Introduction
All users with a UNIX account can use a portion of their available disk space to run CGI scripts to enhance their web pages. The steps outlined below will show you how to run and maintain CGI scripts on your UNIX account. All users who elect to use this service are responsible for the impact of their scripts on the University’s Computing servers. Specifically, the following types of scripts are not allowed:
- Any script that adds an excessive load.
- Any script which compromises the security of our servers.
Use of either type of script will result in a warning message. Only one warning message will be sent. Upon a second violation, your CGI access will be suspended. Users also assume all responsibility for damage inflicted via their CGIs. Support is not provided beyond basic setup questions addressed in this document and server-related problems.
This document assumes you already have an active UNIX account and an understanding of basic UNIX commands. If you require additional information on accounts, see the "Accounts" section of the ITS web pages (see address above). For more information on basic UNIX commands, see the Quick Start titled "Common UNIX Commands" available in the "Documentation" section of the ITS web pages.
Creating a CGI Directory in Your Account with "startcgi"
To create your CGI directory, type startcgi at the command prompt from your home directory. This script creates a public_cgi subdirectory where your CGIs will be stored. (You need only to run this command once.)
Creating a Sample CGI
All CGI scripts must be placed in your public_cgi directory and named with a ".cgi" file extension. (Our CGI server will only recognize scripts that end with ".cgi" — i.e. not .pl or .exe...) In the example below, you will create a very basic script called "hello.cgi". Using the "pico" text editor (pico is a good editor for beginners), you will create a script which will simply print the words "Hello World!" in your browser window. To create this sample CGI, follow the instructions below.
- Type pico public_cgi/hello.cgi at the command prompt.
- Type in the script as shown below:
#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo "Hello World!"
- Hit Ctrl-X, then hit the Y and Enter keys to save your script.
You should now be back to the UNIX command line prompt.
Making Your Script Accessible with "setcgi"
To allow web browsers to view any newly created or uploaded CGI scripts, you must type setcgi at the command prompt. The setcgi command descends the public_cgi directory, if it exists, and sets the appropriate file permissions on the public_cgi directory and any subdirectories so that your CGIs will function properly.
Linking to Your CGIs
Provided that you have followed the steps above properly, you can link to your scripts from a web browser by using the following address format:
http://cgi.albany.edu/~your_userid/script_name.cgi
For example: http://cgi.albany.edu/~ab1234/hello.cgi
Please remember:
1. Any time you add new scripts to your public_cgi directory, you must remember to run setcgi.
2. CGI scripts may only be linked to from albany.edu domain sites.
3. In order for scripts to execute properly, they must have a ".cgi" file extension.
Transferring CGIs to a UNIX account
If you have already created CGI scripts and wish to move the files to your account via an Internet connection, please see the Quick Start titled "Using WS_FTP". (Note: You will still need to upload these files to the public_cgi directory on your account and then set the permissions appropriately by using the setcgi command.)
Writing/Securing CGI scripts
All CGI scripts are executed under the owner’s userid. Therefore, any script that you use will have access to all files and directories that your account has access to, and have the potential to modify or send messages in your name. With this in mind, security is an important issue when dealing with CGI scripts. Although it is difficult to guarantee that a script is entirely safe, it is important to examine scripts and understand their functionality. If you do not understand the language that a script is written in or do not understand exactly what the script does, you should not use it. Accordingly, you should be conscious of the following when writing or securing a CGI script.
- Keep scripts as simple as possible. Do not introduce unnecessary language or use scripts that have unnecessary language, as these can often put undue stress on the system and introduce possible security risks.
- Do not read or write files on the host system unless absolutely necessary and done in a controlled way. Scripts which read files may violate access restrictions you have put in place, while scripts that write files have the potential to damage documents or introduce other more hazardous files to the system.
- Try to keep your script from interacting with many host programs, as this may increase system load and make unsecured information available.
- Always validate user input from forms. Failing to check form input can open many security holes.
- Use absolute rather than relative pathnames, and do not rely on environmental settings. This is a good programming practice in general and can prevent several problems.
- Do not execute user input, as scripts are commonly exploited in this manner.
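The guidelines above applied to a small /bin/sh CGI, as an added example that is not part of the original document: it fixes PATH itself, parses the query string without eval, checks the value against an allow-list, and only then uses it in an absolute pathname. The form field "name" and the directory /home/ab1234/cgi_data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not ITS code). Field "name" and DATA_DIR are hypothetical.

# Do not rely on the inherited environment: fix PATH before anything runs.
PATH=/bin:/usr/bin
export PATH
DATA_DIR=/home/ab1234/cgi_data   # absolute path, kept outside public_cgi

# Pull one field out of a query string using only shell built-ins (no eval).
get_field() {   # $1 = query string, $2 = field name
    rest=$1
    while [ -n "$rest" ]; do
        pair=${rest%%&*}
        case $pair in
            "$2="*) printf '%s' "${pair#*=}"; return 0 ;;
        esac
        case $rest in
            *'&'*) rest=${rest#*&} ;;
            *)     rest= ;;
        esac
    done
    return 1
}

# Allow-list check: 1 to 32 letters, digits or underscores, nothing else.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Build the whole response. Input is only ever used as data, never as code.
handle_request() {   # $1 = query string
    echo "Content-type: text/plain"
    echo ""
    name=$(get_field "$1" name) || name=
    if ! valid_name "$name"; then
        echo "Invalid or missing name."
    elif [ -f "$DATA_DIR/$name.txt" ]; then
        cat "$DATA_DIR/$name.txt"
    else
        echo "Hello, $name!"
    fi
}

handle_request "${QUERY_STRING:-}"
```

Because the allow-list rejects "/", "." and shell metacharacters, a value such as ../../etc/passwd never reaches the pathname or any command.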
CGI Creation Summary
- If preparing to use the CGI service for the first time, run startcgi to create your CGI directory (public_cgi).
- Create your script using a text editor, or upload an existing script. Remember that all scripts must reside in the public_cgi directory.
- Check your script for security using the guidelines above.
- Run setcgi to make your CGI accessible.
- Link to your CGI script at http://cgi.albany.edu/~your_userid/script_name.cgi
Resources for Writing CGI Scripts
Additional resources for writing CGI scripts are available at:
http://www.albany.edu/its/web/webresources.html
Information Technology Services Helpdesk, LC-27
(518) 442-3700
Submit a Help Desk Request at:
http://www.albany.edu/its/help/help-request.html