It will be helpful to understand these concepts before reading this article:

The problem

By default, CGI scripts run with the lowest possible privilege level on a system, running as the user "nobody". This protects the system from intrusion when a script is compromised. This low privilege level causes a problem when the script needs to write or create files - such as a guest book script, a forum script, or anything that needs to write information to a log file. The problem is that the files are owned by the UNIX user of the web hosting account (this is your login username), but the program is running as "nobody", which does not have permission to write to your files.

The wrong solution

Most often the problem is solved by changing the permissions of the required files so that everyone on the system - including the "nobody" user - has permission to write to them. If you are installing a CGI script you downloaded from another website, most likely you are instructed to do this. Specifically, any files are "chmod-ed" to permission 666 and any directories to permission 777. (For more information on what this means, see the UNIX permissions document.) This method is inherently insecure because you are giving everyone on the system permission to modify and delete your files. This leaves them open to attack from any other user on the system.

The solution with .cgi-set

The correct solution is to elevate the script's privilege level and have it run as your UNIX login user. Instead of the script running as the "nobody" user, which cannot write to your files, have the script run as your UNIX user. Your UNIX user (the username you were assigned when your hosting account was set up) has full access to your files. The CGI script running as your UNIX user therefore has access to your files without any special modifications of their permissions. To have a CGI script run as your UNIX login user, simply use the ".cgi-set" extension instead of the standard ".cgi" extension.
PHP scripts can also run as your UNIX login user by using the ".php3-set" extension instead of the standard ".php3" extension.

Security requirements to use .cgi-set

Before a ".cgi-set" or ".php3-set" program is run, a number of security requirements must be satisfied. If you have been playing around with the permissions of files and directories, it is possible that you may break one of these requirements and receive a "500 internal server error" error message. These requirements should be naturally fulfilled with no action on your part. Problems only happen when you change a setting that you shouldn't have changed. So, you can usually get started using ".cgi-set" without having to fully read and understand these requirements. Here is the list of requirements:
Something like the following will be logged in the server error log:
[Fri Jan 12 16:50:14 2001] [error] [client 24.180.201.116] Premature end of script headers: /web/d/r/drhis/home/hello_world.cgi-set
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, webmaster@yourname.com and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.

In addition, it may be important to know that the environment for any ".cgi-set" scripts is cleaned out to only the standard keys to prevent any malicious data from being passed.
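
Once a script runs under the ".cgi-set" extension, the 666 and 777 permissions described under "The wrong solution" are no longer needed. The following is an added example, not part of the original article or the hosting provider's tooling: a shell audit that finds files and directories any user can write to and removes only that permission. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web directory for leftover world-writable
# permissions (the 666/777 "wrong solution") and remove the other-write bit.

# List regular files and directories under $1 that any user can write to.
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Count world-writable entries under $1
# (assumes file names do not contain newlines).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the other-write bit. Owner and group bits are left alone,
# so 666 becomes 664 and 777 becomes 775.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Constructed demo tree: a guest book data directory set up the insecure way.
demo() {
    root=$(mktemp -d)
    mkdir "$root/guestbook"
    : > "$root/guestbook/entries.log"
    : > "$root/hello_world.cgi-set"
    chmod 777 "$root/guestbook"
    chmod 666 "$root/guestbook/entries.log"
    chmod 755 "$root/hello_world.cgi-set"

    echo "world-writable before: $(count_world_writable "$root")"
    list_world_writable "$root"
    fix_world_writable "$root"
    echo "world-writable after:  $(count_world_writable "$root")"
    rm -rf "$root"
}

demo
```

Run `list_world_writable` against your own home directory first and review the output before calling `fix_world_writable`.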