Using CGI scripts

update 2004-DEC-13

Extensions to account policy for CGI scripts

The following extensions to the account policy apply to all accounts and users who make CGI scripts available.

Users who install CGI scripts warrant that they understand the risks of CGI scripts and have taken every reasonable precaution to minimize the risks.

Users agree not to make insecure scripts available, and to rectify and indemnify other users and the department/university for damages caused by such scripts whether the damage was intentional or not.

No user will install CGI shell scripts (sh, ksh, csh, etc.).
All Perl CGI scripts will use the "taint" feature (-T) available in Perl.

All CGI scripts are restricted to the user's cgi-bin directory unless permission is granted otherwise by the system administrator.

Users agree that the system administrator may modify or delete any CGI script without notice if in the opinion of the system administrator the script may pose a security threat or as a precaution in the event of perceived threats.

Users agree not to leak sensitive or potentially sensitive information about the system or other users, such as process status, usernames, etc.

What are CGI scripts

CGI scripting is a way for a user to have code executed on the web server. It is used to dynamically generate web pages, for example, in response to web forms. CGI code is qualitatively different from ordinary user program code because it is run on the web server machine (not your machine), by the web server (not your account), and for someone else (whoever requested the web page).

CGI on www.cs.uleth.ca

Place CGI scripts in your ~/public_html/cgi-bin directory.
Such scripts must have extension .cgi or .pl. Scripts should be locked down (permissions of rwx to user and no permissions to anyone else). The webserver will refuse to run scripts with insecure permissions (having write permission to anyone but the user).

These scripts will be run under your permissions; that is, anyone who has access on the web to your script can run the script as if you were running it. Numerous ways are known for compromising such scripts so as to produce unintended results, so it is essential to construct all such scripts carefully.

CGI on people.uleth.ca

Information Technology operates a CGI server on "people.uleth.ca" which also hosts the personal home pages on home.uleth.ca. The following instructions explain how to use their web server.

Telnet or ssh to "people.uleth.ca" and login using your user id and password for the uleth.ca computers (same id and password as the ones you use to read mail on @uleth.ca; e.g. "jane.doe").

Although strictly not necessary, make a place to store your CGI scripts:

mkdir cgi-bin
chmod 750 cgi-bin
chgrp webuser cgi-bin

Now create some CGI scripts in the directory cgi-bin.

The scripts must be owned by you, must have group "webuser", and should have permission 750. For example, user jane.doe's script hello.cgi should appear like the following in a directory listing:

-rwxr-x---    1 jane.doe     webuser        66 Jan 15 16:28 hello.cgi

If the script does not have the right owner, group or permissions the web server on people.uleth.ca will refuse to execute it.

Finally, the URL to access this script is:

http://people.uleth.ca/~jane.doe/cgi-bin/hello.cgi

An example of insecure code

The following innocent-looking Perl code, which takes a user's e-mail address from a form and sends a reply to it, is insecure.

$address = $FORM_INPUT{input_email_address};
open(MAIL, "|/usr/bin/sendmail $address");

Unless you have taken other precautions, user input of

"postmaster@uleth.ca && rm -r *"

may remove all your files, because Perl hands the whole string, including everything after the address, to a shell.
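
A hardened form of the snippet above, written as an added example that is not part of the original page: it runs under the taint feature (-T) required by the policy, accepts only input that matches a strict address pattern, and starts sendmail without a shell. The address pattern, the helper names clean_address and send_reply, the sample inputs and the --send switch are assumptions of this example.

```perl
#!/usr/bin/perl -T
# Added example, not from the original page. Run as ./reply.pl or perl -T reply.pl
use strict;
use warnings;

# Taint mode will not start external programs with an inherited environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed allow-list for this example: one plain address, no whitespace, no shell
# metacharacters, and no leading '-' that sendmail could read as an option.
my $ADDRESS_RE = qr/\A([A-Za-z0-9][A-Za-z0-9._+-]{0,63}\@[A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/;

# Return the untainted address, or undef when the input does not match.
sub clean_address {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ $ADDRESS_RE ? $1 : undef;   # a regex capture is untainted
}

# List-form pipe open: no shell is involved, and the address reaches
# sendmail as a single argument after '--'.
sub send_reply {
    my ($address, $body) = @_;
    open(my $mail, '|-', '/usr/bin/sendmail', '-oi', '--', $address)
        or die "cannot run sendmail: $!";
    print {$mail} "To: $address\nSubject: Reply\n\n$body\n";
    close($mail) or die "sendmail exited with status $?";
    return 1;
}

# Constructed inputs; the second is the string quoted on this page.
my @samples = ('jane.doe@example.org', 'postmaster@uleth.ca && rm -r *', '-t@example.org');
my $send = @ARGV && $ARGV[0] eq '--send';   # hypothetical switch of this example

for my $input (@samples) {
    my $addr = clean_address($input);
    if (defined $addr) {
        print "accept: $addr\n";
        send_reply($addr, 'Thank you for your message.') if $send;
    } else {
        print "reject: $input\n";
    }
}
```

Without --send the script only reports which inputs it would accept, so it can be run on a machine that has no sendmail.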