cgiwrap


Ste
11-05-2002, 05:45 AM
Does InsiderHosting support CGIwrap? (i.e. can I install my CGI scripts outside of the cgi-bin and have them execute as my account rather than nobody for a little extra security?) I'm gonna test this on my own anyway, just thought it might be nice to have something for others to refer to later if they have the same questions. :)

Ste
11-05-2002, 05:47 AM
Hrm, so far it seems like cgiwrap is allowed ... excellent. :)

Steven
11-05-2002, 08:11 AM
Also something to note is that with the way our server is set up with suEXEC installed, the scripts that people run in their cgi-bins run as that user instead of running as nobody.

-Steven

Aaron
11-05-2002, 02:43 PM
I'm pretty ignorant when it comes to scripting, so I'm going to take this opportunity to ask a couple of questions.

Does the CGIwrap mean that I can run cgi scripts in any directory without having to do anything special?

Does the SuExec mean that I can run cgi scripts within the cgi-bin without having to change permissions?

Could you explain to me the security benefits of one over the other, assuming they are mutually exclusive?

Is it better to have cgi scripts inside the cgi-bin or outside, and why?

Ste
11-05-2002, 03:21 PM
Originally posted by Aaron
Does the CGIwrap mean that I can run cgi scripts in any directory without having to do anything special?

Well, apart from setting the correct permissions for the cgi scripts and making sure that they are uploaded correctly, there's really no difference in setting them up inside or outside of the cgi-bin.

Does the SuExec mean that I can run cgi scripts within the cgi-bin without having to change permissions?

You still need to change permissions - changing the permissions ensures that the operating system knows that the script is executable and doesn't just attempt to read the file.

Could you explain to me the security benefits of one over the other, assuming they are mutually exclusive?

Well, in my experience, there are a few benefits of cgiwrap. First, you don't need to make a directory/file world-writable for the script to be able to write it. World-writable files are bad. Second, most script kiddies check the cgi-bin for exploitable scripts - if you install your cgi scripts elsewhere, they will have to hunt harder to find them. (And thus, they are more likely to give up rather than hunt.) I know that security through obscurity isn't the best option, but it's better than nothing sometimes. :) For better security, you should always make sure that your cgi scripts are running at the most recent stable version. For best security, of course, you shouldn't run cgi at all, but well, it's still very useful.

Is it better to have cgi scripts inside the cgi-bin or outside, and why?

Depends on personal preference, really. In my case, I usually put single file scripts inside the cgi-bin (in its own separate directory) and larger scripts elsewhere. That's just the way I like to do it. Doesn't mean it's better or worse. :)
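
An added example, not part of any post in this thread: a shell audit for the permission points raised above, listing world-writable paths under a web root and CGI scripts that lack the execute bit or are writable by group or other. The `*.cgi`/`*.pl` name patterns and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: permission audit for a shared-hosting web root.
# Assumption: CGI scripts are named *.cgi or *.pl; adjust for your site.

# Files and directories that any local account can modify.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# CGI scripts writable by group or other. Apache suEXEC refuses to run these.
cgi_writable_by_others() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) \
        \( -perm -0020 -o -perm -0002 \) -print
}

# CGI scripts without the owner execute bit; the server cannot execute them.
cgi_not_executable() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) ! -perm -0100 -print
}

# Run every check; print findings per check and return 1 if there were any.
audit_webroot() {
    root=$1
    findings=0
    for check in world_writable cgi_writable_by_others cgi_not_executable; do
        out=$("$check" "$root")
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$check" "$out"
            findings=1
        fi
    done
    return "$findings"
}

# Usage: sh audit.sh /path/to/public_html
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

With suEXEC or cgiwrap running scripts as the account owner, a typical clean result is scripts at mode 755 (or 700) and data files at 644 (or 600), with nothing reported by any of the three checks.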

Aaron
11-06-2002, 08:02 AM
Thanks for that explanation. I appreciate you taking the time to answer all my questions.

I guess my concern is that I'm running Movabletype from my cgi-bin and I want to be sure it's as secure as possible and yet still usable.