Sun Java System Web Server 6.1 SP11 Programmer's Guide

ProcedureTo create custom execution environments for CGI programs

  1. Log in as the superuser.


  2. Create the private directory for Cgistub:

    cd server_root/https-instance

    mkdir private

  3. Copy Cgistub to the private directory:

    cd private

    cp ../../bin/https/bin/Cgistub .

  4. Set the owner of private to the server user:

    chown user .

  5. Set the permissions on private:

    chmod 500 .

  6. Set the owner of Cgistub to root:

    chown root Cgistub

  7. Set the permissions on Cgistub:

    chmod 4711 Cgistub

  8. You can give each reference to the send-cgi SAF in obj.conf a user parameter. For example:

    Service fn="send-cgi" user="user"

    You can use variable substitution. For example, in server.xml add a VARS subelement to VS (virtual server) element.

    <VARS user="user"/>

    This lets you write the send-cgi SAF line in obj.conf as follows:

    Service fn="send-cgi" user="$user"

    For more information about send-cgi in the obj.conf file and server.xml, see the Sun Java System Web Server 6.1 SP11 Administrator’s Configuration File Reference.

  9. Restart the server to update the changes into effect.

    Note –

    Installing Cgistub in the server_root/https-instance/private directory is recommended. If you install it anywhere else, you must specify the path to Cgistub in the init-cgi function in magnus.conf. For details, see the Sun Java System Web Server 6.1 SP11 NSAPI Programmer’s Guide.

    Note –

    It is not possible to install the suid Cgistub program on an NFS mount, you install your server instance to a local file system.

    Cgistub enforces the following security restrictions:

    • The user the CGI program executes as must have a uid of 100 or greater. This prevents anyone from using Cgistub to obtain root access.

    • The CGI program must be owned by the user it is executed as and must not be writable by anyone other than its owner. This makes it difficult for anyone to remotely execute programs.

    • Cgistub creates its UNIX listen socket with 0700 permissions.

    Note –

    Socket permissions are not respected on a number of UNIX variants, including current versions of SunOS/Solaris. To prevent a malicious user from exploiting Cgistub, change the server’s temporary directory (using the magnus.conf TempDir directive) to a directory accessible only to the server user.

    After you have installed Cgistub you can create custom execution environments by doing the following, as described in this section: