Overview
All CGI and FastCGI requests operate as the owner of the file and require heightened security to limit malicious behavior. There are a few guidelines that must be adhered to when a CGI or FastCGI script, ending in .cgi, is accessed on your hosting account:
1. File permissions must be 755 (u=rwx,g=rx,o=rx)
   - Group and Other cannot have write permission, which would allow them to inject unsafe code into your CGI script
   - Other (web server) must be able to access the file before
2. Directory permissions of the folder in which the CGI script resides must be 755 (u=rwx,g=rx,o=rx)
   - Group and Other cannot create other files in the directory that may be sourced as CGI scripts
   - Other (web server) must be able to open the directory to satisfy the request before wrapping with suEXEC
3. File owner must match directory owner
   - Prevents injection of arbitrary CGI scripts by other users into the same directory (see #2 above)
4. File must be executable from the shell
   - suEXEC runs the script in its process space via an execve system call
Permission changes may be made either via FTP or Files > File Manager within the control panel. For a script to work from the shell, it must begin with a shebang on the first line of the file, generally in the form #!/usr/bin/exec args. Examples of common shebangs include:
- Python: #!/usr/bin/env python
- PHP: #!/usr/bin/php -q
- Perl: #!/usr/bin/perl
- Bash (shell script): #!/bin/sh
Note: these all have #! in common on the first line. This notation is called the “shebang” and follows the pattern: <shebang><path to executable> followed by a Unix-style newline (\n). If a shebang is followed by a Mac or Windows-style EOL marker (\r and \r\n respectively), the script will fail. EOL markers may be changed within the control panel.
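The guidelines above can be checked before a script is uploaded. The following is an added example, not part of the original article or the hosting platform's tooling: it tests file and directory mode, owner match, and the shebang's EOL marker. The function names and the sample.cgi file are constructed for illustration.

```python
import os
import stat
import sys
import tempfile

REQUIRED_MODE = 0o755  # u=rwx,g=rx,o=rx, required for both script and directory


def check_cgi(path):
    """Return a list of problems that break the CGI guidelines listed above."""
    problems = []
    directory = os.path.dirname(os.path.abspath(path))
    f_st, d_st = os.stat(path), os.stat(directory)

    for label, st in (("file", f_st), ("directory", d_st)):
        mode = stat.S_IMODE(st.st_mode)
        if mode != REQUIRED_MODE:
            problems.append(f"{label} mode is {mode:o}, expected 755")
    if f_st.st_uid != d_st.st_uid:
        problems.append("file owner does not match directory owner")

    with open(path, "rb") as fh:  # binary mode so \r is not translated away
        first = fh.readline()
    if not first.startswith(b"#!"):
        problems.append("first line is not a shebang")
    elif first.endswith(b"\r\n"):
        problems.append("shebang ends with Windows EOL (\\r\\n)")
    elif b"\r" in first:
        problems.append("shebang ends with Mac EOL (\\r)")
    elif not first.endswith(b"\n"):
        problems.append("shebang is not terminated by \\n")
    return problems


def demo(shebang=b"#!/bin/sh\n", mode=0o755):
    """Build a constructed sample script in a temp directory and check it."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        script = os.path.join(d, "sample.cgi")  # constructed file name
        with open(script, "wb") as fh:
            fh.write(shebang + b"echo 'Content-Type: text/plain'; echo; echo ok\n")
        os.chmod(script, mode)
        return check_cgi(script)


if __name__ == "__main__":
    results = check_cgi(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(results) or "OK")
```

Run it with the path to a .cgi file as the only argument; with no argument it checks the constructed sample and prints OK.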