climagic Logo climagic

On suso.org, CGI scripts (usually written in Perl, Python or Shell scripting) are run in a special way that allows the programs to be run as your user id instead of run by the webserver's user id. What this means is that your CGI programs will be able to read and write files the same way as if you were logged into the server through SSH. But this enhancement comes with the price of security. The program that makes this possible is called suexec and is a standard part of the Apache web server. You don't have to do anything to use suexec because its already setup on your account. There is a file called .htaccess in your base www directory that has the command 'Options +ExecCGI' in it. This is what turns on suexec for your website.

When suexec runs one of your CGI programs, it goes through a series of checks to make sure that it is safe to do so. This includes the following, which are the most common problems that people run into:

  • Is the directory containing the program within your webspace?

The program must be within your allocated webspace. Your webspace is defined as:

  • Is the directory where the script is located owned by your user id?

Your user id is Template:Your username and your group id is Template:Your groupname, the CGI program that you are running must be owned by that user and group. If they are not, you might be able to change their ownership by running:

chown username:groupname filename.cgi

Note: You may need to ask us to do this for you the above command fails.

  • Is the directory where the script is located writable by anybody else?

The directory where your CGI program resides must not be writable by the group or other classes. You can ensure that this is the case by running this command on the directory:

chmod go-w filename

For a more in depth discussion of permissions under a Linux system, please read Linux Filesystem Permissions.

  • Is the program writable by anybody else?

The program itself can also not be writable by the group or other classes. To ensure that they are not, run this command on the CGI program itself:

chmod go-w filename

For a more in depth discussion of permissions under a Linux system, please read Linux Filesystem Permissions.

  • Is the program setuid or setgid?

Most people will not run into this issue, but just know that you cannot set the suid or sgid bits on your CGI programs. They will already run as you so there is really no point to do so.

  • Does the user own the file?

You need to make sure that the CGI program is owned by your own user and group ids. It is possible that these have been changed during some administrative operation that we have run. If so, please contact us to have this fixed.

There are actually several more checks that suexec goes through, but they don't need to be mentioned here. For a complete list, check out Apache's documentation on the suexec model.