because your script is run with unauthenticated SUCGI, which is the default. To fix this problem, you must put these
lines in your .htaccess file to use NetBadge authenticated SUCGI.
Action su-cgi-script /server-cgi/netbadge/sucgi PubcookieAppId sunetbadge
(remove any other PubcookieAppId lines)