About forms and CGI scripts on IU's web server


Overview

CGI programs and scripts are executable; if you have one, you are allowing anyone in the world to run a program on your computer. Because of the potential security risks, users with web pages on the UITS Pages web server may not use CGI scripts.

CGI programs are permitted on the IU central web server (Sitehost). Such programs must adhere to UITS's Network Information Services guidelines for information providers.

For information about obtaining an account on Sitehost, see Request Sitehost accounts.

Set up CGI scripts on Sitehost

To run CGI scripts from your account on Sitehost:

  1. Name your script so that it ends with a .cgi or a .pl extension. Scripts without one of these extensions will not run on Sitehost.
  2. Put the script in your web directory or any subdirectory of your web directory.
  3. Set the permissions of the script to read, write, and execute for the owner only. To do this, move to the directory where your script is stored and, at the command prompt, enter:
    chmod 700 scriptname

    Replace scriptname with the name of your script. For more on the chmod command, see Manage file permissions on Unix-like systems.

  4. Make a link to your CGI script from a web page, or use the action attribute in the <form> tag of a form that submits information to your CGI script. As with your other files on the server, you don't need to include the web directory within the URL for your script. The URL of your script will be in the following form:
    https://account.sitehost.iu.edu/subdirectory/scriptname

    Replace account with the group account username, and if your script is in a subdirectory of web, replace subdirectory with the name of the subdirectory of your script. Replace scriptname with the name of your script.

  5. Test your script to make sure it is working properly.

Alternatives to CGI programs

You may not need a CGI program to complete certain tasks. Consider the following options:

  • You can use Java applets; see Java on IU web servers.
  • You can limit who has access to your web pages.
  • You can use links to online utilities hosted by other sites, such as guest books and counters. Searching the web will return many useful links.

Run as owner

On Sitehost, CGI scripts execute with the permissions of the script owner (you); this is quite different from many web servers on which CGI scripts run with the permissions of the web server account.

The authors of many of the CGI scripts available on the internet recommend that you make world readable and writable any files that your CGI script reads from or writes to. Do not follow this advice for CGI scripts that you run on Sitehost. Your script executes with your permissions, so it can read and write to your files without having to make these files world readable or writable. Instead, you should remove world read and write privileges on these files to help prevent them from being maliciously overwritten or deleted.

This is done with the chmod command shown earlier:

chmod 700 scriptname

In that command, the 7 sets the owner's permissions to read, write, and execute. The first 0 gives the group no access, and the second 0 gives others no access as well.

Less restrictive file permissions for CGI scripts, such as giving the group or others access to run the script, can make your site vulnerable to attacks from malicious actors, because such settings let them search for, find, and run the CGI script.
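
The following shell script is an added example, not part of the original document or IU's own tooling. It reports .cgi and .pl scripts that are not set to mode 700 and data files that others can read or write, and includes a function that tightens both; the function names and the separate data directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IU's own tooling. WEB_DIR is your web directory;
# DATA_DIR is a hypothetical directory holding the files your scripts use.

# Print .cgi/.pl scripts under $1 whose mode is not exactly 700.
find_loose_scripts() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) ! -perm 700 -print | sort
}

# Print files under $1 that "other" can read or write.
find_world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) -print | sort
}

# Report findings; return 0 when clean, 1 when something needs tightening.
audit_cgi_perms() {
    scripts=$(find_loose_scripts "$1")
    data=$(find_world_accessible "$2")
    if [ -n "$scripts" ]; then
        printf 'Scripts not set to mode 700:\n%s\n' "$scripts"
    fi
    if [ -n "$data" ]; then
        printf 'Data files readable or writable by others:\n%s\n' "$data"
    fi
    [ -z "$scripts$data" ]
}

# Apply the guidance: chmod 700 on scripts, strip world read/write from data.
tighten_cgi_perms() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) -exec chmod 700 {} +
    find "$2" -type f -exec chmod o-rw {} +
}

# Usage: sh audit.sh WEB_DIR DATA_DIR   (report only; changes nothing)
if [ "$#" -eq 2 ]; then
    audit_cgi_perms "$1" "$2"
fi
```

Run the report first and review its output before calling tighten_cgi_perms, since static pages in the web directory are deliberately left alone and only the data directory has its world read and write bits removed.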

Restrict access to your CGI script

To restrict access to your CGI script, set up an .htaccess file, as you would for any of your web pages; see Control web page access for Pages or Control web page access to Sitehost.

This is document agrs in the Knowledge Base.
Last modified on 2023-06-28 12:08:18.