CGI Security Documentation

CGIWrap Usage with AFS

CGIWrap can be used in AFS environments when directory permissions are configured correctly and administrators understand how unauthenticated script execution affects file access. This page explains the minimum permissions, AFS support option, and practical security behavior that matter in Unix CGI setups.

How CGIWrap Works in AFS Environments

CGIWrap will function with AFS as long as the required directory permissions are in place. In an AFS-based Unix environment, this matters because script execution depends not only on CGIWrap itself, but also on how directories are exposed for lookup and read access. The permission model must allow the web server and CGI execution flow to reach the relevant locations without granting broader access than necessary.

The following directory permissions are presented as a minimum working configuration. These values are intended to support CGIWrap operation in a typical AFS scenario while preserving the general security assumptions that come with running CGI scripts through a controlled wrapper instead of direct execution.

Directory        User or Group     Permissions
~                system:anyuser    l
~/public_html    system:anyuser    l
~/public_html    system:anyuser    rl

If your HTTP server is running authenticated as a specific AFS user ID, you can replace system:anyuser with that user ID. This can provide a more targeted permission model, but it depends on how the server process is configured and how tightly you want file visibility constrained inside the AFS environment.

AFS Support and PAG Creation

When using CGIWrap with AFS, it is a good idea to enable AFS support during configuration by using --with-afs. This option causes CGIWrap to create a PAG for each launched script. The practical benefit is isolation: if a script performs a klog, that authentication state does not spill over to the server process or to other running scripts.

That behavior makes the AFS option especially important for shared environments, multi-user systems, or any Unix server where administrators want cleaner separation between script activity and the web server’s broader security context.

Unauthenticated Script Access

A key point when using CGIWrap with AFS-based accounts is that scripts are run unauthenticated. In practice, that means files accessed by the script are treated as being accessed by system:anyuser. This affects what the script can read and, just as importantly, what it cannot modify.

In most cases, unauthenticated execution means the script will not have write access to the user’s directory. That limitation is important to understand before deploying CGI applications in AFS, because application behavior may appear broken if the script expects to create, update, or manage files in locations that are not writable under system:anyuser.
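
The check below is an added example, not part of CGIWrap or the original page. It parses fs listacl output to show which rights system:anyuser, and therefore an unauthenticated script, effectively holds on a directory, and compares them with the minimum from the permissions table above. The function names and the sample ACL for a user named alice are constructed for illustration.

```sh
# Added example: audit what system:anyuser (an unauthenticated CGIWrap
# script) effectively holds on an AFS directory. Function names are
# illustrative. Real use: fs listacl ~/public_html | check_acl rl

# Print system:anyuser's effective rights: normal minus negative rights.
anyuser_rights() {
    awk '
        /^Normal rights:/   { sec = "n"; next }
        /^Negative rights:/ { sec = "x"; next }
        $1 == "system:anyuser" && sec == "n" { pos = $2 }
        $1 == "system:anyuser" && sec == "x" { neg = $2 }
        END {
            for (i = 1; i <= length(pos); i++) {
                c = substr(pos, i, 1)
                if (index(neg, c) == 0) out = out c
            }
            print out
        }'
}

# check_acl EXPECTED: compare effective rights with the table minimum
# ("l" or "rl"). Prints "ok" or "missing:<rights> excess:<rights>".
check_acl() {
    expected=$1
    actual=$(anyuser_rights)
    missing=""; excess=""
    for r in r l i d w k a; do
        case $expected in *"$r"*) want=yes ;; *) want=no ;; esac
        case $actual in *"$r"*) have=yes ;; *) have=no ;; esac
        if [ "$want$have" = yesno ]; then missing=$missing$r; fi
        if [ "$want$have" = noyes ]; then excess=$excess$r; fi
    done
    if [ -z "$missing$excess" ]; then echo "ok"
    else echo "missing:${missing:--} excess:${excess:--}"; fi
}

# Constructed sample of fs listacl output (not from a real cell).
sample_listacl() {
    cat <<'EOF'
Access list for /afs/example.org/user/alice/public_html is
Normal rights:
  system:anyuser rliw
  alice rlidwka
Negative rights:
  system:anyuser w
EOF
}
sample_listacl | check_acl rl
```

An excess of i, d or w means unauthenticated scripts can create, delete or modify files in that directory, which is broader than the minimum configuration.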