DSM-G600, DNS-3xx and NSA-220 Hack Forum

Thanks Fonz!

I used the command you suggested (with an extra -G lighttpd to add the user to the already existing lighttpd group), changed the permissions on /mnt/HD_a2/www, deleted the old access and error logs, changed the server.user and server.group in the lighttpd.conf to 'lighttpd', and restarted. And it works!

My goal in all of this was to make the server as secure as possible for a publicly accessible (via a NAT router) web site.

So now the server runs as a user without root privileges. The only other think I can think of doing is to run the server in a chroot jail. I have tried setting the chroot directory in the lighttpd configuration file to /mnt/HD_a2/www, but the server fails to start.

Any other suggestions for hardening the server?

Many thanks!

srk wrote:

I used the command you suggested (with an extra -G lighttpd to add the user to the already existing lighttpd group), changed the permissions on /mnt/HD_a2/www, deleted the old access and error logs, changed the server.user and server.group in the lighttpd.conf to 'lighttpd', and restarted. And it works!

srk; Following your lead I've done the same except my user is set to access /mnt/USB/www.

Does anyone have any idea how the user ID (lighttpd) can be associated with more than one access point? I'm running lighttpd and ffp from a USB key. If ffp fails to load from the USB key then operation resorts back to the local disk. Given /mnt/USB/www will not be available there's a need to have the /mnt/HD_a2/www available.

srk wrote:

I have tried setting the chroot directory in the lighttpd configuration file to /mnt/HD_a2/www, but the server fails to start.

I'm having the same problem. srk; Were you able to resolve this?


Oh, one more question! What command can be used to ID the groups and associated users?

Bob Blackwell
Pickering, ON

Last edited by rcblackwell (2008-09-14 02:51:32)

fonz wrote:

Code:

adduser -h /mnt/HD_a2/www -s /bin/false -H lighttpd

Not sure about the password. If you want to create the user without a password, add "-D" option after "-H". /bin/false should be as good as /sbin/nologin.

I used this command to create the user 'lighttpd'.  Added to group lighttpd.  I made the changes in lighttpd.conf (changed server.user, server.group, server.chroot), changed the group ownership of /mnt/HD_a2/www to lighttpd and changed the group permissions to rwx.  Did a store-passwd.sh, then reboot and lighttpd won't startup.  I can't get it running for any user other than root.  Any suggestions?

EDIT: checking the lighttpd error log I see

(mod_fastcgi.c.904) bind failed for: unix:/tmp/php-cgi.socket-0 Permission denied

EDIT2: changed the permissions on /tmp, all is well now

EDIT3:  so after I rebooted the permissions made to /tmp were reset.  i ended up making a directory under /mnt/HD_a2/tmp and pointed the line  "socket"    =>  for fastcgi in lighttpd.conf there.  Is this setup still secure?

Last edited by leech1980 (2008-09-14 09:01:11)

Greets all. Just a quick question...

How do you add a group? Sounds moronic, I know....

root@dlink-******:/mnt/HD_a2/www/pages# addgroup lighttpd     
Tinylogin v1.4 (2007.11.01-11:37+0000) multi-call binary

Usage: addgroup [OPTIONS] <group_name>

root@dlink-******:/mnt/HD_a2/www/pages#

I have firmware 1.05, funplug 0.5, telnet disabled and ssh enabled.

Thanks for any and all help. No man pages, no info pages, no --help and google isn't yielding too much...

Last edited by madpenguin (2008-12-27 21:05:34)

Thanks fonz. Atleast you didn't say RTFM afterwards... ;-)

root@dlink-******:~# man groupadd
Formatting page, please wait...
root@dlink-******:~# which addgroup
/bin/addgroup
root@dlink-******:~# ls -la /bin/addgroup 
lrwxrwxrwx    1 root     root            9 Apr 21  2008 /bin/addgroup -> tinylogin
root@dlink-******:~# man tinylogin
No manual entry for tinylogin
root@dlink-******:~# tinylogin --help
Tinylogin v1.4 (2007.11.01-11:37+0000) multi-call binary

Usage: tinylogin [function] [arguments]...
   or: [function] [arguments]...

        TinyLogin is a multi-call binary that combines several tiny Unix
        utilities for handling logins, user authentication, changing passwords,
        and otherwise maintaining users and groups on an embedded system.  Most
        people will create a link to TinyLogin for each function they wish to
        use, and TinyLogin will act like whatever it was invoked as.

Currently defined functions:
    addgroup, adduser, delgroup, deluser, getty, login, passwd, su,
    sulogin, tinylogin, vlock

That's a new one on me. Still would like to know the correct usage of "addgroup" tho and why it worked for the above posters..... Might as well use "useradd" while I'm at it.

Thanks for "tossing me a bone" at any rate. I'd also like to offer thanks for ffp. Makes the 323 all that much better. Much appreciated.

Last edited by madpenguin (2008-12-28 17:23:59)

alpha wrote:

Hi,

I think it will be problems to do a chroot jail, because you need PHP and it sits in /ffp/bin. I don't really know how to do this, but maybe someone of you knows ?

Maybe this page helps http://www.cyberciti.biz/tips/howto-set … -jail.html
I've not tried it and don't know if it will work on the nas.

Noone ? Please guys...

Hi,

"ldd" is a very nice tool and helpful in this situation, but I have one question. Ok, I know what shared libraries I need, but reference path is "/ffp/lib/...". How to change reference patch for example for "php" binary ?

Regards,
alpha

Hi,

Thanks for info. I found some very informative info using your link to google search. Will try to jail my lighttpd with php support. Thanks again.

Regards,
alpha

Hello,

Many thanks for the script. I'll try it today. It will be helpful.

Regards,
alpha

You need to hit the funplug site and install some packages. It's probably because of the crippled busybox binaries. Install bash, change the top line back and try again.

All that script does is give you the same ldd output only cleans it up some. Hardly worth the fuss but you should have bash installed anyway IMO...

Last edited by madpenguin (2009-02-11 02:45:44)

Excuse me for saying so, but it seems your trying to run a marathon without even training for it. I smoke a pack a day and would never dream of trying such a thing without quitting and taking up running first.

Read the sticky link at the top of the forum. "Getting started with linux" or whatever it says. binaries and libraries are 2 different things. $PATH points to your installed binaries and $LD_LIBRARY_PATH points to your libraries.

You DON"T want to change your global $PATH. You'll break things severely. Go back and read those google links about chrooting lighttpd.