GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
CGI-WRAPPER(1) FreeBSD General Commands Manual CGI-WRAPPER(1)

cgi-wrapper - run CGI programs in a secured environment

The CGI-wrapper can be used to run certain CGI programs with a different userid then the webserver's userid. To function properly, the CGI-wrapper binary needs the su-bit. To prevent abuse, it has the necessary security checks. The CGI-wrapper can only be executed by the Hiawatha webserver. It uses the Hiawatha PID-file for this verification.

The CGI-wrapper can be configured via the configuration file /usr/local/etc/hiawatha/cgi-wrapper.conf. The following options are available:
CGIhandler = <CGI handler>[, <CGI handler>, ...]
Normally, only files inside the WebsiteRoot will be executed. CGI-handlers are usually not inside this directory. Use this option to specify binaries that are outside the WebsiteRoot and the CGI-wrapper is still allowed to execute.
Example: CGIhandler = /usr/bin/php4-cgi

Wrap = <wrap_id>;<path>|~<username>;<userid>[:<groupid>[, <groupid>, ...]]
Via a Wrap-entry, you can control the CGI-wrapper. The <wrap_id> is used to 'bind' it to a virtual host. See CGIwrapId in hiawatha(1) for more information.
The second option specifies the rootdirectory of the CGI program: it must be located with in this directory or a subdirectory. Specifiy a complete path or use the homedirectory of a user + "/public_html/" by specifing it's username preceded by a '~'. In case of a complete path, it's advisable to use the WebsiteRoot of the associated virtual host. When you specify a complete path, you can replace one slash by a pipe-sign. The part before the pipe-sign will be used for chroot. Be carefull with using chrooted CGI's in combination with UserWebsite and Alias (see hiawatha(1) for more information about these options).
The last options are userid and groupid of the CGI process. If the groupid is omitted, it will be looked up in /etc/passwd and /etc/group. The userid and groupid 'root' are not allowed here.
Example: Wrap = test;/var/www/testsite;testuser Wrap = jail;/usr/jail|sites/public;1001:101

The CGI-wrapper needs Hiawatha's pidfile to work.

Using "CGIwrapId = some_id" and "Wrap = some_id;~hugo;hugo" is the same as using "CGIwrapId = ~hugo".

Most of the parameters in cgi-wrapper.conf are already present in hiawatha.conf. The reason why they have to be specified again and why they are not being passed on by Hiawatha, is that when Hiawatha has a vulnerability, because of a bug in an external library of course :), the CGI-wrapper can't be used to execute every program on the disk. So it is done for a security reason.

The CGI-wrapper is part of the Hiawatha webserver. See hiawatha(1) for more information about Hiawatha.

Hugo Leisink <hugo@hiawatha-webserver.org> - https://www.hiawatha-webserver.org/

Search for    or go to Top of page |  Section 1 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.