What is cgiwrap?
Cgiwrap is a “script wrapper” program that allows people to use CGI scripts while removing the risk of output files being harmed if another pair Networks user account has been compromised.
As an added benefit, cgiwrap can also make the standard error output of your scripts visible through your Web browser, which is useful for debugging purposes.
When should cgiwrap be used?
You should use cgiwrap when you need a program to be able to read and write files under your username or when you want to hide files from other pair Networks customers on your server (particularly if you have sensitive files on the server that contains passwords, proprietary data, etc.).
While using cgiwrap on sensitive files offers a level of security against casual browsing of your files, it also has the potential of leaving all your files vulnerable if your files that have been “wrapped” using cgiwrap were compromised. If a script that you have wrapped is compromised, then the hacker would have access to run programs and delete and modify files from your username, allowing virtual access to all of your files. Bottom line: using cgiwrap will enhance the security of the wrapped file but will potentially increase the risk to non-wrapped files.
While there are benefits of using cgiwrap to secure your sensitive data files, you just need to make certain that the scripts themselves are securely written.
Please note that if you use cgiwrap on many of your files, this could cause a slow down in server performance and thus a potential slowdown in the performance of your Web site.
One reason people use cgiwrap is to hide sensitive information such as passwords. One way of hiding passwords is to change permissions for certain files.
To hide passwords, you must set the permissions for the file that includes the passwords to “700.” Changing permissions can be done by using the “chmod,” or change modes, command. Please take a look at the example below to see how this is done:
chmod 700 example_file.txt
This sets the “owner” permissions to execute, read, and write, and takes away permissions for the “group” and “other.”
With the file set to 700, you could place the password directly into the file itself or place the login information into a file in your home directory. If you create a “login information file,” be sure to set the permissions for this file to 700 and include the file into the application that needs it.
For more information on file permissions, visit our Knowledge Base article:
cgiwrap looks in your cgi-bin directory, or subdirectories, for scripts. For security reasons, it will not look anywhere else. To execute scripts using cgiwrap, it must be owned by your pair Networks username and the default group (normally “users”).
To use cgiwrap with a script in your cgi-bin directory, you need to use a different URL. If the URL to your script is presently:
You need to rewrite the URL as follows to use cgiwrap:
then the URL to your script will run the non-debugging version of cgiwrap. Cgiwrap also has a special debugging mode, which you can use by replacing cgiwrap with cgiwrapd. Using cgiwrapd will cause environment variables and other information to be returned to the browser, along with the plaintext output of your script. This is often useful for tracking errors.
If you need assistance using cgiwrap on your scripts, you can contact our friendly support staff at firstname.lastname@example.org.
Important Note about cgiwrap URLs
If your pair Networks Web hosting account is on the Web server gamma, you must use http://www2.pair.com/cgi-bin/cgiwrap/… for the second URL above (you can use /cgi-sys/ as normal, however).
If your account is on the Web server epsilon, you must use http://www3.pair.com/…, and so forth for other servers. For this reason, it’s always a good idea to refer to cgiwrap and other system CGI with /cgi-sys/, which will always work.
To find out the name and corresponding number of your pair Networks server, please reference your Welcome Message or login to the ACC.