Technical Note - Personal CGI

Summary

ALERT! This document is for advanced users only

This document details how to get CGI access enabled on your account, and the environment in which it runs.

Details

Requesting CGI access

CGI access is granted on the basis of need. Students and staff can request it by emailing jobs@ecs.vuw.ac.nz, stating the specific need. We will also need to be confident you are fully aware of the risks involved.

Security Risks

The ECS server uses a program called CGIWrap to run CGI scripts. CGIWrap runs scripts as you, which means the scripts have permission to do whatever you can do on our systems. This prevents unauthorised access to private files on our system, but does not protect files that you have permission to access. This is a particular issue for staff; a poorly written CGI script could possibly expose marking data or other private student information.

If you don't have a thorough understanding of the risks involved, don't run CGI scripts.

Directory setup

Personal CGI scripts must be in ~/public_html/cgi-bin, and that directory must be accessible by you (chmod 700 ~/public_html/cgi-bin). The scripts themselves only need to be executable by you (chmod 700 ~/public_html/cgi-bin/*).
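
The modes above can be checked before a script goes live. The following is an added example, not part of the original note or any ECS tooling; audit_cgi_bin is a hypothetical function name, and the default path is the one given above.

```shell
#!/bin/sh
# Added example: audit a personal cgi-bin against the 700 modes described above.
# audit_cgi_bin is a hypothetical helper name, not an ECS tool.
# Usage: audit_cgi_bin            (checks ~/public_html/cgi-bin)
#        audit_cgi_bin /some/dir  (checks another directory)
# Returns 0 if clean, 1 if a problem was found, 2 if the directory is missing.

audit_cgi_bin() {
    dir=${1:-"$HOME/public_html/cgi-bin"}
    problems=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi

    # Any group or other permission bit on the directory, a subdirectory or
    # a file is looser than 700. Each bit is tested separately because the
    # POSIX "-perm -mode" form only matches when ALL listed bits are set.
    loose=$(find "$dir" \( -type d -o -type f \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "group/other permissions set (expected 700):"
        echo "$loose" | sed 's/^/  /'
        problems=1
    fi

    # Scripts must be executable by their owner, or they cannot be run.
    noexec=$(find "$dir" -type f ! -perm -100 -print)
    if [ -n "$noexec" ]; then
        echo "not executable by owner:"
        echo "$noexec" | sed 's/^/  /'
        problems=1
    fi

    return "$problems"
}
```
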

Authentication

A CGI script can implement its own authentication, or use the ECS authentication system, either with .htaccess files or by placing your CGIs in cgi-bin/auth. If you use the latter, you can check that Apache has set the MCS_USER variable. For example:

#!/usr/pkg/bin/perl
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;
print $cgi->header;

# Apache sets MCS_USER when the ECS authentication system is in use.
if (! $ENV{'MCS_USER'}) {
   print "You don't have access";
   exit;
}

# Restrict the script to one named user.
if ($ENV{'MCS_USER'} ne "fred") {
   print "Where's fred?";
   exit;
}

Wikis/Content Management Systems

Personal wikis, or other content management systems, must be secured from spammer access (i.e. every method of getting data onto a page should be authenticated in some way). If a spammer has found your site, and it is open, it will become a spam trap. Of more concern, that spammer probably found their way there from Google, which will subsequently index advertisements for Viagra and fake degrees on the vuw.ac.nz domain. Previous attacks remain in the Google index, despite having been subsequently cleaned up. Do not allow your web site to be abused in this way.

Alternatives to CGI

Our server is also set up to allow Server Side Includes (SSI), which can remove much of the hassle of coding HTML files, and may be more suited to your needs.

We also run PHP, which you may wish to use (see Personal PHP page).