Re: security.html

2016-09-25 Thread Theo de Raadt
> Hello,
> 
> I have a suggestion to reduce the amount of maintenance work
> necessary for errata.
> 
> Why not just have a link to errata.html on the security.html page,
> instead of each release's errata? Each release's errata is already
> accessible on the errata.html page anyway.
> 
> This is just a suggestion; whilst I think the current setup is easy to
> navigate, I imagine the change above can save some maintenance work
> on the developer end.

It moved to the way it is today because it is easy to maintain, and
easy for people to navigate.

Not all errata are for security.



security.html

2016-09-25 Thread bytevolcano
Hello,

I have a suggestion to reduce the amount of maintenance work
necessary for errata.

Why not just have a link to errata.html on the security.html page,
instead of each release's errata? Each release's errata is already
accessible on the errata.html page anyway.

This is just a suggestion; whilst I think the current setup is easy to
navigate, I imagine the change above can save some maintenance work
on the developer end.



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Alexander Hall
On Sun, Sep 25, 2016 at 11:29:46PM +0200, Alexander Hall wrote:
> On Sun, Sep 25, 2016 at 11:12:56PM +0300, Kihaguru Gathura wrote:
> 
> > B: Section 4 below: Why does running uptime program under chroot yield time
> > that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> > running uptime as root immediately after.
> 
> $ man localtime
> 
> specifically, you need to copy /etc/localtime into the chroot.

Hrm, lemme rephrase.  Within the chroot, reading /etc/localtime should
give you the contents of your local time zone file.  Outside the chroot,
it's normally a symlink into /usr/share/zoneinfo/.

/Alexander



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Alexander Hall
On Sun, Sep 25, 2016 at 11:12:56PM +0300, Kihaguru Gathura wrote:

> B: Section 4 below: Why does running uptime program under chroot yield time
> that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> running uptime as root immediately after.

$ man localtime

specifically, you need to copy /etc/localtime into the chroot.

/Alexander



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Kihaguru Gathura
Thank you for the ongoing suggestions. The web server in use is OpenBSD httpd,
and it sits on a private network, which is relevant to the security concerns.

Kind regards,

Kihaguru.

On Sun, Sep 25, 2016 at 11:57 PM, Alceu Rodrigues de Freitas Junior <
glasswal...@yahoo.com.br> wrote:

> On 25-09-2016 17:49, Alceu Rodrigues de Freitas Junior wrote:
>
>>
>> Last, but not least... not sure why C is your language of choice for CGI.
>>
>>
> And it looks like you're reinventing the wheel:
> https://httpd.apache.org/docs/2.4/mod/mod_status.html



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Alceu Rodrigues de Freitas Junior

On 25-09-2016 17:49, Alceu Rodrigues de Freitas Junior wrote:


Last, but not least... not sure why C is your language of choice for CGI.



And it looks like you're reinventing the wheel:
https://httpd.apache.org/docs/2.4/mod/mod_status.html




Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Raul Miller
A simple workaround might be to create a cron script which writes
uptime to a file once a minute.

If that is inadequate, it's probably worth getting into what problem
you are trying to solve.

I hope this helps,

-- 
Raul


On Sun, Sep 25, 2016 at 4:12 PM, Kihaguru Gathura
 wrote:
> Hi All,
>
> I have a small problem here. I am unable to display uptime online.
>
>
> THE PROBLEM:
>
> A: Section 6 below: Why is the system uptime string not displayed when the
> cgi script is run under chroot?
>
> B: Section 4 below: Why does running uptime program under chroot yield time
> that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> running uptime as root immediately after.
>
>
>
> 1: OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016
> 
>
>
>
> 2: DIRECTORY PERMISSIONS THE DEFAULT
>
> *
> # cd /var/www
> # ls -l
> total 40
> drwxr-xr-x  2 root  daemon  512 Feb 26  2016 bin
> drwx-T  2 www   daemon  512 Feb 26  2016 cache
> drwxr-xr-x  3 root  daemon  512 Sep 25 21:08 cgi-bin
> drwxr-xr-x  2 root  daemon  512 Aug 16 13:45 conf
> drwxr-xr-x  4 root  daemon  512 Aug 31 10:48 htdocs
> -rw---  1 www   daemon   69 Aug 27 08:15 htpasswd
> drwxr-xr-x  2 root  daemon  512 Sep 25 00:00 logs
> drwxr-xr-x  2 root  daemon  512 Sep 24 09:44 run
> drwxr-xr-x  5 root  daemon  512 Sep 21 16:38 usr
> drwxr-xr-x  3 root  daemon  512 Sep 24 00:28 var
> #
> **
>
>
>
> 3: A CGI PROGRAM NAMED MYUPTIMER THAT SHOULD DISPLAY SYSTEM UPTIME.
>
> **
> # vi /var/www/cgi-bin/myuptimer.c
> #include <stdio.h>   /* printf, fflush */
> #include <stdlib.h>  /* system */
>
> int main(void)
> {
>     /* CGI header; blank line ends the headers */
>     printf("Content-Type: text/plain;charset=us-ascii\n\n");
>     /* flush so the header reaches the client before the child's output */
>     fflush(stdout);
>     /* system(3) runs the command via /bin/sh, so the shell and uptime
>      * must both be reachable from the process's root directory */
>     system("/usr/bin/uptime");
>     fflush(stdout);
>
>     return 0;
> }
>
> **
>
>
>
> 4: INSTALLING AND TESTING UPTIME PROGRAM UNDER CHROOT
>
> 
> # cp /usr/bin/uptime  /var/www/usr/bin
> # cp /usr/lib/libkvm.so.16.1  /var/www/usr/lib
> # cp /usr/lib/libc.so.84.2  /var/www/usr/lib
> # cp /usr/libexec/ld.so  /var/www/usr/libexec
> # cp /var/run/utmp  /var/www/var/run
> #
> # chroot -u www /var/www uptime
>  6:54PM   up  1  day,  12:09, 2 users, load averages: 0.11, 0.13, 0.18
> #
> # uptime
>  9:54PM   up  1  day,  12:09, 1 user, load average: 0.11, 0.12, 0.13
> *
>
>
>
> 5: RUNNING MYUPTIMER CGI PROGRAM  AS ROOT YIELDS GOOD RESULT
>
> **
> # /var/www/cgi-bin/myuptimer.cgi
> Content-Type: text/plain;charset=us-ascii
>
>  9:54PM   up  1  day, 12:10, 1 user, load averages: 0.10, 0.12, 0.17
> ***
>
>
>
> 6: HOWEVER RUNNING MYUPTIMER CGI PROGRAM UNDER CHROOT NOT SO:
> DISPLAYS OTHER TEXT BUT THE UPTIME STRING IS NOT OUTPUT.
>
> **
> # chroot -u www /var/www /cgi-bin/myuptimer.cgi
> Content-Type: text/plain;charset=us-ascii
>
>
> ***
>
>
>
>
>
> Regards,
>
> Kihaguru.



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Alceu Rodrigues de Freitas Junior

On 25-09-2016 17:12, Kihaguru Gathura wrote:

Hi All,

I have a small problem here. I am unable to display uptime online.



Yes, you have a conceptual problem. You're writing a CGI that executes a 
binary. If, for any reason, /usr/bin/uptime is replaced with a malicious 
program, you're in trouble.


I don't even know the details of chroot on OpenBSD, but an educated guess 
is that in such an environment you can't access some resources 
uptime needs; that's why you can do it as root.


Since you're already dealing with C code, I recommend checking the 
uptime source code and seeing what it does. Anyway, system() under a CGI 
environment will create a second (short-lived) process that you can 
avoid if you reproduce what the uptime code does in your CGI.


Also, I'm not a C programmer, but I guess somewhere there is a library 
you can include in your CGI instead of doing system().


Last, but not least... not sure why C is your language of choice for CGI.
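As an added example, not code from this thread, from OpenBSD or from the uptime(1) sources, here is what the two pieces of advice above look like in C: report uptime and load averages from inside the CGI itself instead of spawning /usr/bin/uptime (no shell and no extra binary, shared libraries or utmp copy needed in the chroot), and check for the /etc/localtime file that Alexander's reply says must be copied into the chroot for local time to be right. It assumes that clock_gettime(CLOCK_MONOTONIC) counts from boot (true on OpenBSD; on Linux it excludes time spent suspended) and that getloadavg(3) is available (OpenBSD and glibc both provide it). The function and file names are mine.

```c
/*
 * Added example: a CGI that prints an uptime(1)-style line without
 * system(3).  Everything comes from system calls and libc, so the
 * only files the chrooted binary touches are /etc/localtime (for the
 * clock display) and the binary itself.
 */
#define _DEFAULT_SOURCE   /* expose clock_gettime/getloadavg on glibc; ignored on OpenBSD */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/*
 * Format seconds-since-boot the way uptime(1) does ("1 day, 12:09").
 * Assumption: a negative value means the clock could not be read.
 * Returns a pointer to a static buffer, which is fine for a
 * single-threaded CGI process.
 */
const char *uptime_string(long secs)
{
    static char buf[64];
    long days, hours, mins;

    if (secs < 0)
        return "unknown";
    days = secs / 86400;
    hours = (secs % 86400) / 3600;
    mins = (secs % 3600) / 60;
    if (days > 0)
        snprintf(buf, sizeof buf, "%ld day%s, %ld:%02ld",
                 days, days == 1 ? "" : "s", hours, mins);
    else
        snprintf(buf, sizeof buf, "%ld:%02ld", hours, mins);
    return buf;
}

/* Seconds since boot from the monotonic clock: no libkvm, no /var/run/utmp. */
long uptime_seconds(void)
{
    struct timespec ts;

    if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0)
        return -1;
    return (long)ts.tv_sec;
}

/*
 * Inside the chroot, /etc/localtime is resolved relative to the new root.
 * It must be a copy of the zone file, not the usual symlink into
 * /usr/share/zoneinfo/, because the symlink target does not exist there.
 */
int have_localtime_file(void)
{
    return access("/etc/localtime", R_OK) == 0;
}

int main(void)
{
    char now[16];
    double load[3];
    time_t t = time(NULL);
    struct tm *tm = localtime(&t);

    printf("Content-Type: text/plain;charset=us-ascii\n\n");
    /* %I:%M%p is standard C, so the line looks like " 9:54PM" */
    if (tm != NULL && strftime(now, sizeof now, "%I:%M%p", tm) > 0)
        printf("%s  ", now);
    printf("up %s", uptime_string(uptime_seconds()));
    if (getloadavg(load, 3) == 3)
        printf(", load averages: %.2f, %.2f, %.2f", load[0], load[1], load[2]);
    printf("\n");
    if (!have_localtime_file())
        printf("(warning: /etc/localtime not found in this root; clock shown is UTC)\n");
    return 0;
}
```

Compile it statically or confirm with ldd that its shared libraries exist under /var/www before running it as www via chroot -u www /var/www, exactly as the original post does with the system()-based version; if the clock is still off by the zone offset, the warning line points at the missing /etc/localtime copy.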



Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Kihaguru Gathura
Hi All,

I have a small problem here. I am unable to display uptime online.


THE PROBLEM:

A: Section 6 below: Why is the system uptime string not displayed when the
cgi script is run under chroot?

B: Section 4 below: Why does running uptime program under chroot yield time
that is not accurate? 6:54PM while the actual time was 9:54PM produced by
running uptime as root immediately after.



1: OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016




2: DIRECTORY PERMISSIONS THE DEFAULT

*
# cd /var/www
# ls -l
total 40
drwxr-xr-x  2 root  daemon  512 Feb 26  2016 bin
drwx-T  2 www   daemon  512 Feb 26  2016 cache
drwxr-xr-x  3 root  daemon  512 Sep 25 21:08 cgi-bin
drwxr-xr-x  2 root  daemon  512 Aug 16 13:45 conf
drwxr-xr-x  4 root  daemon  512 Aug 31 10:48 htdocs
-rw---  1 www   daemon   69 Aug 27 08:15 htpasswd
drwxr-xr-x  2 root  daemon  512 Sep 25 00:00 logs
drwxr-xr-x  2 root  daemon  512 Sep 24 09:44 run
drwxr-xr-x  5 root  daemon  512 Sep 21 16:38 usr
drwxr-xr-x  3 root  daemon  512 Sep 24 00:28 var
#
**



3: A CGI PROGRAM NAMED MYUPTIMER THAT SHOULD DISPLAY SYSTEM UPTIME.

**
# vi /var/www/cgi-bin/myuptimer.c
#include <stdio.h>   /* printf, fflush */
#include <stdlib.h>  /* system */

int main(void)
{
    /* CGI header; blank line ends the headers */
    printf("Content-Type: text/plain;charset=us-ascii\n\n");
    /* flush so the header reaches the client before the child's output */
    fflush(stdout);
    /* system(3) runs the command via /bin/sh, so the shell and uptime
     * must both be reachable from the process's root directory */
    system("/usr/bin/uptime");
    fflush(stdout);

    return 0;
}

**



4: INSTALLING AND TESTING UPTIME PROGRAM UNDER CHROOT


# cp /usr/bin/uptime  /var/www/usr/bin
# cp /usr/lib/libkvm.so.16.1  /var/www/usr/lib
# cp /usr/lib/libc.so.84.2  /var/www/usr/lib
# cp /usr/libexec/ld.so  /var/www/usr/libexec
# cp /var/run/utmp  /var/www/var/run
#
# chroot -u www /var/www uptime
 6:54PM   up  1  day,  12:09, 2 users, load averages: 0.11, 0.13, 0.18
#
# uptime
 9:54PM   up  1  day,  12:09, 1 user, load average: 0.11, 0.12, 0.13
*



5: RUNNING MYUPTIMER CGI PROGRAM  AS ROOT YIELDS GOOD RESULT

**
# /var/www/cgi-bin/myuptimer.cgi
Content-Type: text/plain;charset=us-ascii

 9:54PM   up  1  day, 12:10, 1 user, load averages: 0.10, 0.12, 0.17
***



6: HOWEVER RUNNING MYUPTIMER CGI PROGRAM UNDER CHROOT NOT SO:
DISPLAYS OTHER TEXT BUT THE UPTIME STRING IS NOT OUTPUT.

**
# chroot -u www /var/www /cgi-bin/myuptimer.cgi
Content-Type: text/plain;charset=us-ascii


***





Regards,

Kihaguru.