DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.


#26 2009-02-11 22:03:22

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

madpenguin wrote:

Excuse me for saying so, but it seems you're trying to run a marathon without even training for it. I smoke a pack a day and would never dream of trying such a thing without quitting and taking up running first. wink

That's ok... I understand how it looks to you. Believe me or not, but I'm a programmer (not linux of course) and I'm so busy that sometimes I want to shoot myself. So that's why the questions are sooooo stupid. Sorry.

madpenguin wrote:

Read the sticky link at the top of the forum. "Getting started with linux" or whatever it says. binaries and libraries are 2 different things. $PATH points to your installed binaries and $LD_LIBRARY_PATH points to your libraries.

You DON'T want to change your global $PATH. You'll break things severely. Go back and read those google links about chrooting lighttpd.

Ok, I'll check the links and promise no more stupid questions before googling wink

Regards,
alpha


#27 2009-02-15 19:44:26

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hello,

I've googled and googled, then tried to jail php, but .... no success. OK, this is what I've done:

1. Using madpenguin's script I found out which libraries "php-cgi", "php" and "lighttpd" use and copied these to /wwwroot/lib
2. Copied /ffp/bin/php-cgi, /ffp/bin/php, /ffp/sbin/lighttpd to /wwwroot/bin
3. Copied /ffp/etc/lighttpd.conf and /ffp/etc/php.ini to /wwwroot/etc
4. Changed lighttpd.conf to use php, put www into jail
5. Started lighttpd and got error:

Code:

2009-02-15 17:12:54: (log.c.97) server started 
2009-02-15 17:12:54: (mod_fastcgi.c.924) bind failed for: unix:/mnt/HD_a2/www/tmp/php-cgi.socket-0 No such file or directory 
2009-02-15 17:12:54: (mod_fastcgi.c.1365) [ERROR]: spawning fcgi failed. 
2009-02-15 17:12:54: (server.c.897) Configuration of plugins failed. Going down.

6. Tried to change lighttpd.conf to not use php and started - success
7. Tried to run lighttpd with not chrooted php - success

OK, I'm not asking you to tell me what to do, but at least give me some directions on what I can do next. I'm totally confused here.

Regards,
alpha


#28 2009-02-15 20:45:03

RunaR
Member
Registered: 2008-08-14
Posts: 49

Re: Request for secure setup info for lighttpd

Looks like the /mnt/HD_a2/www/tmp/ directory is not accessible when lighttpd is chrooted. Better change the php path to tmp/ (The original php-path minus the chrooted path)


#29 2009-02-15 21:09:14

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hi,

Thanks for the fast reply. I set the php socket dir to /mnt/HD_a2/tmp, but I got the same error. I even set chmod 777, but the error is still the same. Maybe some other ideas?

Regards,
alpha


#30 2009-02-15 22:15:51

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Now I've tried to set socket directory as in original lighttpd.conf file. I set it to /tmp and got this error:

Code:

2009-02-15 20:10:41: (log.c.97) server started 
2009-02-15 20:10:41: (mod_fastcgi.c.1051) the fastcgi-backend /mnt/HD_a2/www/bin/php-cgi failed to start: 
2009-02-15 20:10:41: (mod_fastcgi.c.1055) child exited with status 2 /mnt/HD_a2/www/bin/php-cgi 
2009-02-15 20:10:41: (mod_fastcgi.c.1058) If you're trying to run PHP as a FastCGI backend, make sure you're using the FastCGI-enabled version.
You can find out if it is the right one by executing 'php -v' and it should display '(cgi-fcgi)' in the output, NOT '(cgi)' NOR '(cli)'.
For more information, check http://trac.lighttpd.net/trac/wiki/Docs%3AModFastCGI#preparing-php-as-a-fastcgi-programIf this is PHP on Gentoo, add 'fastcgi' to the USE flags. 
2009-02-15 20:10:41: (mod_fastcgi.c.1365) [ERROR]: spawning fcgi failed. 
2009-02-15 20:10:41: (server.c.897) Configuration of plugins failed. Going down.

Now I'm confused like never before in my life. Please give me some suggestions.

Regards,
alpha


#31 2009-02-16 19:39:00

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hi,

Ok, I see no one wants to help smile (just kidding). I found "/ffp/bin/php-config". Please tell me what this file is used for? I saw lots of paths inside this file and every path was pointing to /ffp. I tried to change it, but no success. Please, someone....

Regards,
alpha


#32 2009-02-17 21:58:16

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hello,

Ok, I have used strace on /wwwroot/bin/php-cgi and found that php-cgi tries to load libraries from /ffp/lib, not from /wwwroot/lib. Please guys, I'm really stuck now. Help !

Regards,
alpha


#33 2009-02-19 18:27:27

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hello,

Silence in this thread is killing me. I think there must be only two possibilities for that:
1. Everyone has set up chrooted lighttpd+php and no one can understand why I ask such stupid questions.
2. No one knows how to set up chrooted lighttpd+php and sits silent (I don't believe it) smile

So please write something here. At least "I can't configure chrooted lighttpd+php and have issues like you"
or "I have configured lighttpd+php successfully and don't want to help you". Now I have no idea how many people
have the same issues and how they deal with them.
Ok, I've read lots of links and how-tos, but can't find the answer. So.... I'll wait for any answer here.

Regards,
alpha


#34 2009-02-21 05:18:28

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

As to your first issue with the tmp directory, why not change your lighttpd.conf to say:

Code:

fastcgi.server = ( ".php" => ((
    "bin-path"  => "/wwwroot/bin/php-cgi",
    "socket"    => "/wwwroot/tmp/php-cgi.socket",
    "max-procs" => 1,
    "idle-timeout" => 10
)))

Then:
mkdir /wwwroot/tmp
chmod 777 /wwwroot/tmp

You've got to change all that stuff. Server logs and everything. Or crap.... Maybe if you put the above, it's actually going to be looking for /wwwroot/wwwroot/tmp.... You are trying to chroot after all. Maybe if you just put "/tmp" in there, it'll actually be looking at /wwwroot/tmp.... Don't know. Never messed with it.

Try to work around the ffp/lib issue by doing something like this:

mkdir /wwwroot/ffp
cd /wwwroot/ffp
ln -sf ../lib .

Use your imagination. Make it work!!! wink

I'm assuming you have chrooted lighttpd and when it says it can't find /ffp/lib, it actually can't find /wwwroot/ffp/lib

I've never done this stuff and I'm sure most people here haven't either. That's why you're not getting any responses. That and the people willing to toss you suggestions (like myself) don't visit here but once a week or so....

Keep at it. You'll get it. Then you can post back and tell us what you did.

Last edited by madpenguin (2009-02-21 05:24:11)


#35 2009-02-21 08:47:36

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hello,

First of all thank you very much for helping and answering. I'm really happy because I want to do chroot very very much smile

madpenguin wrote:

As to your first issue with the tmp directory, why not change your lighttpd.conf to say:

Code:

fastcgi.server = ( ".php" => ((
    "bin-path"  => "/wwwroot/bin/php-cgi",
    "socket"    => "/wwwroot/tmp/php-cgi.socket",
    "max-procs" => 1,
    "idle-timeout" => 10
)))

Then:
mkdir /wwwroot/tmp
chmod 777 /wwwroot/tmp

You've got to change all that stuff. Server logs and everything. Or crap.... Maybe if you put the above, it's actually going to be looking for /wwwroot/wwwroot/tmp.... You are trying to chroot after all. Maybe if you just put "/tmp" in there, it'll actually be looking at /wwwroot/tmp.... Don't know. Never messed with it.

I did this and ran some tests. Nothing helped, but I gained some knowledge. If you write '/wwwroot/tmp/php-cgi.socket' for tmp, then error.log shows that lighttpd searches for '/wwwroot/tmp/php-cgi.socket', and if I write '/tmp/php-cgi.socket' for tmp in lighttpd.conf, I can see that lighttpd searches for '/tmp/php-cgi.socket'. So you have the settings for fastcgi.server in lighttpd.conf and the system does not add the chroot prefix to them.

madpenguin wrote:

Try to work around the ffp/lib issue by doing something like this:

mkdir /wwwroot/ffp
cd /wwwroot/ffp
ln -sf ../lib .

Use your imagination. Make it work!!! wink

This is the case, I think !!!!!!! You're the man !!! I'll try this today. Somehow I think it will work. I'll try it and write here.

One more thing that I did not like. I did this:

Code:

chroot /mnt/HD_a2/www /bin/php-cgi

.. and got the error "chroot: cannot execute /bin/php-cgi: No such file or directory"
/mnt/HD_a2/www is my /wwwroot
So I do not understand why I have this problem.

Regards,
alpha


#36 2009-02-21 20:00:22

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hello all,

That's it! Everything works! Thank you very much madpenguin for the help. I could not have done it without your help. And here is what I did:
I did not use any symbolic links; I just created the /wwwroot/ffp folder and copied the folders from /wwwroot/bin, /wwwroot/etc and /wwwroot/lib there. So I got the folders /wwwroot/ffp/bin, /wwwroot/ffp/etc and /wwwroot/ffp/lib. As I mentioned, I didn't use symlinks, but just copied all the libraries needed for 'php' and 'php-cgi'. I needed these libraries:

Code:

-rwxr-xr-x    1 lighttpd webusers    20.7k Feb 15 18:54 ld-uClibc.so.0
-rw-r--r--    1 lighttpd webusers      255 Feb 15 18:54 libc.so
-rw-r--r--    1 lighttpd webusers   315.1k Feb 15 18:54 libc.so.0
-rw-r--r--    1 lighttpd webusers    12.7k Feb 15 18:51 libcrypt.so
-rw-r--r--    1 lighttpd webusers    12.7k Feb 15 18:51 libcrypt.so.0
-r-xr-xr-x    1 lighttpd webusers     1.2M Feb 15 18:51 libcrypto.so
-r-xr-xr-x    1 lighttpd webusers     1.2M Feb 15 18:52 libcrypto.so.0.9.8
-rw-r--r--    1 lighttpd webusers     8.9k Feb 15 18:53 libdl.so
-rw-r--r--    1 lighttpd webusers     8.9k Feb 15 18:53 libdl.so.0
-rw-r--r--    1 lighttpd webusers   891.9k Feb 15 18:53 libiconv.so
-rw-r--r--    1 lighttpd webusers   891.9k Feb 15 18:53 libiconv.so.2
-rw-r--r--    1 lighttpd webusers   891.9k Feb 15 18:54 libiconv.so.2.4.0
-rw-r--r--    1 lighttpd webusers    73.0k Feb 15 18:52 libm.so
-rw-r--r--    1 lighttpd webusers    73.0k Feb 15 18:52 libm.so.0
-rwxr-xr-x    1 lighttpd webusers   132.8k Feb 15 18:57 libpcre.so
-rwxr-xr-x    1 lighttpd webusers   132.8k Feb 15 18:58 libpcre.so.0
-rwxr-xr-x    1 lighttpd webusers   132.8k Feb 15 18:58 libpcre.so.0.0.1
-r-xr-xr-x    1 lighttpd webusers   233.3k Feb 15 18:51 libssl.so
-r-xr-xr-x    1 lighttpd webusers   233.3k Feb 15 18:51 libssl.so.0.9.8
-rwxr-xr-x    1 lighttpd webusers     1.1M Feb 15 18:53 libxml2.so
-rwxr-xr-x    1 lighttpd webusers     1.1M Feb 15 18:53 libxml2.so.2
-rwxr-xr-x    1 lighttpd webusers     1.1M Feb 15 18:53 libxml2.so.2.6.31
-rwxr-xr-x    1 lighttpd webusers    83.8k Feb 15 18:52 libz.so
-rwxr-xr-x    1 lighttpd webusers    83.8k Feb 15 18:52 libz.so.1
-rwxr-xr-x    1 lighttpd webusers    83.8k Feb 15 18:52 libz.so.1.2.3

I did not change any permissions for the files copied from /ffp, but I changed the ownership to lighttpd. Then I configured the lighttpd.conf file according to the new path and finished. Everything is working !!!
I used the 'ps' command to see the running processes and saw that php-cgi runs from /ffp/bin. So I thought maybe it somehow runs outside the chroot and did a little test. I set permissions 444 on /wwwroot/ffp/bin/php-cgi, started lighttpd and got the same error as every time. So now I'm sure that php-cgi runs from the chroot. So the work is done, the case is closed, and thank you madpenguin !

Regards,
alpha
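
Added example (not part of any post in this thread): the layout above works because php-cgi looks for its loader and libraries under /ffp/lib, as the strace in post #32 showed, so those absolute paths must exist below the jail directory. The script checks an ldd-style listing against a jail; the function names, the sample listing and the empty stand-in files are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: ldd-style output for a php-cgi that expects /ffp/lib.
SAMPLE_LDD='    libz.so.1 => /ffp/lib/libz.so.1 (0x00000000)
    libc.so.0 => /ffp/lib/libc.so.0 (0x00000000)
    /ffp/lib/ld-uClibc.so.0 (0x00000000)'

# Read ldd-style lines on stdin and print every absolute path that does
# not exist at the same path below the jail directory given as $1.
missing_in_jail() {
    jail=$1
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
    while IFS= read -r path; do
        [ -e "$jail$path" ] || printf '%s\n' "$path"
    done
}

# Build a throwaway jail: "flat" puts the libraries in <jail>/lib (the first
# attempt in the thread), "ffp" puts them in <jail>/ffp/lib (the working one).
make_jail() {
    layout=$1
    jail=$(mktemp -d) || return 1
    case $layout in
        flat) libdir=$jail/lib ;;
        ffp)  libdir=$jail/ffp/lib ;;
        *)    return 1 ;;
    esac
    mkdir -p "$libdir"
    for f in libz.so.1 libc.so.0 ld-uClibc.so.0; do
        : > "$libdir/$f"    # empty stand-ins for the real libraries
    done
    printf '%s\n' "$jail"
}

flat=$(make_jail flat)
ffp=$(make_jail ffp)
echo "flat layout, missing inside the jail:"
printf '%s\n' "$SAMPLE_LDD" | missing_in_jail "$flat"
echo "ffp layout, missing inside the jail:"
printf '%s\n' "$SAMPLE_LDD" | missing_in_jail "$ffp"
rm -rf "$flat" "$ffp"
```

A missing loader path inside the jail is also consistent with the "No such file or directory" error from the manual chroot test in post #35, even though the binary itself was present.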


#37 2009-02-22 18:26:13

madpenguin
Member
Registered: 2008-12-25
Posts: 77

Re: Request for secure setup info for lighttpd

Good job!

I almost think it would be better if one were to just recompile the programs needed to have a --prefix=/wwwroot.....

I think this whole exercise borders on the paranoid side, so.... That being the case, you might not want an ffp directory inside your chroot. If anyone ever did gain access thru lighttpd (probably extremely unlikely), it would show that you're running on a Dlink NAS.... Best to keep the server platform anonymous but whatever...

For that matter, it's also a good idea not to broadcast your server string in the footer of a directory listing. You can set your "server.tag" to be blank or mimic an apache string.

Hiding README.txt files in a directory listing (dir-listing.exclude) might also prevent someone from saying "ah.... lighttpd".... Adding icons with "dir-listing.external-css" also helps to mask the default look of lighttpd as well as sprucing things up a bit...

If you're going to be paranoid, you might as well be paranoid...


#38 2009-02-22 18:49:28

alpha
Member
From: Lithuania
Registered: 2008-10-06
Posts: 88

Re: Request for secure setup info for lighttpd

Hi,

Maybe it is a little bit paranoid, but your newly suggested security is just super. It's a very good idea to hide your web server and the platform it is running on. I'll try to put these security tips into practice. Maybe I'm too paranoid (keeping in mind that I'm running behind a DD-WRT enabled router), but I like it smile
Thanks for tips !

Regards,
alpha


#39 2010-03-09 23:22:49

philpontif
New member
Registered: 2010-03-09
Posts: 1

Re: Request for secure setup info for lighttpd

Have attempted to set things up as documented here - just doing the simple web server at this time.  Got it to work and then tried to implement the security setup per the above string.  My problem is when I reboot the DNS-323 the userid and group that I created (lighttpd) have been removed from the passwd and group files in /etc.  I checked before rebooting and they were there.  Even tried recreating them but again after rebooting, they were no longer there.  I'm running firmware 1.08 so not sure if this might be a feature or not.  Any ideas?


#40 2010-03-10 04:56:18

leech1980
Member
Registered: 2008-09-12
Posts: 29

Re: Request for secure setup info for lighttpd

philpontif wrote:

Have attempted to set things up as documented here - just doing the simple web server at this time.  Got it to work and then tried to implement the security setup per the above string.  My problem is when I reboot the DNS-323 the userid and group that I created (lighttpd) have been removed from the passwd and group files in /etc.  I checked before rebooting and they were there.  Even tried recreating them but again after rebooting, they were no longer there.  I'm running firmware 1.08 so not sure if this might be a feature or not.  Any ideas?

If you added the user lighttpd via command line (versus the web gui), did you store the user/password via the command

Code:

store-passwd.sh

?
