O'Reilly logo

Web, Graphics & Perl/Tk Programming by Jon Orwant

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 18. Securing Your CGI Scripts

Lincoln D. Stein

Tip

Since this article was written, a new module has become available: Roland Giersig’s Expect.pm, available on CPAN. I recommend it over both chat2.pl and Comm.pl; not only is it a full-fledged module, but it uses IO::, which renders Lincoln’s workaround in the section Oops unnecessary.

I like to keep my CGI scripts puny and weak, and you should too. CGI scripts are a gateway into your system from the Internet, and are, unfortunately, all too often exploited by unscrupulous people for nefarious ends. The more access a CGI script has to your system, the more dangerous it becomes when used for unintended purposes.

To keep CGI scripts under control, most webmasters, myself included, run the web server under an unprivileged user account. On Unix systems, this is often an account called nobody. On Windows, it’s an anonymous account with guest logon access. On correctly configured systems, the web server user account has even fewer privileges than an ordinary user. It doesn’t own a home directory, have a shell, or even have the ability to log in as a normal user.

Under most circumstances you’ll never notice the fact that CGI scripts run as an unprivileged user. However, sometimes this fact becomes inconvenient. For example, what if you want to give remote users read/write access to their home directories from across the web, allow web access to a database that uses account privileges for access control, or perform administrative tasks ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required