DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.


#1 2007-07-25 15:11:12

srk
New member
Registered: 2007-05-13
Posts: 4

Request for secure setup info for lighttpd

Hello,

Currently running Fonz's excellent fun_plug v0.3.

lighttpd can be run both in a chroot jail and as a non-root user. Could someone supply me with a step-by-step procedure for, for example, setting lighttpd to run as a user 'lighttpd', chrooted to /mnt/HD_a2/www?

Presumably this is not the most secure configuration if the lighttpd log files are going in /mnt/HD_a2/www/logs - can anyone suggest a viable alternative?

Assuming telnet access is available, the procedure should be something like:

1. Create 'lighttpd' group and user
2. Set chroot directory and server group and user in lighttpd.conf
3. Start (or restart) lighttpd server

I'm stuck on step 1. I have created the 'lighttpd' group using 'addgroup lighttpd', but am a little confused about how to create the 'lighttpd' user, specifically how to set the shell. According to other lighttpd tutorials I have read on the web, the shell should be /sbin/nologin (since the lighttpd user only exists to run the server and shouldn't have login privileges).

Can anyone give me an example of an 'adduser' command (or equivalent) to create a 'lighttpd' user with a secure configuration?

Perhaps this procedure could be added to the lighttpd info page on the www.dns323.info site?

Many thanks in advance!


#2 2007-07-25 15:25:47

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716

Re: Request for secure setup info for lighttpd

Code:

adduser -h /mnt/HD_a2/www -s /bin/false -H lighttpd

Not sure about the password. If you want to create the user without a password, add "-D" option after "-H". /bin/false should be as good as /sbin/nologin.


#3 2007-07-25 19:23:10

srk
New member
Registered: 2007-05-13
Posts: 4

Re: Request for secure setup info for lighttpd

Thanks Fonz!

I used the command you suggested (with an extra -G lighttpd to add the user to the already existing lighttpd group), changed the permissions on /mnt/HD_a2/www, deleted the old access and error logs, changed the server.user and server.group in the lighttpd.conf to 'lighttpd', and restarted. And it works!

My goal in all of this was to make the server as secure as possible for a publicly accessible (via a NAT router) web site.

So now the server runs as a user without root privileges. The only other thing I can think of doing is to run the server in a chroot jail. I have tried setting the chroot directory in the lighttpd configuration file to /mnt/HD_a2/www, but the server fails to start.

Any other suggestions for hardening the server?

Many thanks!
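Added example, not code from this thread or from ffp: a small shell check for the lighttpd.conf settings that the three steps above end with. The option names server.username, server.groupname, server.chroot and server.document-root are lighttpd's own (the posts call them server.user and server.group); the two sample configs are constructed and written to a temporary directory. It flags a server still configured to run as root and, once server.chroot is set, a document root that is still given as a host path: lighttpd resolves server.document-root relative to the chroot, so /mnt/HD_a2/www as both chroot and document root means the document root does not exist inside the jail.

```shell
#!/bin/sh
# Added example, not code from the thread or from ffp: lint a lighttpd.conf for
# the non-root / chroot settings. Option names are lighttpd's real ones; the two
# sample configs written below are constructed.

# conf_value FILE KEY -> print the double-quoted value assigned to KEY (first match)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# lint_conf FILE -> one finding per line on stdout; exit status 1 if any finding
lint_conf() {
    conf=$1
    findings=0
    user=$(conf_value "$conf" server.username)
    group=$(conf_value "$conf" server.groupname)
    jail=$(conf_value "$conf" server.chroot)
    docroot=$(conf_value "$conf" server.document-root)

    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "server.username unset or root: the server keeps root privileges after start"
        findings=$((findings + 1))
    fi
    if [ -z "$group" ] || [ "$group" = "root" ]; then
        echo "server.groupname unset or root"
        findings=$((findings + 1))
    fi
    # Once server.chroot is set, lighttpd resolves server.document-root inside
    # the new root, so a host path like /mnt/HD_a2/www no longer exists there.
    if [ -n "$jail" ]; then
        case $docroot in
            "$jail"*)
                echo "server.document-root '$docroot' is a host path; inside chroot '$jail' it should be relative (e.g. \"/\")"
                findings=$((findings + 1)) ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}

# --- constructed sample configs ---
workdir=$(mktemp -d)
WEAK_CONF=$workdir/lighttpd-weak.conf     # runs as root; chroot set but doc root is a host path
FIXED_CONF=$workdir/lighttpd-fixed.conf   # unprivileged user/group; doc root relative to the jail

cat > "$WEAK_CONF" <<'EOF'
server.document-root = "/mnt/HD_a2/www"
server.chroot        = "/mnt/HD_a2/www"
server.port          = 80
EOF

cat > "$FIXED_CONF" <<'EOF'
server.username      = "lighttpd"
server.groupname     = "lighttpd"
server.chroot        = "/mnt/HD_a2/www"
server.document-root = "/"
server.port          = 80
EOF

for f in "$WEAK_CONF" "$FIXED_CONF"; do
    echo "== $f"
    lint_conf "$f" && echo "   no findings"
done
```

Run it against your own file with lint_conf /ffp/etc/lighttpd/lighttpd.conf (or wherever ffp keeps it); an empty output and exit status 0 means the three settings are in place.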


#4 2007-07-25 20:16:58

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716

Re: Request for secure setup info for lighttpd

srk wrote:

Any other suggestions for hardening the server?

Maybe an upgrade to 1.4.16 which came out yesterday and fixes a number of security issues.


#5 2008-06-30 23:38:55

rcblackwell
Member
From: Pickering, ON
Registered: 2008-05-19
Posts: 204

Re: Request for secure setup info for lighttpd

srk wrote:

I used the command you suggested (with an extra -G lighttpd to add the user to the already existing lighttpd group), changed the permissions on /mnt/HD_a2/www, deleted the old access and error logs, changed the server.user and server.group in the lighttpd.conf to 'lighttpd', and restarted. And it works!

srk: following your lead I've done the same, except my user is set to access /mnt/USB/www.

Does anyone have any idea how the user ID (lighttpd) can be associated with more than one access point? I'm running lighttpd and ffp from a USB key. If ffp fails to load from the USB key then operation resorts back to the local disk. Given /mnt/USB/www will not be available there's a need to have the /mnt/HD_a2/www available.


srk wrote:

I have tried setting the chroot directory in the lighttpd configuration file to /mnt/HD_a2/www, but the server fails to start.

I'm having the same problem. srk: were you able to resolve this?


Oh, one more question! What command can be used to ID the groups and associated users?

Bob Blackwell
Pickering, ON

Last edited by rcblackwell (2008-09-14 02:51:32)



#6 2008-07-01 19:27:19

kikkeraap
Member
Registered: 2008-03-19
Posts: 17

Re: Request for secure setup info for lighttpd

fonz wrote:

Code:

adduser -h /mnt/HD_a2/www -s /bin/false -H lighttpd

Not sure about the password. If you want to create the user without a password, add "-D" option after "-H". /bin/false should be as good as /sbin/nologin.

This did the trick, but now I'm facing problems with PHP, as it won't run.


#7 2008-09-14 01:19:05

leech1980
Member
Registered: 2008-09-12
Posts: 29

Re: Request for secure setup info for lighttpd

fonz wrote:

Code:

adduser -h /mnt/HD_a2/www -s /bin/false -H lighttpd

Not sure about the password. If you want to create the user without a password, add "-D" option after "-H". /bin/false should be as good as /sbin/nologin.

I used this command to create the user 'lighttpd'. Added it to group lighttpd. I made the changes in lighttpd.conf (changed server.user, server.group, server.chroot), changed the group ownership of /mnt/HD_a2/www to lighttpd and changed the group permissions to rwx. Did a store-passwd.sh, then rebooted, and lighttpd won't start up. I can't get it running for any user other than root. Any suggestions?

EDIT: checking the lighttpd error log I see

(mod_fastcgi.c.904) bind failed for: unix:/tmp/php-cgi.socket-0 Permission denied

EDIT2: changed the permissions on /tmp, all is well now

EDIT3: so after I rebooted, the permissions made to /tmp were reset. I ended up making a directory under /mnt/HD_a2/tmp and pointed the "socket" => line for fastcgi in lighttpd.conf there. Is this setup still secure?

Last edited by leech1980 (2008-09-14 09:01:11)


#8 2008-11-30 22:29:58

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hi,

I think there will be problems doing a chroot jail, because you need PHP and it sits in /ffp/bin. I don't really know how to do this, but maybe one of you knows?


#9 2008-12-27 20:34:31

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

Greets all. Just a quick question...

How do you add a group? Sounds moronic, I know....

Code:

root@dlink-******:/mnt/HD_a2/www/pages# addgroup lighttpd     
Tinylogin v1.4 (2007.11.01-11:37+0000) multi-call binary

Usage: addgroup [OPTIONS] <group_name>

root@dlink-******:/mnt/HD_a2/www/pages#

I have firmware 1.05, funplug 0.5, telnet disabled and ssh enabled.

Thanks for any and all help. No man pages, no info pages, no --help and google isn't yielding too much...

Last edited by madpenguin (2008-12-27 21:05:34)


#10 2008-12-28 12:52:48

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716

Re: Request for secure setup info for lighttpd

madpenguin wrote:

No man pages, no info pages, no --help and google isn't yielding too much...

man groupadd


#11 2008-12-28 17:16:58

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

Thanks fonz. At least you didn't say RTFM afterwards... ;-)

Code:

root@dlink-******:~# man groupadd
Formatting page, please wait...
root@dlink-******:~# which addgroup
/bin/addgroup
root@dlink-******:~# ls -la /bin/addgroup 
lrwxrwxrwx    1 root     root            9 Apr 21  2008 /bin/addgroup -> tinylogin
root@dlink-******:~# man tinylogin
No manual entry for tinylogin
root@dlink-******:~# tinylogin --help
Tinylogin v1.4 (2007.11.01-11:37+0000) multi-call binary

Usage: tinylogin [function] [arguments]...
   or: [function] [arguments]...

        TinyLogin is a multi-call binary that combines several tiny Unix
        utilities for handling logins, user authentication, changing passwords,
        and otherwise maintaining users and groups on an embedded system.  Most
        people will create a link to TinyLogin for each function they wish to
        use, and TinyLogin will act like whatever it was invoked as.

Currently defined functions:
    addgroup, adduser, delgroup, deluser, getty, login, passwd, su,
    sulogin, tinylogin, vlock

That's a new one on me. Still would like to know the correct usage of "addgroup" though, and why it worked for the above posters... Might as well use "useradd" while I'm at it.

Thanks for "tossing me a bone" at any rate. I'd also like to offer thanks for ffp. Makes the 323 all that much better. Much appreciated.

Last edited by madpenguin (2008-12-28 17:23:59)


#12 2008-12-28 18:14:22

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716

Re: Request for secure setup info for lighttpd

madpenguin wrote:

Still would like to know the correct usage of "addgroup" though, and why it worked for the above posters... Might as well use "useradd" while I'm at it.

Thanks for "tossing me a bone" at any rate. I'd also like to offer thanks for ffp. Makes the 323 all that much better. Much appreciated.

There was a ffp version of addgroup, but I've removed it in favor of the more standard groupadd (which is really simple to use, btw). Same for adduser. So maybe the others have used these ffp versions. I recommend you use groupadd and useradd instead.


#13 2008-12-29 14:52:53

RunaR
Member
Registered: 2008-08-14
Posts: 49

Re: Request for secure setup info for lighttpd

alpha wrote:

Hi,

I think there will be problems doing a chroot jail, because you need PHP and it sits in /ffp/bin. I don't really know how to do this, but maybe one of you knows?

Maybe this page helps http://www.cyberciti.biz/tips/howto-set … -jail.html
I've not tried it and don't know if it will work on the nas.


#14 2009-02-01 00:09:05

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hi,

RunaR wrote:

Maybe this page helps http://www.cyberciti.biz/tips/howto-set … -jail.html
I've not tried it and don't know if it will work on the nas.

There are too many differences with DNS-323 Linux. I'm not a Linux guru, so I think I can't do this. But I think it is possible. So if someone can jail the lighttpd web server in a chroot with Linux, it would be nice to share your experience here.

Edit:
Since PHP is not in one directory, I have tried to copy the main files to /www/bin and chroot, but lighttpd does not start. I get a message about PHP, but there is no info about what other files PHP needs to start. I have noticed the file php-config in /ffp/bin, which has some info on what PHP needs. So I need you guys to help me with this and set up PHP in the jail with lighttpd.

alpha

Last edited by alpha (2009-02-01 01:01:43)


#15 2009-02-06 16:23:21

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

No one? Please guys...


#16 2009-02-07 04:51:49

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

Use ldd. It should tell you what php wants. There is also tons of stuff on google about this.


#17 2009-02-07 13:06:30

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hi,

"ldd" is a very nice tool and helpful in this situation, but I have one question. OK, I know what shared libraries I need, but the reference path is "/ffp/lib/...". How do I change the reference path, for example for the "php" binary?

Regards,
alpha


#18 2009-02-08 05:12:27

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

Your $PATH is an environment variable that will change when you chroot lighttpd. Doesn't matter that they are currently in /ffp. Once you chroot lighttpd into, say... /www, then you'll need a /www/bin, /www/lib and so on.

Again, google is your best friend here. What I found usually talks about using debian or something but it doesn't matter. Linux is linux.

http://www.google.com/search?hl=en& … =f&oq=

Last edited by madpenguin (2009-02-08 05:13:18)


#19 2009-02-08 12:01:39

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hi,

Thanks for the info. I found some very informative info using your link to the google search. Will try to jail my lighttpd with PHP support. Thanks again.

Regards,
alpha


#20 2009-02-09 18:57:05

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

I made a simple script for you that may help in determining which libs you need to put in your chroot directory. Name it whatever you want, do a "chmod 755 whatever.sh" and then call it solo to see the help option: example - "./whatever.sh"

Code:

#!/ffp/bin/bash
# Lists the /ffp shared libraries a binary needs, so they can be copied
# into the chroot directory.

if [ -z "$1" ]; then
   echo
   echo "$0 Usage:"
   echo "This script will determine support libs needed for the"
   echo "correct operation of any given binary. Example usage:"
   echo "$0 php-cgi"
   echo && exit 1
fi

bin=$(which "$1") || { echo "$1: not found in PATH" >&2; exit 1; }

# ldd needs the linker cache to resolve library paths; build it if missing.
if [ ! -f /ffp/etc/ld.so.cache ]; then
   ldconfig
fi

# ldd prints "libfoo.so.1 => /ffp/lib/libfoo.so.1 (0x...)". Keep the /ffp path
# of each library (dots escaped so ".so" is matched literally), then let the
# shell glob list every version of it (libfoo.so, libfoo.so.1, ...).
for file in $(ldd "$bin" | grep -o "/ffp[^ ]*\.so" | sed 's/\.so$/.so*/'); do
   ls $file
done

Last edited by madpenguin (2009-02-09 18:59:10)


#21 2009-02-10 08:05:20

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hello,

Many thanks for the script. I'll try it today. It will be helpful.

Regards,
alpha


#22 2009-02-10 19:13:16

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hi,

I get an error using the script. The error says: "syntax error : word unexpected (expecting "do")". OK, I have no bash, but I changed the line "#!/ffp/bin/bash" to "#!/ffp/bin/sh", but it doesn't help. I'm sorry, but I'm not very good at shell programming, so I need your help.

Regards,
alpha


#23 2009-02-11 02:44:30

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

You need to hit the funplug site and install some packages. It's probably because of the crippled busybox binaries. Install bash, change the top line back and try again.

All that script does is give you the same ldd output, only cleaned up some. Hardly worth the fuss, but you should have bash installed anyway IMO...

Last edited by madpenguin (2009-02-11 02:45:44)


#24 2009-02-11 21:13:40

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hello,

I have nearly all info needed to chroot my php. Only one question. By the way... installing bash was helpful and your script works like a charm. Thanks !
So the question: you mentioned the $PATH environment variable. Excuse me for the stupid question, but where is it? OK, I didn't google this and I'm a little bit ashamed about it. I just looked at the lighttpd.conf file and there was the PHP binary path, but it was /ffp/bin, not /ffp/lib. So I think this is the only problem in solving my chrooting of PHP.

Regards,
alpha


#25 2009-02-11 21:33:07

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

Excuse me for saying so, but it seems you're trying to run a marathon without even training for it. I smoke a pack a day and would never dream of trying such a thing without quitting and taking up running first.

Read the sticky link at the top of the forum. "Getting started with linux" or whatever it says. Binaries and libraries are two different things. $PATH points to your installed binaries and $LD_LIBRARY_PATH points to your libraries.

You DON'T want to change your global $PATH. You'll break things severely. Go back and read those google links about chrooting lighttpd.
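Added example, not code from this thread and not madpenguin's script: it turns saved ldd output into the mirrored /ffp/lib and /ffp/bin layout a chroot needs, which is the point made above about needing /www/bin and /www/lib and about $PATH versus library paths. Inside server.chroot the dynamic loader looks for the same /ffp/lib/... paths, only under the new root, so nothing in your global $PATH or $LD_LIBRARY_PATH changes; the files have to exist at the mirrored locations. The ldd output, the host tree and the library files are constructed fixtures written to a temporary directory, so ldd itself is never run; the STRIP argument of populate_chroot exists only so the fixture's host prefix can be dropped, and is empty on a real NAS.

```shell
#!/bin/sh
# Added example, not code from the thread: turn 'ldd' output into the file layout
# a chroot needs. Inside server.chroot the dynamic loader resolves the same
# /ffp/lib/... paths, but under the new root, so each library (and the binary
# itself) must exist at the mirrored path. The ldd output and the files below
# are constructed fixtures; ldd itself is not run.

# ldd_paths: read ldd output on stdin, print each resolved absolute path.
# "not found" entries are reported on stderr so they are not silently skipped.
ldd_paths() {
    awk '
        /=> not found/ { print "missing: " $1 > "/dev/stderr"; next }
        /=>/           { if ($3 ~ /^\//) print $3; next }   # libfoo.so => /path (addr)
        $1 ~ /^\//     { print $1 }                          # the loader line has no "=>"
    '
}

# populate_chroot ROOT [STRIP]: read absolute paths on stdin and copy each to
# ROOT/<path with STRIP prefix removed>, creating directories; prints destinations.
populate_chroot() {
    root=$1; strip=${2:-}
    while IFS= read -r src; do
        rel=${src#"$strip"}
        dst=$root$rel
        mkdir -p "$(dirname "$dst")"
        cp -L "$src" "$dst"        # dereference symlinks so the real library lands in the jail
        echo "$dst"
    done
}

# --- constructed fixtures ---
base=$(mktemp -d)
host=$base/host          # stands in for the real filesystem
root=$base/www           # the chroot directory (server.chroot)
mkdir -p "$host/ffp/lib" "$host/ffp/bin"
echo "fake libc"   > "$host/ffp/lib/libc.so.0"
echo "fake crypt"  > "$host/ffp/lib/libcrypt.so.0"
echo "fake loader" > "$host/ffp/lib/ld-uClibc.so.0"
echo "fake php"    > "$host/ffp/bin/php-cgi"

LDD_OUT=$base/ldd.txt    # made-up output in the shape 'ldd /ffp/bin/php-cgi' prints
cat > "$LDD_OUT" <<EOF
        libcrypt.so.0 => $host/ffp/lib/libcrypt.so.0 (0x40020000)
        libc.so.0 => $host/ffp/lib/libc.so.0 (0x40030000)
        libxml2.so.2 => not found
        $host/ffp/lib/ld-uClibc.so.0 (0x40000000)
EOF

# build_jail: copy the binary plus everything ldd resolved; prints copied paths
build_jail() {
    { echo "$host/ffp/bin/php-cgi"; ldd_paths < "$LDD_OUT"; } | populate_chroot "$root" "$host"
}

build_jail
```

On the NAS the pipeline is ldd /ffp/bin/php-cgi | ldd_paths | populate_chroot /mnt/HD_a2/www (no STRIP argument), followed by copying php-cgi itself to the same relative path under the jail. Run ldd only on binaries you trust, since on many systems it works by invoking the dynamic loader on the program; a library reported as "not found" is printed on stderr rather than dropped, because a library missing inside the jail is one reason a jailed php-cgi fails to start.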
