Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
CGI-WRAPPER(1)		    General Commands Manual		CGI-WRAPPER(1)

       cgi-wrapper - run CGI programs in a secured environment

       The  CGI-wrapper	can be used to run certain CGI programs	with a differ-
       ent userid then the webserver's userid. To function properly, the  CGI-
       wrapper binary needs the	su-bit.	To prevent abuse, it has the necessary
       security	checks.	The CGI-wrapper	can only be executed by	 the  Hiawatha
       webserver. It uses the Hiawatha PID-file	for this verification.

       The  CGI-wrapper	 can be	configured via the configuration file /usr/lo-
       cal/etc/hiawatha/cgi-wrapper.conf. The following	options	are available:

       CGIhandler = <CGI handler>[, <CGI handler>, ...]
	      Normally,	only files inside the WebsiteRoot  will	 be  executed.
	      CGI-handlers are usually not inside this directory. Use this op-
	      tion to specify binaries that are	outside	 the  WebsiteRoot  and
	      the CGI-wrapper is still allowed to execute.
	      Example: CGIhandler = /usr/bin/php4-cgi

       Wrap  =	<wrap_id>;<path>|~<username>;<userid>[:<groupid>[,  <groupid>,
	      Via a Wrap-entry,	you can	control	the CGI-wrapper. The <wrap_id>
	      is  used	to  'bind'  it to a virtual host. See CGIwrapId	in hi-
	      awatha(1)	for more information.
	      The second option	specifies the rootdirectory of	the  CGI  pro-
	      gram:  it	 must be located with in this directory	or a subdirec-
	      tory. Specifiy a complete	path or	use  the  homedirectory	 of  a
	      user  + "/public_html/" by specifing it's	username preceded by a
	      '~'. In case of a	complete path, it's advisable to use the  Web-
	      siteRoot of the associated virtual host. When you	specify	a com-
	      plete path, you can replace one slash by a pipe-sign.  The  part
	      before  the  pipe-sign will be used for chroot. Be carefull with
	      using chrooted CGI's in combination with UserWebsite  and	 Alias
	      (see hiawatha(1) for more	information about these	options).
	      The  last	 options are userid and	groupid	of the CGI process. If
	      the groupid is omitted, it will be looked	up in /etc/passwd  and
	      /etc/group. The userid and groupid 'root'	are not	allowed	here.
	      Example: Wrap = test;/var/www/testsite;testuser
		       Wrap = jail;/usr/jail|sites/public;1001:101

	      The CGI-wrapper needs Hiawatha's pidfile to work.

	      Using  "CGIwrapId	 = some_id" and	"Wrap =	some_id;~hugo;hugo" is
	      the same as using	"CGIwrapId = ~hugo".

       Most of the parameters in cgi-wrapper.conf are already present  in  hi-
       awatha.conf.  The  reason  why  they have to be specified again and why
       they are	not being passed on by Hiawatha, is that when Hiawatha	has  a
       vulnerability,  because	of  a bug in an	external library of course :),
       the CGI-wrapper can't be	used to	execute	every program on the disk.  So
       it is done for a	security reason.

       The  CGI-wrapper	is part	of the Hiawatha	webserver. See hiawatha(1) for
       more information	about Hiawatha.

       Hugo Leisink <> -  https://www.hiawatha-web-



Want to link to this manual page? Use this URL:

home | help