How to to run cgi safely in dedicated server when many users are writing their own cgi scripts? I researched and found there is cgiwrap and sbox (SuExec also but many people speak against it)

Between sbox anc cgiwrap which one you found to be best, and what is bad about each?

I don't know why anyone would speak badly of suEXEC - we've used it for years with great results. It doesn't interefere with the normal operation of scripts, as some things like cgiwrap can.

suEXEC can be difficult to get working if you're not used to it, though - maybe that's what you've heard?

Originally posted by jonglenn
How to to run cgi safely in dedicated server when many users are writing their own cgi scripts? I researched and found there is cgiwrap and sbox (SuExec also but many people speak against it)

Between sbox anc cgiwrap which one you found to be best, and what is bad about each?

There's nothing at all bad about SuEXEC. As Travis said, as long as it's installed properly and ran properly. That's also not difficult to do. However, the other two alternatives you mentioned aren't bad choices either. CGIWrap has been around for a while. I don't know too much about SBox, but it sounds interesting and I believe Lincoln Stein wrote it -- I'm not sure though. I'd personally suggest using SuEXEC.

suEXEC is the way to go if you want the cgis your users run to be ran with their individual username instead of a general "www"

Theres actually just a few problems people have with suEXEC with CGIs , it is mostly permissions problems since suexec is VERY picky about file permissions like, all cgis have to be 755 and can't be owned by another stray user.

So its actually pretty easy to adapt, just have correct permissions.

Cool program.

Originally posted by ADW
suEXEC is the way to go if you want the cgis your users run to be ran with their individual username instead of a general "www"

Theres actually just a few problems people have with suEXEC with CGIs , it is mostly permissions problems since suexec is VERY picky about file permissions like, all cgis have to be 755 and can't be owned by another stray user.

So its actually pretty easy to adapt, just have correct permissions.

Cool program.

Of course, that's a good thing, to check to see what user owns the file. Also, you can (and should) set the permissions to 700 on CGI scripts. This also allows you to set the same (or less) on directories and not leave anything open to world read, write and execute. Of course, you know this, I'm sure, but I'm poisting it for the sake of the other viewers reading it. SuEXEC can create errors, but only on files that don't have the proper settings anyway -- which should be erroring at that point.

Yes - suEXEC enforces good security policy, which is a good thing - since you're presumably using it for security purposes in the first place.