
Hiawatha cgi-wrapper: SUID PROBLEM

Marco
7 September 2009, 10:42
Hiawatha version: 6.14, 6.15, 6.17
Operating System: OpenBSD 4.5 GENERIC i386
I should state that the exact same configuration works fine on
Linux (Ubuntu with a custom 2.6.30 kernel); I moved it to OpenBSD 4.5.

# Hiawatha main configuration file
#


# GENERAL SETTINGS
#
ServerId = www-data
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log


# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
Interface = 127.0.0.1
TimeForRequest = 3,20
}
Binding {
Port = 80
Interface = 128.0.0.2
TimeForRequest = 3,20
}
#

CGIhandler = /usr/bin/perl:pl
CGIextension = cgi
CGIwrapper = /usr/local/sbin/cgi-wrapper
Hostname = 127.0.0.1
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
#ErrorHandler = 404:/error.cgi


# VIRTUAL HOSTS
# Use a VirtualHost section to declare the websites you want to host.
#

VirtualHost {
Hostname = 128.0.0.2
WebsiteRoot = /var/www/hsools/perl
StartFile = index.html
AccessLogfile = /var/www/hsools/log/access.log
ErrorLogfile = /var/www/hsools/log/error.log
ExecuteCGI = yes
WrapCGI = hsools
TimeForCGI = 5
}


# CGI wrapper configuration
#
# Use the 'newroot' tool to copy applications to a chroot directory.

# CGIhandler = /path/to/cgi-handler
#
CGIhandler = /usr/bin/perl

# Wrap = <wrap-id>;<cgiroot>;<userid>[:<group>]
#
Wrap = hsools ; /var/www/hsools ; 1005:1005


$ /usr/local/sbin/wigwam
Using /usr/local/etc/hiawatha
Reading httpd.conf
No non-fatal errors found in the Hiawatha configuration.

$ mount
/dev/wd0a on / type ffs (local)
/dev/wd0d on /home type ffs (local, nodev, noexec, nosuid)
/dev/wd0e on /usr type ffs (local, nodev)
/dev/wd0f on /var type ffs (local, nodev, nosuid)
mfs:3856 on /tmp type mfs (local, size=204800 512-blocks)


$ ls -l /var/www
total 12
drwxr-xr-x 2 root wheel 512 Jun 10 20:17 hiawatha
drwxr-xr-x 6 myacc hsools 512 Jun 10 15:57 hsools

$ ls -l /var/www/hsools
total 16
drwxr-x--x 2 myacc hsools 512 Sep 5 13:22 log
drwxr-xr-x 2 myacc hsools 512 Jun 10 19:35 perl

$ ls -l /var/www/hsools/perl
total 12
-rwxr-xr-- 1 myacc hsools 1090 Jun 10 15:58 index.html
-rwxr-x--- 1 myacc hsools 829 Jun 10 19:35 login_admin.cgi

$ ls -l /usr/local/sbin
total 2552
-rwsr-xr-x 1 root wheel 57854 Sep 7 11:02 cgi-wrapper
-rwxr-xr-x 1 root wheel 707955 Sep 7 11:02 hiawatha
-rwxr-xr-x 1 root wheel 2488 Sep 7 11:02 newroot
-rwxr-xr-x 1 root wheel 68672 Sep 7 11:02 php-fcgi
-rwxr-xr-x 1 root wheel 72329 Sep 7 11:02 wigwam


$ cat /var/www/hsools/log/error.log
Mon 07 Sep 2009 10:34:17 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
Mon 07 Sep 2009 11:42:35 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
Mon 07 Sep 2009 11:52:10 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem

Why doesn't cgi-wrapper set the suid correctly to 'hsools'?

Many Thanks
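As an added diagnostic (not part of Marco's post or of Hiawatha): the listing above shows login_admin.cgi as -rwxr-x--- myacc:hsools while the server runs as www-data, so before looking at the wrapper's suid bit it is worth checking whether the server's own identity can even reach the script. This C helper evaluates the owner/group/other mode bits along a path for an arbitrary uid and group list; it does not model root, ACLs or the nosuid/noexec mount options, and its self-test rebuilds the thread's 0750 layout in a constructed temp directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Owner/group/other mode-bit test for a simulated identity; bits only: no root override, ACLs or mount options. */
static int bits_allow(const struct stat *st, uid_t uid, const gid_t *gids, int ngids, int want)
{
    int shift = 0;                                  /* "other" class */
    if (st->st_uid == uid) shift = 6;               /* owner class */
    else for (int i = 0; i < ngids; i++)
        if (gids[i] == st->st_gid) { shift = 3; break; }  /* group class */
    return ((st->st_mode >> shift) & want) == want;
}
/* Walk an absolute path as that identity: every directory needs x, the final file
 * needs r+x (an interpreter-run CGI script). NULL = reachable, else the blocker. */
const char *first_denied(const char *path, uid_t uid, const gid_t *gids, int ngids)
{
    static char comp[4096];
    struct stat st;
    size_t len = strlen(path);
    if (len == 0 || path[0] != '/' || len >= sizeof comp) return "invalid path";
    for (size_t i = 1; i <= len; i++) {
        if (path[i] != '/' && path[i] != '\0') continue;
        memcpy(comp, path, i); comp[i] = '\0';
        if (stat(comp, &st) != 0) return comp;      /* missing or not stat-able */
        if (!bits_allow(&st, uid, gids, ngids, i == len ? 5 : 1)) return comp;
    }
    return NULL;
}
/* Rebuilds the thread's layout in a constructed temp dir (0750 script owned by the current user,
 * myacc:hsools there): owner and group member must reach it, a foreign uid/gid (www-data) must stop at the script. */
int selftest(void)
{
    char dir[] = "/tmp/cgiperm.XXXXXX", script[64]; struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(script, sizeof script, "%s/login_admin.cgi", dir);
    FILE *f = fopen(script, "w");
    if (f == NULL) { rmdir(dir); return 0; }
    fputs("#!/usr/bin/perl\n", f); fclose(f);
    chmod(dir, 0755); chmod(script, 0750);
    if (stat(script, &st) != 0) { unlink(script); rmdir(dir); return 0; }
    gid_t mine = st.st_gid, foreign = st.st_gid + 1;   /* hsools vs. a gid that is not hsools */
    int ok = first_denied(script, st.st_uid, &mine, 1) == NULL             /* owner: rwx */
          && first_denied(script, st.st_uid + 1, &mine, 1) == NULL;        /* group: r-x */
    const char *other = first_denied(script, st.st_uid + 1, &foreign, 1);  /* other: --- */
    ok = ok && other != NULL && strcmp(other, script) == 0;
    unlink(script); rmdir(dir);
    return ok;
}
```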
Hugo Leisink
7 September 2009, 11:17
What user has id 1005? What happens if you change to user id 1005 (via sudo) and run the login_admin.cgi from the command line?

Can you please try again with
Wrap = hsools ; /var/www/hsools ; 1005:1005

changed to
Wrap = hsools ; /var/www/hsools ; myacc



Btw, don't forget to update to 6.17.1. There is a stupid bug in 6.17.
Marco
7 September 2009, 17:08
Hi Hugo.
I have updated to version 6.17.1 on Ubuntu and CGI NOW doesn't work!
I have in the error log: CGI-WRAPPER: no valid Wrap found. But I haven't changed any configuration!
Back to OpenBSD:
first: I have updated to version 6.17.1
second: id 1005 is hsools
hsools:*:1005:1005::/nonexistent:/sbin/nologin
third: I have enabled a shell account for hsools and run the Perl CGI. It works fine!
In the end I have changed 1005:1005 to myacc in cgi-wrapper.conf and changed the
line in hiawatha.conf from WrapCGI = hsools to WrapCGI = myacc.
Nothing To Do :-(
Hugo Leisink
7 September 2009, 18:09
It appears that 6.17 has introduced a bug in the cgi-wrapper. This bug causes comments to form a problem. There are two solutions:
1) remove all comments from cgi-wrapper.conf
2) adjust cgi-wrapper.c. Add the following code after "rest = uncomment(line);" at line 103:
    if (*rest == '\0') {
        continue;
    }



If id 1005 belongs to hsools, use this configuration line:
Wrap = hsools ; /var/www/hsools ; hsools
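A runnable model of the fix described above, added here and not taken from cgi-wrapper.c (the real parser is not shown in the thread): uncomment() returns an empty string for blank and comment-only lines, and the loader is run once without and once with the `if (*rest == '\0') continue;` guard against a constructed copy of the cgi-wrapper.conf quoted earlier in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct wrap { char id[32], root[256], user[64]; };
struct wrap found[4];                 /* filled by load_sample() */
/* Drop a '#' comment and surrounding whitespace; a comment-only or blank line comes back as "". */
char *uncomment(char *line)
{
    char *hash = strchr(line, '#'), *end;
    if (hash) *hash = '\0';
    while (isspace((unsigned char)*line)) line++;
    end = line + strlen(line);
    while (end > line && isspace((unsigned char)end[-1])) *--end = '\0';
    return line;
}

/* Model of the wrapper's config loop (not the real cgi-wrapper.c). Returns the number
 * of Wrap entries stored, or -1 when a line is neither CGIhandler nor a valid Wrap.
 * With skip_blank == 0 a comment-only line reaches the parser as "" and aborts the load. */
int load_wraps(FILE *fp, int skip_blank, struct wrap *out, int max)
{
    char line[256], *rest; int n = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        rest = uncomment(line);
        if (skip_blank && *rest == '\0') continue;      /* the guard from Hugo's post */
        if (strncmp(rest, "CGIhandler", 10) == 0) continue;
        if (n < max && sscanf(rest, "Wrap = %31[^ ;] ; %255[^ ;] ; %63[^ ;]",
                              out[n].id, out[n].root, out[n].user) == 3) { n++; continue; }
        return -1;                                      /* "no valid Wrap found" */
    }
    return n;
}

/* Constructed copy of the cgi-wrapper.conf quoted in the thread, parsed via a temp file. */
int load_sample(int skip_blank)
{
    static const char conf[] =
        "# CGI wrapper configuration\n"
        "CGIhandler = /usr/bin/perl\n"
        "\n"
        "# Wrap = <wrap-id>;<cgiroot>;<userid>[:<group>]\n"
        "Wrap = hsools ; /var/www/hsools ; 1005:1005\n";
    FILE *fp = tmpfile();
    if (fp == NULL || fputs(conf, fp) == EOF) return -1;
    rewind(fp);
    int n = load_wraps(fp, skip_blank, found, 4);
    fclose(fp); return n;
}
```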
Marco
8 September 2009, 20:14
Hi Hugo.

As you can see, I have tried to change the mount table to:
/dev/wd0a on / type ffs (local)
/dev/wd0d on /home type ffs (local, nodev, noexec, nosuid)
/dev/wd0e on /usr type ffs (local, nodev)
/dev/wd0f on /var type ffs (local, nodev)
mfs:18968 on /tmp type mfs (local, size=204800 512-blocks)
I have removed all comments from cgi-wrapper.conf:
CGIhandler = /usr/bin/perl
Wrap = hsools ; /var/www/hsools ; hsools
but it did not work.
I have changed the source code as you described:
    while (fgets(line, 256, fp) != NULL) {
        rest = uncomment(line);
        if (*rest == '\0') {
            continue;
        }
(is it right, please?)
but it is still not working (error log: access denied via filesystem)
I have also sent mail to ports@openbsd.org with the topic:
Hiawatha cgi-wrapper: SUID PROBLEM
but at the moment I have not had a decisive response.
Unfortunately I could not try these amendments with Linux kernel 2.6.30 on Ubuntu.
Hugo Leisink
10 September 2009, 08:31
The cgi-wrapper works perfectly under Linux. It must be a Hiawatha - OpenBSD issue. I will try it with OpenBSD myself. I'll get back to you a.s.a.p.
Marco
11 September 2009, 10:51
Thanks Hugo, on Ubuntu it works fine :-)
I'll wait for news about Hiawatha and OpenBSD..........
Hugo Leisink
13 September 2009, 12:33
I tried to run OpenBSD 4.5 a VMware environment, but all it does is crash or hang with 100% CPU usage. If OpenBSD is this unstable, it's not hard to guess why cgi-wrapper won't run....
Marco
14 September 2009, 16:23
Forgive me Hugo, but I did not understand your statement....
On my computer OpenBSD 4.5 works fine with 0.1% CPU usage....
Hugo Leisink
15 September 2009, 10:21
What I'm trying to say is that I can't get OpenBSD to run normally. The default installation crashes or hangs. I'll try it again soon.
Hugo Leisink
15 September 2009, 11:54
I tried OpenBSD in VirtualBox, but it also crashes. This time, it even crashed during installation! You can see a crash screenshot here.

Until the OpenBSD team fixes its OS, I'm afraid I cannot test Hiawatha under OpenBSD for you.

I advise you to stick to Ubuntu. It might not be as secure as this wonderful OpenBSD, but at least it works.
Marco
15 September 2009, 16:46
Mmmhhh, it's very strange...
I have installed OpenBSD 4.5 on specific hardware with a solid-state
disk without any sort of problem.....
I can't see the crash screenshot image because my PC runs without an
X server, and I am not an expert on the OpenBSD kernel; I have used it for
three years :-(
Is your machine hardware compatible with OpenBSD?
Do you know who on the OpenBSD team has tested Hiawatha (with cgi-wrapper)?
Have you thought of posting the problem to <ports@openbsd.org>?
Pity! Our small ISP has designed this specific webserver around Hiawatha
and OpenBSD for security reasons..... :-(
Many thanks for your patience Hugo.
Samiux
15 September 2009, 18:30
Hugo Leisink,

Perl works under cgi-wrapper mode but not the PHP5 in Ubuntu 9.04. It gives me "500 Internal Server Error" message.

Samiux
Hugo Leisink
16 September 2009, 23:52
What is in the error logfile? Can you post your configuration?
Samiux
17 September 2009, 02:10
Hiawatha version : 6.17.1
Operating system : Ubuntu 9.04 Server

Hugo Leisink,

The error.log :

Thu 17 Sep 2009 07:55:51 +0800|192.168.100.1|/var/www/blog/index.php|execute CGI: Permission denied
Thu 17 Sep 2009 07:55:51 +0800|192.168.100.1|/var/www/blog/index.php|no output


The hiawatha.conf :
# Hiawatha main configuration file
#


# GENERAL SETTINGS
#
ServerId = www-data
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
LogFormat = extended

#ServerRoot = /var/www
CGIwrapper = /usr/sbin/cgi-wrapper
ServerString = none

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
# Interface = 127.0.0.1
MaxKeepAlive = 30
TimeForRequest = 3,20
}
#
#Binding {
# Port = 443
# Interface = ::1
# MaxKeepAlive = 30
# TimeForRequest = 3,20
# SSLcertFile = hiawatha.pem
#}

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnSQLi = 0
BanOnFlooding = 10/1:15
#BanOnCMDi = 0
BanlistMask = allow 192.168.100.0/24

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications. Use the 'php-fcgi'
# tool to start PHP as a FastCGI daemon.
#
#CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php,php5
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi
#
FastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php
SessionTimeout = 30
}

# URL TOOLKIT
# These URL toolkit rules are made for the Banshee PHP framework,
# which can be downloaded from: http://banshee.leisink.org/
#
UrlToolkit {
ToolkitID = banshee
RequestURI isfile Return
Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}


# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = 127.0.0.1
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
ErrorHandler = 404:/error.cgi

# VIRTUAL HOSTS
# Use a VirtualHost section to declare the websites you want to host.
#
VirtualHost {
Hostname = www.samiux.com
WebsiteRoot = /var/www/blog
StartFile = index.php
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
TimeForCGI = 5
# UseFastCGI = PHP5
# UseToolkit = banshee
ExecuteCGI = yes
# DenyBot = msnbot:/files
# PreventCMDi = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes

WrapCGI = jail
}

# DIRECTORY SETTINGS
# You can specify some settings per directory.
#
#Directory {
# Path = /home/baduser
# ExecuteCGI = no
# UploadSpeed = 10,2
#}


The php-fcgi.conf :

# PHP FastCGI configuration

# Path to PID-file.
# PidFile = <filename>
#
PidFile = /var/run/php-fcgi.pid

# Number of forks per server.
# Forks = <number>
#
Forks = 3

# Number of maximum requests per fork before respawning.
# MaxRequests = <number>
#
MaxRequests = 100

# Set environment variables for the FastCGI processes.
# Setenv <key> = <value>
#

# PHP FastCGI servers to start.
# Server = <php-cgi executable>;<binding>;<UID>[:<GIDs>][;<PHP configuration file>]
#
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data
#Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; 1000:100,101
#Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data ; /etc/php5/cgi/php.ini
#Server = /usr/chroot|usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data


The cgi-wrapper.conf :

# CGI wrapper configuration
#
# Use the 'newroot' tool to copy applications to a chroot directory.

# CGIhandler = /path/to/cgi-handler
#
#CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
#CGIhandler = /usr/bin/python
#CGIhandler = /usr/bin/ruby
#CGIhandler = /usr/bin/ssi-cgi

# Wrap = <wrap-id>;<cgiroot>;<userid>[:<group>]
#
#Wrap = nobody ; /var/www|nobody ; 65534:65534
#Wrap = somebody ; /var/www/site ; 1001:33,200,201
#Wrap = hugo ; ~hugo ; hugo
Wrap = jail ; /var/www/blog ; www-data


All the files and directories under /var/www/blog (including blog directory) are in the ownership of www-data:www-data.

Any idea?

Samiux

Marco
17 September 2009, 11:38
I'm sorry Samiux, but you have taken over my post..... ;-)
I am searching for a workaround for the problem with cgi-wrapper and OpenBSD 4.5...
I will try to start hiawatha with two different configuration files for two different users.....
and I remove the suid permission from cgi-wrapper.
Please Samiux, now you can continue your post :-)
ajacoutot
20 September 2009, 12:19
I will look into this when I have time on my OpenBSD machine.
For the record, OpenBSD runs fine on all PC hardware, if it crashes on vmware and virtualbox, then these people should fix their software to emulate real PC hardware and not the opposite.