Web Hosting Talk






PDA

View Full Version : Turnning CGI Wrappers off

tymonhall
08-11-2001, 03:25 PM
Hi, I am considering turning cgi wrappers off for a customer who need this to be done. My question is what are the security concerns if I turned it off for the whole server and is there I can turn it off for just their site and if so how?

Before anyone respond saying please do a search I already have and have not found anything to answer my questions.
huck
08-13-2001, 03:22 PM
First:
Why do they need the wrappers turned off? Most scripts should run with the wrappers on unless the scripts are accessing files or commands for which the user would normally not have access. If the scripts are giving errors while accessing the user's own files, then there is a scripting/permission error.

Second:
Make sure you trust the client's scripts. The scripts will now be ran as nobody, which means any script in that client's site will have the same access as the web server's uid, gid. Make sure that the necessary security has been put in place, ie. you trust the client.

Third:
To disable scripts, simply change the directive AddHander directive for that sites cgi-bin scripts.
For example, to remove the wrapper for .pl scripts, change:

AddHandler cgi-wrapper .pl

to
AddHandler cgi-script .pl

This would make all .pl scripts no longer subject to the cgi-wrapper.

A bit of a kludge....
I have one client who had to remove the cgi-wrapper for a program but otherwise wanted to use the wrapper for security reasons. I changed only the ".pl" handler to run without the wrapper. This way scripts ending in ".cgi" go through the wrapper but those ending in ".pl" do not.

If you want to remove the wrapper all together, then do a search, there are instruction on the board somewhere.
Gauss
08-14-2001, 09:07 AM
You can actually turn off cgi-wrap by directory with these instructions. You must telnet in as a user that has write permissions for the directory you want to disable cgi-wrap for.

Once your logged in create a file called .htaccess in the directory that you want to disable cgi-wrap for.

The .htaccess file should contain these lines:

Options +ExecCGI AddHandler cgi-script .cgi AddHandler cgi-script .pl

Save the file.

Any cgi that exist under that directory tree will not be executed by cgi-wrap.

HTH,
g.