[Security] CGI problem solved

root root@gate.polarhome.com
Wed, 23 Jan 2002 15:52:49 +0100 (CET)


polarhome found "some kind of solution" for the Perl and CGI abuse problem.
From now on, CGI is enabled only for trusted (shell) users. All other
users (with just an FTP account) cannot execute CGI scripts.
You can read more about the differences between shell and FTP users in the shell policy.

How does it work now?
We changed the CGI wrapper on the FreeBSD and Linux boxes. Instead of suEXEC we
use CGIWrap, which allows ACLs (access control lists), process and
environment limits, and CGI debugging as well. With this method registered
users got a much more open and safer CGI environment, but "anonymous"
non-registered users lost CGI execution.
PHP is available to all users in safe mode.
More to read about CGIWrap at 

Users cannot feel the difference. It is absolutely transparent to users,
so you can execute your CGI as before (in example I will use user Anna's
CGI extensions at polarhome realm are: cgi, pl, py, tcl

Execution: http://www.polarhome.com/~anna/cgi-bin/testcgi.pl 
or http://www.polarhome.com/cgi-bin/cgiwrap/anna/cgi-bin/testcgi.pl 

It is possible to debug your script with:
(cgiwrapd instead of cgiwrap in URL)

Otherwise it is possible to debug through log files at: