What files should/should not be stored in the cgi-bin folder/directory on a web server?

Obviously, executable scripts/files that make up a web application, called from a web browser can be stored there.

But is there a common industry opinion about what else can be stored there?

Is there a very strong reason why nothing else apart from the scripts/executables is allowed there?

My preference is to store all files belonging to an application in the cgi-bin directory/folder, as a subfolder off it - for each application.

For example directory cgi-bin/myapplication would contain:

  • the cgi scripts/executables
  • datafiles
  • configuration files

This simplifies installation and also simplifies the steps to run different versions of an application in parallel, e.g. for trialling a new version.

Concerns about security access to non-script files can be addressed by using the correct user permissions and also Apache .htaccess to control access to the directory and files.

It would seem that popular free applications are in favour of this everything-under-one-directory approach: the versions of Bugzilla, the free defect and feature tracking tool, e.g. 3.4.4, are offered in this structure, while earlier versions, e.g. 2.x, installed Bugzilla components to at least three folders.

Drupal, the powerful and popular free content management system, also takes this approach of everything-under-one-directory, albeit it doesn't use the cgi-bin folder; the approach is the same.

What are your thoughts?

+1  A: 

There is nothing special about the cgi-bin folder. It is like any publicly-accessible web folder that has the "allow-script" flag set (or the equivalent for your web server) - something that has become almost meaningless in the world of PHP/JSP and the likes.

You should only store files that you wish to be public in any folder under your webroot. You probably don't want your data and configuration to be downloadable by any user on the internet, so don't keep them in /cgi-bin.

Certain servers may try and execute any file in /cgi-bin if requested. This could cause problems, especially if text or data files are executed as shell script.

Applications like Drupal are intended to be easy for anyone to install, regardless of what permissions they may have on their web-host. This is the main reason it keeps everything together. If you have the ability to put files where you want, it is always a good practice to keep non-public files outside of the webroot. If you must keep them under the webroot, then ensure that you use your server's configuration to deny public access to the non-public files.

Cheekysoft
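The answer's closing advice, using the server configuration to deny public access to non-public files kept under cgi-bin, can be expressed as an Apache 2.4 configuration. The following is an added example, not code from the question, the answer or any of the projects mentioned; the paths /var/www/cgi-bin, the per-application layout cgi-bin/myapplication/{data,conf} and the file extensions in the pattern are assumptions chosen to match the layout the question describes.

```apache
# Added example (not from the original post). Assumed layout:
#   /var/www/cgi-bin/myapplication/*.cgi   - the scripts that may be executed
#   /var/www/cgi-bin/myapplication/data/   - data files (must never be served)
#   /var/www/cgi-bin/myapplication/conf/   - configuration (must never be served)

# ScriptAlias hands every file under the directory to mod_cgi, which is why a
# data or config file requested by URL is treated as a script rather than served.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    # Keep .htaccess out of the decision: a denial in the main config cannot be
    # overridden by a file dropped into the application directory.
    AllowOverride None
    Options +ExecCGI -Indexes
    Require all granted

    # Belt and braces: non-script file types are refused wherever they sit.
    <FilesMatch "\.(conf|ini|cfg|dat|db|txt|log|bak)$">
        Require all denied
    </FilesMatch>
</Directory>

# The data and conf subdirectories of every application under cgi-bin are
# refused outright, regardless of file extension (Directory accepts wildcards).
<Directory "/var/www/cgi-bin/*/data">
    Require all denied
</Directory>
<Directory "/var/www/cgi-bin/*/conf">
    Require all denied
</Directory>
```

With this in place the scripts still read their data and configuration through the filesystem as before, while an HTTP request for anything under data/ or conf/ gets a 403 instead of being executed or served. The question's preference for `.htaccess` works too, but only where `AllowOverride` permits it; putting the denial in the server configuration removes that dependency, which is why the example sets `AllowOverride None`. If the application is later moved so that data/ and conf/ live outside the webroot, the two `Require all denied` blocks simply become unnecessary.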