How do I run CGI (Perl, PHP, etc) at SEAS?
Note: as of 2/14/10 all http traffic on fling.seas and alliance.seas is redirected to use https instead. A 301 redirect is used, so search rankings will not be impacted.
The Common Gateway Interface (CGI) is a protocol designed to pass information from the browser to the server, and back again. A CGI program runs on the server and generates dynamic HTML for the browser to display. CGI programs can be written in several different languages, the most common being Perl, Python and PHP. We run Perl 5, Python 2.7, and PHP 5.
- Registration is required to use CGI
- CGI on Fling.seas & Alliance.seas
- Security / Penetration Testing
- How to get your CGI script up and running
- Other Guidelines
- Code Review Service
- Troubleshooting CGI issues
Note: If you need CGI enabled for a class, please check with your TA. Usually we enable CGI on all student accounts in a class when we get a request from the TA or professor.
If you would like CGI enabled on your account, please visit the CGI Activation Request Form.
- Make sure you have a working webpage in your html directory.
- Check http://fling.seas.upenn.edu/~youraccount where youraccount is your account name.
- If you can view your index.html page, CGI is enabled on your account.
Fling.seas and Alliance.seas are the latest CGI web servers at SEAS. Scripts on Fling.seas and Alliance.seas are protected by the Apache suEXEC facility.
Local logins on Fling and Alliance have been disabled. You can create and/or modify your scripts by accessing your SEAS home directory on eniac.seas.upenn.edu via ssh or sftp.
Not all home directories will be available on Fling and Alliance. Only the home directories that have CGI enabled will be available (on the machine on which CGI is enabled).
Fling and Alliance are identical machines with the same configurations. Alliance.seas is for production sites and services run by faculty and staff. Everyone should use Fling.seas for experiments and development.
It is your reponsibility to keep any third party CGI applications you install up to date with the latest security patches. All SEAS sites using CGI will be periodically scanned for security vulnerabilities. If a vulnerability is discovered, you will be informed via email, and you will have at most two weeks to fix the problem. More urgent problems will need to be fixed more quickly. If necessary, we may disable CGI for your site until your fix the problem.
1. If you haven't done so, register your account for CGI.
2. Scripts need to be run in the correct directory. In order to make your CGI scripts accessible to the web server running on Fling.seas or Alliance.seas you must install them under one of the following directories:
Remember that, as for regular
web pages, your home directory,
html directory, and
any directories down the tree to your script (including your
cgi-bin directory) must all be world-executable in order to access the contents
via the web. Here is how to make a cgi-bin directory, starting from your home directory:
chmod a+x ~ ~/html ~/html/cgi-bin
3. Scripts need the proper file extension and shebang line (for Perl and Python). Perl
scripts have to have a
.pl file extension. Python scripts need a
.cgi extension. PHP scripts need to have a
.php file extension.
All Perl and Python scripts that are executed need to have the correct filename extension,
and the shebang line needs to be the first line of the script. PHP files need the correct extension but do not need a shebang line.
Perl / CGI scripts should start with the following shebang line:
Python scripts should start with the following shebang line:
PHP scripts do not need a shebang line.
Included files that are not directly executed do not need the shebang line and can use other extensions like
For PHP: Your PHP script executes as the owner of the file and only needs owner read permissions (400). It will not run if the file or directory it resides in are world writable.
For Perl/Python: The permissions on your Perl/Python script need to be owned and executable by the owner of the directory. Other group and world permissions will work, but in general it is safest to just use the minimum permissions unless you have specific reasons for doing otherwise. To do this, move to the directory where your script is stored and use the Unix chmod command:
chmod 700 scriptname
The script only needs to be readable and executable by the owner (chmod 500 or chmod o+rx) to run. You probably want to add write permission for yourself to make it easier to update the program (chmod 700 or chmod u+rwx). Only add additional permissions if you intend to share the file with other people who have SEAS accounts.
The script, the script directory, and the sub-directory in which the script directory is located must all have the same userid and groupid, and must not be world or group writable. If the error log is complaining about incomplete headers, check the group IDs.
5. Run dos2unix or mac2unix for files created in Windows or MacOS. If you create your file in Windows or Mac OS before uploading them, you may need to run dos2unix or mac2unix in a unix shell on a SEAS unix machine to convert the end of line characters. To do so, go to the directory that holds your script and run the following command.
For Windows files:
For Mac OS:
6. Test for syntax errors by running at the command line. By running your script at the command line, you will see the errors generated by Python, Perl, or PHP. To run your script at the command line, go to the directory that contains the script you want to run and type (replace "scriptname" with the name of your script).
For Perl and Python:
Fling.seaswhere username would be replaced by your SEAS username and scriptname would be replaced with the path of the script you wish to access.
1. You can't use symlinks to execute CGI scripts.
2. CGI write permissions. By default, Perl and Python scripts execute with the same privileges as the user account they are being run from. Therefore, CGI scripts can write to directories or files as long as the user account it's in has write permissions for the directory or file. PHP scripts execute as the user who owns the file.
If you have any questions about the security of your code, or would just like another pair of eyes looking for vulnerabilities, CETS offers a code review service. Please send us an email if you are interested.
Before the code review, please review the Fling/Alliance policy article.
- Login to the Configure your SEAS Account page.
- On the left navigation bar, click the "Manage Web Page" tool.
- On the next page, click the first bullet item entitled "Configure my SEAS account for web pages".
- Click the "Continue" button to start the check. It may take a few minutes for the script to run.
- The results page will tell you have any permission problems.
Problem: You don't have a cgi-bin directory.
Solution: Your cgi-bin (or wiki or dynamic) directories are not created automatically. See the explanation above for more information.
Problem: CGI is enabled on your account, but scripts aren't running correctly.
Solution: This could be caused by a number of different issues:
- Follow the directions above to check whether CGI is enabled for your account.
- Check the permissions on your directories are correct by using the Manage Web Page tool on your accounts page.
- Verify that your script has the correct permissions.
- Make sure you are running your script from from fling or alliance - more information.
- Verify you have the correct shebang line in your script.
- If your script was created in Windows or Mac OS, run dos2unix or mac2unix on the script.
Problem: All of the items listed above appear to be correct, but my script is still not working.
Solution: You may have a problem with your code, so we are going to check to make sure php is working correctly in your account. If you currently have a "index.php" script in your cgi-bin directory, please remove it or rename it. Run the Manage Web Page tool on your accounts page to create a test index.php file. Now run the file by visiting this URL in your favorite browser (if you are running CGI on Alliance, change "fling" to "alliance"):
If PHP is working correctly, you should see the text "Sample CGI PHP Script".
Problem: Your browser doesn't display error messages when you try to troubleshoot your script.
Solution: Try running the script at the command line to see the full output, including any errors.