How do I run CGI (Perl, PHP, etc) at SEAS?
The Common Gateway Interface (CGI) is a protocol designed to pass information from the browser to the server, and back again. A CGI program runs on the server and generates dynamic HTML for the browser to display. CGI programs can be written in several different languages, the most common being Perl, Python and PHP. We run Perl 5, Python 2.7, and PHP 5.
- Registration is required to use CGI
- CGI on fling & alliance
- Security / Penetration Testing
- How to get your CGI script up and running
- Other Guidelines
- Code Review Service
- Troubleshooting CGI issues
Note: If you are a student and need CGI enabled for a class, please check with your TA. Usually we enable CGI on all student accounts in a class when we get a request from the TA or professor.
If you would like CGI enabled on your account, please visit the CGI Activation Request Form.
The CGI web servers at seas are named fling.seas.upenn.edu and alliance.seas.upenn.edu. Scripts on fling and alliance are protected by the Apache suEXEC facility.
Local logins on these servers have been disabled. You can manage your scripts in your SEAS home directory on eniac.seas.upenn.edu using ssh or sftp.
Web pages will only be served from the html directory of an account's home directory on fling or alliance if CGI has been enabled for the account on the respective server.
fling and alliance are identical machines with the same configurations. alliance is for production sites and services run by faculty and staff. fling is for experiments and development.
Note: All http traffic on fling.seas.upenn.edu and alliance.seas.upenn.edu is redirected to use https instead.
- First, make sure you have a working webpage in your
- In a web browser, open https://fling.seas.upenn.edu/~username/ or https://alliance.seas.upenn.edu/~username/ where username is your account name.
- If you can view your index.html page, CGI is enabled on your account.
It is your reponsibility to keep any third party CGI applications you install up to date with the latest security patches. All SEAS sites using CGI will be periodically scanned for security vulnerabilities. If a vulnerability is discovered, you will be informed via email, and you will have at most two weeks to fix the problem. More urgent problems will need to be fixed more quickly. If necessary, we may disable CGI for your site until your fix the problem.
1. If you haven't done so, register your account for CGI.
2. Scripts need to be run in the correct directory. In order to make your CGI scripts accessible to the web server running on fling or alliance you must install them under one of the following directories:
Remember that, as for regular
web pages, your home directory,
html directory, and
any directories down the tree to your script (including your
cgi-bin directory) must all be world-executable in order to access the contents
via the web. Here is how to make a cgi-bin directory, starting from your home directory:
chmod a+x ~ ~/html ~/html/cgi-bin
3. Scripts need the proper file extension and shebang line (for Perl and Python). Perl
scripts have to have a
.pl file extension. Python scripts need a
.cgi extension. PHP scripts need to have a
.php file extension.
All Perl and Python scripts that are executed need to have the correct filename extension,
and the shebang line needs to be the first line of the script. PHP files need the correct extension but do not need a shebang line.
Perl / CGI scripts should start with the following shebang line:
Python scripts should start with the following shebang line:
PHP scripts do not need a shebang line.
Included files that are not directly executed do not need the shebang line and can use other extensions like
For PHP: Your PHP script executes as the owner of the file and only needs owner read permissions (400). It will not run if the file or directory it resides in are world writable.
For Perl/Python: The permissions on your Perl/Python script need to be owned and executable by the owner of the directory. Other group and world permissions will work, but in general it is safest to just use the minimum permissions unless you have specific reasons for doing otherwise. To do
this, move to the directory where your script is stored and use
chmod 700 scriptname
The script only needs to be readable and executable by the owner
chmod 500 or
chmod o+rx) to run. You probably want to add write
permission for yourself to make it easier to update the program (
chmod u+rwx). Only add additional permissions if you intend to
share the file with other people who have SEAS accounts.
The script, the script directory, and the subdirectory in which the script directory is located must all have the same userid and groupid, and must not be world or group writable. If the error log is complaining about incomplete headers, check the group IDs.
mac2unix for files created in Windows or MacOS. If you
create your file in Windows or Mac OS before uploading them, you may need to
mac2unix in a unix shell on a SEAS
unix machine to convert the end of line characters. To do so, go to the
directory that holds your script
and run the following command.
For Windows files:
For Mac OS:
6. Test for syntax errors by running at the command line. By running your script at the command line, you will see the errors generated by Python, Perl, or PHP. To run your script at the command line, go to the directory that contains the script you want to run and type (replace "scriptname" with the name of your script).
For Perl and Python:
where username would be replaced by your SEAS username and scriptname would be replaced with the path of the script you wish to access.
1. You can't use symlinks to execute CGI scripts.
2. CGI write permissions. By default, Perl and Python scripts execute with the same privileges as the user account they are being run from. Therefore, CGI scripts can write to directories or files as long as the user account it's in has write permissions for the directory or file. PHP scripts execute as the user who owns the file.
If you have any questions about the security of your code, or would just like another pair of eyes looking for vulnerabilities, CETS offers a code review service. Please send us an email if you are interested.
Before the code review, please review the Fling/Alliance policy article.
- Login to the Configure your SEAS Account page.
- On the left navigation bar, click the "Manage Web Page" tool.
- On the next page, click the first bullet item entitled "Configure my SEAS account for web pages".
- Click the "Continue" button to start the check. It may take a few minutes for the script to run.
- The results page will tell you have any permission problems.
Problem: You don't have a cgi-bin directory.
Solution: Your cgi-bin (or wiki or dynamic) directories are not created automatically. See the explanation above for more information.
Problem: CGI is enabled on your account, but scripts aren't running correctly.
Solution: This could be caused by a number of different issues:
- Follow the directions above to check whether CGI is enabled for your account.
- Check the permissions on your directories are correct by using the Manage Web Page tool on your accounts page.
- Verify that your script has the correct permissions.
- Make sure you are running your script from from fling or alliance - more information.
- Verify you have the correct shebang line in your script.
- If your script was created in Windows or Mac OS, run dos2unix or mac2unix on the script.
Problem: All of the items listed above appear to be correct, but my script is still not working.
Solution: There may be a problem with your code, so check to make sure php is working correctly in your account.
- If there
index.phpscript in your cgi-bin directory, rename it.
- Run the Manage Web Page
tool on your accounts page to create a test
https://alliance.seas.upenn.edu/~username/cgi-bin/index.phpin your web browser.
If PHP is working correctly, you should see the text "Sample CGI PHP Script".
Problem: Your browser doesn't display error messages when you try to troubleshoot your script.
Solution: Try running the script at the command line to see the full output, including any errors.