CGI Security Documentation

CGIWrap Comments from Administrators

This page collects administrator remarks and historical feedback about CGIWrap from people who used it in real Unix and web hosting environments. These comments help show how the tool was perceived in practice, especially in areas like secure CGI execution, script ownership, debugging, and day-to-day server administration.

Beyond technical documentation, administrator impressions add useful context because they highlight what mattered most in production use. Performance, simplicity, accountability, and safer script handling all appear repeatedly in the feedback, which helps explain why CGIWrap remained relevant in shared and multi-user CGI setups.

Administrator Feedback and Reviews

The comments below preserve user perspectives on CGIWrap as a practical Unix CGI security utility. To make them easier to read, they are styled more like personal testimonials while still retaining the original substance of the administrator feedback.

Administrator Feedback

Server administrator review

★★★★★

I just thought I would drop you a note, saying that I absolutely adore cgiwrap.

Prior to now, I had been using Apache suexec. To be blunt, suexec is a disgusting piece of crap. ...snip... I literally had to re-code parts of suexec to get it to work under my server configuration ...until I encountered cgiwrap.

Your product works flawlessly, and fits my every need. It's extraordinarily fast, and its simplicity makes it an awesome prerequisite for any webmaster who wishes to run scripts in a secure environment.

The best part about cgiwrap is its simplistic, yet useful, ability to redirect stderr to stdout. With so many CGI scripts available, and so many written in different environments, it's about time something came along which could make the debugging process as simple as cake.

Thank you for cgiwrap.

“Where is fancy bread? In the heart, or in the head?” - WW

Administrator Commentary

Unix hosting perspective

★★★★☆

It is inherently impossible to provide total protection, but there is a nifty little utility called cgiwrap that can help.

This method has several advantages. It runs the CGI script as your userid, not as some server-defined userid. Assuming you are an ordinary user, this reduces the risk of damaging the system while increasing the risk of mucking up your own files. That tradeoff is precisely what many admins on big sites want; it shifts the risk from a badly written script onto its author, rather than the sysadmin.

Also, the fact that it runs as you means that if you do something dumb or nasty with it, the administrators have a better chance of determining who is responsible. If a CGI script hangs and fails to die, you can kill it yourself; if it runs as some special userid then only the system administrator can kill it should it run amuck.

It also does some security checking for common holes. For instance, it checks that the owner of the directory where the script is found also owns the script. If you call cgiwrap as cgiwrapd then you'll get special debugging output; I've found this extremely helpful in testing.

Nothing is bulletproof, but cgiwrap clearly offers meaningful help in controlling CGI risk and making script ownership more accountable.

Historical administrator observations on CGI security and accountability

Together, these comments reinforce some of CGIWrap’s most practical strengths: running scripts under the responsible user account, improving accountability in shared environments, adding checks around common CGI security issues, and offering debugging behavior that made testing more manageable for administrators.
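
The ownership check mentioned in the second comment (the owner of the directory where a script is found must also own the script) can also be run as an audit over a user's CGI directory. The Python below is an added example, not CGIWrap's own code; the function names, the refusal of symlinks, and the tree walk are assumptions of this example.

```python
import os
import stat
import sys


def check_script_owner(script_path, lstat=os.lstat):
    """Return a list of problems; an empty list means the check passed.

    lstat is injectable so the logic can be exercised without root.
    """
    script_path = os.path.abspath(script_path)
    parent = os.path.dirname(script_path)
    try:
        # lstat, not stat: a symlink must not borrow the owner of its target.
        s = lstat(script_path)
        d = lstat(parent)
    except OSError as exc:
        return [f"cannot stat: {exc}"]

    problems = []
    if not stat.S_ISREG(s.st_mode):      # example's own choice: regular files only
        problems.append("script is not a regular file")
    if not stat.S_ISDIR(d.st_mode):
        problems.append("parent is not a directory")
    if s.st_uid != d.st_uid:             # the check described in the comment above
        problems.append(f"script uid {s.st_uid} != directory uid {d.st_uid}")
    return problems


def audit_tree(root, lstat=os.lstat):
    """Map every file under root that fails the check to its list of problems."""
    root = os.path.realpath(root)        # resolve a symlinked root once, up front
    failures = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            problems = check_script_owner(path, lstat)
            if problems:
                failures[path] = problems
    return failures


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, problems in sorted(audit_tree(target).items()):
        print(path, "; ".join(problems))
```

Run it with a CGI directory as the only argument; each line of output names a file that would fail the ownership test and why.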