Hi Don,

You asked about the security of owfs - specifically placing the 1-wire
directory in the server tree. I suspect you are relatively safe, but let's
analyze the possible risks:

1. Files
The files created by owfs are not real files -- they don't write to your
hard disk and disappear when owfs stops running. It's also not possible to
navigate outside the 1-wire directory, at least within owfs. Even if the
directory is in the document section and directly readable with the web
browser, the worst that could happen is direct access to the 1-wire devices.

2. Memory consumption
owfs uses a (relatively) small amount of memory for each physical 1-wire
device (<20K), and you have control of the physical 1-wire bus. As far as I
can tell, there are no memory leaks in the current version, and we do test.

3. CPU usage
The 1-wire bus is relatively slow and very little computation is needed in
any access. Some of the hardware requires polling at a low level (i2c) and
very heavy usage might show a noticeable effect on a slow machine. The
effect is bounded. You can test by running a tight loop from the command
line (`while : ; do cat 1wire/10.123123123/temphigh ; done`) and see if the
machine becomes sluggish. This would be a worst case test since any
overhead in your server code would protect the hardware.

4. Threads
owfs uses threads heavily. Besides some fixed number there would be 1 per
concurrent query per bus (at worst). This would not be much different than
your server's limitations (too many concurrent requests can put pressure on
server resources) and your server probably has protective limits that can
be set.

5. Direct hardware control.
Here is probably the biggest risk. owfs needs to talk to the bus masters,
which requires hardware access. This is set from the command line, so users
cannot change hardware access. There have been bugs in the linux server
implementation of the w1 driver in the past that could cause a kernel oops.
Apparently now fixed. USB, serial, network and i2c are all apparently safe.

6. 1-wire
Some 1-wire devices can control lights, switches, LCD screens, etc. Adding
"readonly" to the command line should prevent control, but I'd test. There
are also chips that have "write-one" memory that could be used up by users.
Some chips also have writable bits that lock the hardware. In general the
standard 1-wire devices used in home automation are pretty safe.

So I'd not worry too much about 1-wire security. The biggest threat is
probably the nuisance effect of too many read requests for a slow process
(like temperature) swamping the 1-wire bus and slowing the response time of
the 1-wire system.

Paul Alfille
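The two checks suggested in items 3 and 6 above, written out as a small POSIX shell script. This is an added example, not code from Paul's message or from the owfs project. The read loop is the "worst case" test from item 3 (count successful and failed reads and how long they took); the write probe is the "I'd test" from item 6 (confirm that a mount started with --readonly actually rejects a write). The paths in the comments are assumptions; on a writable mount the write probe really does write to the attribute you point it at, so it is opt-in through a separate variable.

```sh
#!/bin/sh
# Added example (not from the original post): worst-case read load and
# read-only verification for an owfs FUSE mount.
#
# Assumed usage on a machine running owfs (paths are assumptions):
#   OWFS_FILE=/srv/http/1wire/10.123123123/temphigh sh owfs_check.sh
#   OWFS_WRITE_PROBE=/srv/http/1wire/10.123123123/temphigh sh owfs_check.sh

# read_loop FILE COUNT
# Reads FILE COUNT times in a tight loop, like the one-liner in item 3,
# and prints three numbers: successful reads, failed reads, elapsed seconds.
read_loop() {
    file=$1
    count=$2
    ok=0
    failed=0
    i=0
    start=$(date +%s)
    while [ "$i" -lt "$count" ]; do
        if cat "$file" >/dev/null 2>&1; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
        fi
        i=$((i + 1))
    done
    end=$(date +%s)
    echo "$ok $failed $((end - start))"
}

# write_rejected FILE
# Returns 0 when a write to FILE fails (what a --readonly mount should do)
# and 1 when the write is accepted. On a mount without --readonly this
# DOES write the value to the 1-wire attribute, so only point it at a file
# you are willing to change.
write_rejected() {
    if printf '1\n' > "$1" 2>/dev/null; then
        return 1
    fi
    return 0
}

if [ -n "${OWFS_FILE:-}" ]; then
    # 200 back-to-back reads of one slow attribute is plenty to see whether
    # the machine gets sluggish; bump the count on faster hardware.
    set -- $(read_loop "$OWFS_FILE" 200)
    echo "reads: ok=$1 failed=$2 seconds=$3"
fi

if [ -n "${OWFS_WRITE_PROBE:-}" ]; then
    if write_rejected "$OWFS_WRITE_PROBE"; then
        echo "write to $OWFS_WRITE_PROBE rejected: read-only behaves as expected"
    else
        echo "WARNING: write to $OWFS_WRITE_PROBE was accepted; mount is not read-only"
    fi
fi
```

Run the read loop while fetching the PHP page in another terminal: if the page still answers promptly, the bounded CPU effect Paul describes is small enough on your hardware. A rejected write with `--readonly` and an accepted one without it is the confirmation item 6 asks for.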
On Mon, Apr 8, 2013 at 2:03 AM, Don Veino <[email protected]> wrote:

> I'm not a programmer but mess about to get things done. I was trying to
> set up a low usage php page to show some owfs data and was trying to suss
> out the OWNet php stuff. I believe I've come to realize that the Arch Linux
> ARM (ALARM) owfs package does not include OWNet php support, and I likely
> would need help to figure it out if it did. So I tried to simply display
> some file content from the owfs directory and ran into PHP not being able
> to read the files (presumably because they were outside the web root). I
> had a brainstorm as a result: instead of using /tmp/1wire as the owfs
> directory, why not create a directory within the web root, e.g.:
> /srv/http/1wire?
>
> So now I use an owfs invocation of:
> owfs -F -s 4304 --allow_other --readonly /srv/http/1wire
>
> And I have a php page which uses lines like:
> $hum = file_get_contents('./1wire/26.0CB401000000/humidity');
> echo "<p>Humidity: ", $hum, "%</p>";
>
> This is all being done on a dedicated ARM machine (Seagate DockStar) with
> no other critical or sensitive data on it. My router is set to port forward
> to this machine from obscure ports for ssh/22 (using key auth.), web
> server/80, and owhttp/3001 (--readonly).
>
> Am I opening myself for disaster having this owfs mount directory in the
> web root or should this be secure? I'd hate to be opening up my network to
> hacking.
>
> Thanks,
> Don
>
>
> ------------------------------------------------------------------------------
> Minimize network downtime and maximize team effectiveness.
> Reduce network management and security costs. Learn how to hire
> the most talented Cisco Certified professionals. Visit the
> Employer Resources Portal
> http://www.cisco.com/web/learning/employer_resources/index.html
> _______________________________________________
> Owfs-developers mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/owfs-developers
>
>