
CGIWrap and suEXEC

Co-authored by Elise Bauer and Arvind Satyanarayan.
Tutorial cross posted on Movalog and Learning Movable Type

The installation instructions in the Movable Type Install Guide contain a section in the Configuration area called Enable Security Features. These instructions tell you to uncomment the Umask lines in your mt.cfg if your server is running cgiwrap or suexec. If you don't know what CGIwrap or suEXEC are, you may be tempted to skip this step. Don't. This step gives your MT installation extra security, which we will explain. (Note that this tutorial is only appropriate for MT installations on Linux/Apache web servers.)

What is CGIWrap or suEXEC?

CGIWrap and suEXEC are features installed by your web host that give extra security to your files in a shared server, or "virtual host", environment. Most Movable Type weblogs are hosted at commercial web hosts who are able to give their customers affordable server space by hosting the files of several customers on a shared server. Without CGIWrap or suEXEC, every cgi script on the machine runs as the web server's own account (typically "nobody" or "apache"), which is shared by all customers. Files the script creates are owned by that account, so for you to edit them over FTP or SSH they must be world-writable (666), and that same permission lets any other customer's script write to them too. In a shared server environment, CGIWrap and suEXEC instead run your cgi scripts with you as the account "owner". The cgi scripts can then create files with more restrictive permissions (644) that keep others from editing your files, yet still allow you to edit them.

Movable Type and CGIWrap/suEXEC

By default, the Movable Type cgi scripts generate files with permissions of 666 - read and write permissions for Owner, Group, World. (See FTP, File Formats, and Permissions.) In other words, anyone with an account on a shared server can see and edit the files. This is the default because it allows Movable Type to work in a wide range of server environments. For example, if you had your own dedicated server, it wouldn't necessarily matter that the permissions were set so broadly, as you would be the only one accessing them. Another example is that some servers that use PHP require that PHP script permissions be set to 777.

Movable Type uses Umask settings to control the default permissions set on the files and directories it generates. "Umask" is short for "File Mode Creation Mask": every bit set in the umask is cleared from the permissions a newly created file or directory would otherwise get, so a umask of 0022 turns a requested 666 into 644 and a requested 777 into 755. The file Umask settings (DBUmask, HTMLUmask, UploadUmask) default to 0111, which gives MT generated pages permissions of 666; DirUmask defaults to 0000, which gives MT generated directories 777.

If you are running CGIWrap or suEXEC on your server, you can set the Umask settings so that only you, the owner of the MT generated files, have permission BY DEFAULT to edit and change them. This is why CGIWrap and suEXEC are so important. On a shared server, anyone else with an account on the same machine can edit files that have 666 permissions. Because CGIWrap and suEXEC run your cgi scripts with you as the account "owner", you can set permissions on your files to a more restrictive 644 (755 for directories) and still edit them, because the system recognizes you as their owner.

Uncommenting the Umask Settings

If you uncomment (remove the #) the Umask settings in your mt.cfg file, the new settings override the defaults and the new default permissions will be 644 for files and 755 for directories. You should ONLY do this if you have CGIWrap or suEXEC on your server! Without them, your cgi scripts run as the web server account, so the 644 files they create would be owned by that account rather than by you, and in a shared server environment you may no longer be able to edit any of your MT generated files.

Before uncommenting the Umask settings, make sure that your web host is running CGIWrap or suEXEC. You can run mt-check.cgi to find out. Just type the URL of your MT installation followed by mt-check.cgi, for example http://www.yourwebsite.com/path/to/mt/mt-check.cgi. If you are running CGIWrap or suEXEC, you will see the following line in your System Information:

(Probably) Running under cgiwrap or suexec

If mt-check.cgi reports that CGIWrap/suEXEC has been installed, then uncomment the following lines in mt.cfg:


DBUmask 0022
HTMLUmask 0022
UploadUmask 0022
DirUmask 0022
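The mt-check.cgi line above is only a guess ("Probably"), and as one of the comments below notes, some versions of mt-check.cgi do not print it at all. A direct check is to ask the web server itself who it runs your scripts as. The following throwaway CGI script is an added example and is not part of the tutorial or of Movable Type; it assumes you save it as something like whoami.cgi in the same directory as mt.cfg, make it executable (chmod 755), load it once in a browser and then delete it. It reports the user the script runs as, whether that user owns the script file (which is exactly what CGIWrap and suEXEC provide), and what the 0022 umask does to the 666/777 defaults:

```shell
#!/bin/sh
# Added example (not from the tutorial or from Movable Type): a throwaway CGI
# script that reports which user the web server runs CGI scripts as, and whether
# that user owns the script, which is what CGIWrap/suEXEC give you.
# Assumed usage: saved as whoami.cgi next to mt.cfg, chmod 755, fetched once in
# a browser, then deleted so it does not stay reachable on the web.

# Numeric uid that owns a file. ls -ln is used rather than stat so the same
# command works on GNU and BSD systems.
file_owner_uid() {
    ls -ln "$1" | awk '{print $3}'
}

# Succeeds (exit 0) when this process runs as the owner of the given file.
running_as_owner() {
    [ "$(id -u)" = "$(file_owner_uid "$1")" ]
}

# Apply a umask to a requested mode: bits set in the umask are cleared.
# Both arguments are octal strings, e.g. "0666" and "0022" -> "0644".
effective_mode() {
    printf '%04o\n' $(( $1 & ~$2 ))
}

# Only produce an HTTP response when actually invoked as a CGI (REQUEST_METHOD
# is set by the web server), so the functions above can also be sourced and
# called from a shell.
if [ -n "$REQUEST_METHOD" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'CGI runs as: %s (uid %s)\n' "$(id -un)" "$(id -u)"
    printf 'Script owner uid: %s\n' "$(file_owner_uid "$0")"
    if running_as_owner "$0"; then
        echo "Scripts run as their owner: CGIWrap/suEXEC is in effect, Umask 0022 is safe."
    else
        echo "Scripts do NOT run as their owner: leave the Umask lines commented out."
    fi
    printf 'Current umask: %s\n' "$(umask)"
    printf '0666 with umask 0022 -> %s (files)\n' "$(effective_mode 0666 0022)"
    printf '0777 with umask 0022 -> %s (directories)\n' "$(effective_mode 0777 0022)"
fi
```

If the script reports that it runs as "nobody", "apache", "www-data" or similar while your FTP account owns the file, your host is not using CGIWrap or suEXEC for your account and the Umask lines should stay commented out.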

Additional Steps

If your MT install (the program files, not the weblog files) isn't in a cgi-bin folder but your host provides one, you might consider moving your MT install into it. This adds extra security by preventing people from viewing your mt.cfg in a web browser: everything under cgi-bin is treated as a script to execute rather than a file to serve, so a request for mt.cfg fails instead of returning its contents.

Another way to protect against web-based access to your mt.cfg file is to add a .htaccess file (see What is .htaccess?) in the same directory that holds your mt.cfg with the following lines. Note that a deny placed inside <Limit GET> covers only GET (and HEAD) requests and leaves other request methods open, so the deny is applied directly within <Files>, where it covers every method:


<Files mt.cfg>
Order allow,deny
Deny from all
</Files>

(On Apache 2.4 and later, the equivalent of the two Order/Deny lines is a single "Require all denied".)

If you are not using dynamic publishing, it is highly recommended that you set the permissions of your mt.cfg and mt-db-pass.cgi (for MySQL or other SQL database) to 600 for added security, so that no other account on the server can read your database password. This only works when your cgi scripts run as you (CGIWrap or suEXEC), since otherwise Movable Type itself could no longer read the files. Do not take this step if you use dynamic publishing: the PHP code that serves dynamic pages runs as the web server account, not as you, and needs to read mt.cfg.

Links:

Apache suEXEC Support - notes on suEXEC from Apache.org


Special thanks to Brad Choate for his help with understanding CGIWrap, suEXEC and Umask and their impact on security.

Comments (3)

Do these instructions--especially uncommenting lines--apply equally to version 2.6?

Hi Kathy - these instructions apply to both MT3 and MT2.X.

Thanks for this lifesaver, Elise. Just as a note, that message (probably running under cgiwrap or suexec) does NOT appear in 3.2's mt-check screen.
