CGI/SSI technologies

Using CGI/SSI technologies in web services (users.jyu.fi/groups.jyu.fi).

CGI/SSI

This document contains information about using CGI and SSI on the server for services hosted on groups.jyu.fi and users.jyu.fi.

In the server for group and user personal pages, suexec is used for executing CGI scripts in the users’ home directories. Execution of CGI scripts is allowed only in the cgi-bin subdirectory (and its subdirectories) of the www pages. Therefore, all CGI scripts should be placed there.

If you want to use cgi- scripts, follow these steps:

1. Create a directory named cgi-bin under your homepage where you’ll place your CGI scripts.
2. Regardless of the programming language used, the script file extension should be .cgi.
3.  At the beginning of the script file, specify the interpreter through which it will be executed. Examples:
   
   1. For Bash scripts: #!/bin/bash
   2. For Python scripts: #!/usr/bin/python
   3.  For Perl scripts: #!/usr/bin/perl
4. Verify the file permissions according to the suexec requirements.

The most common problems caused by suexec:

There are documents on the Apache website:

http://httpd.apache.org/docs/2.4/suexec.html

http://httpd.apache.org/docs/2.4/mod/mod_include.html

suEXEC is a feature of the Apache HTTP Server that allows the execution of CGI (Common Gateway Interface) and SSI (Server Side Includes) programs with different user rights.

In practical terms, this means that CGI/SSI programs located in a user’s home directory are executed with that user’s privileges.

Because suEXEC is designed to improve server security, suEXEC has built-in strict requirements for file permissions, etc.

• The owner and group of the directory containing the executable file must match the user’s (uid/gid). You can retrieve this information on a Unix-based system using the "id" command.
• The owner and group of the file being executed must be the same as the user running the file.
• No one other than the user/group may have write access to this directory and the executable file.
• The <!--#exec cmd="command"--> used in SSI pages (*.shtml) is very strictly limited when using suEXEC. The command to be executed must not contain spaces or other special characters, but the "command" is interpreted as a single command. In addition, the "command" must be found in the same directory as the shtml page containing the command.

If you need to execute multiple commands or pass parameters to the command, create a separate command file. Then, use the cmd="..." attribute to specify the name of the command file.

For example, cmd="echo Testing cmd" will not work, but "echo Testing cmd" must be put in a file (e.g. command.sh) and change 'cmd' to 'cmd="command.sh"'. In addition, the command.sh file must be given execute permission (e.g. chmod +x command.sh).

SELinux and how to consider it

Note that in addition to the suexec restrictions above, the server has selinux restrictions. SELinux (Security Enhanced linux) is a technology that enables rule-based access control. Most of the time you don't need to worry about these as it just enforces suexec restrictions but occasionally permissions can go wrong. This technology is used on the {users, groups}.jyu.fi servers. In practice, this is shown to users by marking files of a certain type that the web server is allowed to operate on.

The base type for web files is httpd_user_content_t, while executable programs (scripts) follow the format httpd_user_script_exec_t. For example, the type for .htaccess files is httpd_user_htaccess_t. In this context, we also refer to the SELinux context, which includes not only the type information mentioned earlier but also role information and, optionally, multi-level security (MLS). In English, these concepts correspond to Role-Based Access Control (RBAC), Type Enforcement (TE), and, optionally, Multi-Level Security (MLS).

When examining individual file details (using the -Z option to display SELinux information):

> ls -lahZ index.html
-rw-rwxrwx. testuser users unconfined_u:object_r:httpd_user_content_t:s0 index.html

At the beginning, you see the file permissions in the form of user, group, and others’ rights (in rwx format). These indicate read, write, and execute permissions for the file. Then comes the selinux context format user:role:type:level syntax

More about file permissions in linux: https://linux.fi/wiki/Tiedoston_oikeudet

Executable files can only reside in the user’s cgi-bin directory due to Apache’s suexec requirement. Additionally, an executable file must have the type httpd_user_script_exec_t and execute permission enabled. Usually, SELinux context is automatically set correctly, but not always.

The only way to verify and correct the situation is to deactivate the web account activation on salasana.jyu.fi and then reactivate it. This operation will perform a check on the user's home page files and fix any problems.

The Selinux context can also be edited with the chcon command by first giving it a completely new selinux- context and then the name of the file whose selinux- context is being edited, for example the k.txt file below:

> ls -Z k.txt
-rwxr-xr-x. testuser users system_u:object_r:httpd_user_content_t:s0 k.txt
> chcon system_u:object_r:httpd_user_script_exec_t:s0 k.txt
> ls -Z k.txt
-rwxr-xr-x. testuser users system_u:object_r:httpd_user_script_exec_t:s0 k.txt

These changes made with the chcon- command are not retained after reactivation. So it is suitable for testing if you suspect a selinux problem.

Read more about selinux:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index