cgi-wrap.c allows executing CGI scripts under a dedicated uid/gid in a chroot environment. Unlike suexec, it does not execute arbitrary (user-)scripts but only programs which are installed and configured by the system administrator. This allows some of suexec's restrictions to be removed without lowering security.
USER environment variable will be assigned to
USER will be set
argv) will be checked for strange characters (non-alpha, ...)
cgi-wrap.c is a single C file and can be downloaded here
cgi-wrap.c requires an individual configuration file for each cgi-bin directory and must be recompiled for each project. Therefore, a general installation guide is very difficult to write. Instead, an example installation for viewcvs is given.
In the first step, the target project (viewcvs) should be installed according to its documentation, but without modifying the ScriptAlias-related HTTP configuration.
Non-public files (e.g. those containing database passwords) should be readable by the service group or user only, but not by the user running the webserver. In our example, the service user would be the user "viewcvs" (see below).
It is recommended to do the same with the CGI scripts, e.g. to make them readable/executable by the service group only. In any case, the scripts must be owned by root and not
$ ls -la /usr/share/viewcvs/cgi
drwxr-xr-x 2 root root 1024 Apr 11 22:37 .
drwxr-xr-x 6 root root 1024 Apr 11 22:37 ..
-rwxr-x--- 1 root viewcvs 1496 Apr 11 22:26 query.cgi
-rwxr-x--- 1 root viewcvs 1633 Apr 11 22:26 viewcvs.cgi
diet gcc cgi-wrap.c -DCGI_USERFILE=\"/etc/httpd/conf/viewcvs-wrap.conf\" -o viewcvs-wrap
('-Os' after diet or '-DNDEBUG' may be useful)
The first line "60030" specifies the UID (on my system, this is the user 'viewcvs'). The second line "60030 60009" means that the script will be executed with a group id of 60030 (group 'viewcvs') and the supplementary group 60009 (group
viewcvs" in the third line means that the USER variable should be set to this string. This value is necessary because name resolution is often impossible in a minimal chroot environment, and tools like rcs fail when the username cannot be determined.
The fourth line "/" specifies the chroot directory and the fifth one the directory of the real CGI scripts. In this case, viewcvs is not running in a chroot environment, but there are real configurations (e.g. for a Wiki system or an MRTG statistics web frontend) where real chroots are used. How to create such a chroot environment is beyond the scope of this
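Since the configuration file itself is not reproduced here, the following added example (my own code, not the cgi-wrap.c source) shows a parser for that five-line layout together with the "strange characters" check the wrapper applies to its arguments. The accepted character set [A-Za-z0-9._-], the refusal of uid/gid 0 and the field sizes are my assumptions, not taken from cgi-wrap.c.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not the cgi-wrap.c source: parser and sanity checks for the five-line
 * configuration described above (uid / gid [supplementary gids] / USER / chroot dir / CGI dir).
 * parse_wrap_conf() returns 0 on success, -1 on a malformed or unsafe configuration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define MAX_GROUPS 8

struct wrap_conf {
    uid_t uid;
    gid_t gids[MAX_GROUPS]; int ngids;   /* gids[0] is the primary group */
    char  user[32];                      /* value for the USER environment variable */
    char  chroot_dir[256], cgi_dir[256]; /* cgi_dir holds the real CGI scripts */
};

int arg_is_safe(const char *s) {          /* assumed rule: only [A-Za-z0-9._-] is accepted */
    if (*s == '\0') return 0;
    for (; *s; ++s)
        if (!isalnum((unsigned char)*s) && strchr("._-", *s) == NULL) return 0;
    return 1;
}

static int parse_id(const char *tok, unsigned long *id) {
    char *end;
    *id = strtoul(tok, &end, 10);
    return (*tok && *end == '\0' && *id != 0) ? 0 : -1;  /* id 0 (root) is refused */
}

int parse_wrap_conf(const char *text, struct wrap_conf *c) {
    char buf[1024], *ls, *ts, *line, *tok;
    unsigned long id; int n = 0;
    if (snprintf(buf, sizeof buf, "%s", text) >= (int)sizeof buf) return -1;
    memset(c, 0, sizeof *c);
    for (line = strtok_r(buf, "\n", &ls); line; line = strtok_r(NULL, "\n", &ls), ++n) {
        if (n == 0) {                                    /* uid */
            if (parse_id(line, &id)) return -1;
            c->uid = (uid_t)id;
        } else if (n == 1) {                             /* primary gid + supplementary gids */
            for (tok = strtok_r(line, " \t", &ts); tok; tok = strtok_r(NULL, " \t", &ts)) {
                if (c->ngids == MAX_GROUPS || parse_id(tok, &id)) return -1;
                c->gids[c->ngids++] = (gid_t)id;
            }
        } else if (n == 2) {                             /* USER: same charset rule as argv */
            if (!arg_is_safe(line) || strlen(line) >= sizeof c->user) return -1;
            strcpy(c->user, line);
        } else if (n < 5) {                              /* chroot dir, then real CGI dir */
            if (line[0] != '/' || strlen(line) >= sizeof c->cgi_dir) return -1;
            strcpy(n == 3 ? c->chroot_dir : c->cgi_dir, line);
        }
    }
    return (n == 5 && c->ngids > 0) ? 0 : -1;           /* exactly five lines expected */
}
```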
mkdir -p /usr/local/lib/httpd/viewcvs
cp viewcvs-wrap /usr/local/lib/httpd/viewcvs/
chown root.apache /usr/local/lib/httpd/viewcvs/viewcvs-wrap
chmod 04510 /usr/local/lib/httpd/viewcvs/viewcvs-wrap
install -d /usr/local/lib/httpd/viewcvs
install -m4510 -o root -g apache viewcvs-wrap /usr/local/lib/httpd/viewcvs/
ln -s viewcvs-wrap /usr/local/lib/httpd/viewcvs/viewcvs.cgi
ln -s viewcvs-wrap /usr/local/lib/httpd/viewcvs/query.cgi
$ ls -l /usr/local/lib/httpd/viewcvs/
lrwxrwxrwx 1 root root 14 Apr 11 17:41 query.cgi -> ./viewcvs-wrap
-r-s--x--- 1 root apache 8928 Apr 17 11:51 viewcvs-wrap
lrwxrwxrwx 1 root root 14 Apr 11 17:41 viewcvs.cgi -> ./viewcvs-wrap
... mod_mime_magic: can't read `/usr/local/lib/httpd/viewcvs/query.cgi'
viewcvs-wrap executable can be made group-readable.
ScriptAlias /viewcvs/cgi-bin /usr/local/lib/httpd/viewcvs
Options +ExecCGI +SymLinksIfOwnerMatch
Clients can access the content through the URL
Enrico Scholz Last modified: Thu Jul 3 00:18:07 CEST 2003