Is there some way to have a cgi script run on the CS webserver as my own UID rather than the one belonging to the webserver software?

By default, CGI scripts running on our server execute as the web user www; this user has no special permissions. Thus, the directory in which the script resides must be world-searchable, the script must be world-executable, and files read or written by the script must be world-readable or world-writable.

In certain applications, you may prefer that a script execute with your Unix account permissions so as to access protected data. We provide a "Secure CGI" mechanism for doing this.

Warning: Please carefully weigh your need for this feature against the security risks of a script running with the full permissions of your user account. You are responsible for the use of that account, whether by your own hand, by someone using a workstation where you left yourself logged in, or by someone exploiting a poorly written script which you have made available on the Web. You may wish to review our policies.

The basic guidelines for setting up a secure CGI script are:

  • Full script pathnames should contain only printing ASCII characters. They should not contain relative path components.
  • Script directory should be searchable by the owner and have the same owner/group as the script file. They should not be writable by anyone other than the owner
  • Script files should be a regular file (not a symlink), be executable by the owner and have the extension ".scgi".They should not be setuid or setgid or writable by anyone other than the owner.

Other notes:

  • Non-parsed-header scripts may be used with the usual nph- prefix.
  • Access control directives (in a .htaccess file) will not work for a .scgi script. Normally, this is not a problem, since the script is typically the action associated with a form in a .html file, which can be access controlled. Of course, the script is at liberty to implement any authentication for itself that it chooses.