Hello,
Running the March 10 snapshot, I've got httpd set up with slowcgi happily
churning out scripts. However, I've run into a permissions issue trying
to run /sbin/pfctl from within a script.
Default permissions on /dev/pf...
alix:/home/admin $ ls -lh /dev/pf
crw------- 1 root wheel 73, 0 Mar 11 15:03 /dev/pf
CGI script:
#!/bin/ksh
printf "Content-type: text/html\n\n"
printf "Hello!\n"
printf "\n"
printf "`pfctl -sr`"
doas.conf:
permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
httpd debug output:
pfctl: /dev/pf: Permission denied
captive_user 10.0.0.56 - - [25/Mar/2016:09:56:22 -0700] "GET /cgi-bin/test.cgi HTTP/1.1" 200 0
When the script and doas.conf are set up as below, the httpd output is
slightly different.
CGI script:
#!/bin/ksh
printf "Content-type: text/html\n\n"
printf "Hello!\n"
printf "\n"
printf "`doas pfctl -sr`"
         ^^^^
doas.conf:
permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
permit nopass www as root cmd /sbin/pfctl
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
httpd debug output:
doas: Operation not permitted
captive_user 10.0.0.56 - - [25/Mar/2016:10:06:59 -0700] "GET /cgi-bin/test.cgi HTTP/1.1" 200 0
Short of changing permissions on /dev/pf, am I missing something with
doas?
dmesg output:
OpenBSD 5.9-current (GENERIC) #1584: Thu Mar 10 21:02:23 MST 2016
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 267931648 (255MB)
avail mem = 250359808 (238MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
...snip
Any help is appreciated.
Regards,
--
Byron Klippert
[email protected]
c. 867-336-1306
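
Added example, not part of the original post: the second doas.conf rule above lets the www user run /sbin/pfctl as root with any arguments, which covers far more than the read-only `-sr` listing the script needs. The fragment below shows that rule beside a narrower one using the `args` keyword from doas.conf(5). It only tightens the rule and does not address the errors shown in the post.

```conf
# doas.conf fragment (added example; the rule text is taken from the post,
# the "args" restriction is the addition).

# As posted: www may run /sbin/pfctl as root with ANY arguments.
# A CGI script, or anything else running as www, could also load,
# flush or disable the ruleset through this rule.
#permit nopass www as root cmd /sbin/pfctl

# Narrowed: www may run exactly "/sbin/pfctl -sr" as root.
# With "args", the command line must match the listed arguments
# exactly; any other pfctl invocation by www is refused.
permit nopass www as root cmd /sbin/pfctl args -sr
```

The invocation that corresponds to the narrowed rule is `doas /sbin/pfctl -sr`, using the same absolute path that the rule names.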