CGI and FastCGI permissions

Overview

All CGI and FastCGI requests operate as the owner of the file and require heightened security to limit malicious behavior. There are a few guidelines that must be adhered to when a CGI or FastCGI script, ending in .cgi, is accessed on your hosting account:

  1. File permissions must be 755 (u=rwx,g=rx,o=rx)
    • Group, Other cannot have write permissions to inject unsafe code into your CGI script
    • Other (web server) must be able to access the file before
  2. Directory permission of the folder in which the CGI script resides must be 755 (u=rwx,g=rx,o=rx)
    • Group, Other cannot create other files in the directory that may be sourced as CGI scripts
    • Other (web server) must be able to open the directory to satisfy the request before wrapping with suEXEC
  3. File owner must match directory owner
    • Prevents injection of arbitrary CGI scripts by other users into the same directory (see #2 above)
  4. File must be executable from the shell
    • suEXEC runs the script in its process space via an execve system call

Permission changes may be made either via FTP or Files > File Manager within the control panel. For a script to work from the shell, it must begin with a shebang on the first line, generally in the form #!/usr/bin/exec args. Examples of common shebangs include:

  • Python: #!/usr/bin/env python
  • PHP: #!/usr/bin/php -q
  • Perl: #!/usr/bin/perl
  • Bash (shell script): #!/bin/sh

Note: these all have #! in common on the first line. This notation is called the “shebang” and follows the pattern: <shebang><path to executable> followed by a Unix-style newline (\n). If the shebang line ends with a Mac or Windows-style EOL marker (\r and \r\n respectively), the script will fail. EOL markers may be changed within the control panel.
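
The four guidelines and the EOL rule above can be checked in one pass before uploading a script. The following is an added example, not part of the original article or of suEXEC itself; the function name check_cgi is hypothetical, and it assumes "must be 755" means the mode is exactly 755.

```python
import os
import stat
import tempfile

def check_cgi(path):
    """Return a list of violations of the guidelines above (empty list = OK)."""
    problems = []
    st = os.stat(path)
    dst = os.stat(os.path.dirname(os.path.abspath(path)))

    # Guidelines 1 and 2: file and containing directory must both be 755.
    for label, s in (("file", st), ("directory", dst)):
        mode = stat.S_IMODE(s.st_mode)
        if mode != 0o755:
            problems.append(f"{label} mode is {mode:03o}, expected 755")

    # Guideline 3: file owner must match directory owner.
    if st.st_uid != dst.st_uid:
        problems.append("file owner differs from directory owner")

    # Guideline 4: the first line must be a shebang terminated by a bare \n
    # and must name an interpreter that can be executed.
    with open(path, "rb") as fh:
        first = fh.readline()
    if not first.startswith(b"#!"):
        problems.append("first line is not a shebang")
    else:
        if b"\r" in first:
            problems.append("shebang line contains \\r (Mac or Windows EOL)")
        words = first[2:].split()
        if not words or not os.access(words[0], os.X_OK):
            problems.append("shebang interpreter is missing or not executable")
    return problems

if __name__ == "__main__":
    # Constructed sample: a script saved with Windows line endings and mode 775.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        script = os.path.join(d, "hello.cgi")
        with open(script, "wb") as fh:
            fh.write(b"#!/bin/sh\r\necho 'Content-Type: text/plain'\r\n")
        os.chmod(script, 0o775)
        for problem in check_cgi(script):
            print(problem)
```

Run against the constructed sample, it reports both the group-writable mode and the \r in the shebang line.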

See Also

Permission overview

Updated on March 7, 2021
