Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-27 Thread Kihaguru Gathura
And finally,

Conclusion.

(A: Section 6 below: Why is the system uptime string not displayed when the
cgi script is run under chroot?)

/bin/sh is needed at chroot for command interpretation.


(B: Section 4 below: Why does running uptime program under chroot yield
time that is not accurate? 6:54PM while the actual time was 9:54PM produced by
running uptime as root immediately after.)

/etc/localtime is needed at chroot for correct local time. (by Alexander)

//
# chroot -u www /var/www /cgi-bin/myuptimer.cgi
Content-Type: text/plain;charset=us-ascii

 1:31PM   up   3:24, 1 user, load averages: 0.06, 0.08, 0.08
//

However, the cron script workaround (by Raul) should be adopted for
security reasons as suggested unanimously.

Thanks to all.

Kihaguru


On Mon, Sep 26, 2016 at 7:19 PM, Stuart Henderson 
wrote:

> On 2016-09-25, Kihaguru Gathura  wrote:
> > Thank you for ongoing suggestions. The web server in use is OpenBSD httpd
> > and on a private network environment in perspective of security concerns.
>
> Raul's suggestion, "A simple workaround might be to create a cron script
> which writes uptime to a file once a minute", seems far saner from a
> security point of view than letting anyone who can hit port 80 execute
> a program.



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-26 Thread Stuart Henderson
On 2016-09-25, Kihaguru Gathura  wrote:
> Thank you for ongoing suggestions. The web server in use is OpenBSD httpd
> and on a private network environment in perspective of security concerns.

Raul's suggestion, "A simple workaround might be to create a cron script
which writes uptime to a file once a minute", seems far saner from a
security point of view than letting anyone who can hit port 80 execute
a program.



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Alexander Hall
On Sun, Sep 25, 2016 at 11:29:46PM +0200, Alexander Hall wrote:
> On Sun, Sep 25, 2016 at 11:12:56PM +0300, Kihaguru Gathura wrote:
> 
> > B: Section 4 below: Why does running uptime program under chroot yield time
> > that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> > running uptime as root immediately after.
> 
> $ man localtime
> 
> specifically, you need to copy /etc/localtime into the chroot.

Hrm, lemme rephrase.  Within the chroot, reading /etc/localtime should
give you the contents of your local time zone file.  Outside the chroot,
it's normally a symlink into /usr/share/zoneinfo/.

/Alexander



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Alexander Hall
On Sun, Sep 25, 2016 at 11:12:56PM +0300, Kihaguru Gathura wrote:

> B: Section 4 below: Why does running uptime program under chroot yield time
> that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> running uptime as root immediately after.

$ man localtime

specifically, you need to copy /etc/localtime into the chroot.

/Alexander



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Kihaguru Gathura
Thank you for ongoing suggestions. The web server in use is OpenBSD httpd
and on a private network environment in perspective of security concerns.

Kind regards,

Kihaguru.

On Sun, Sep 25, 2016 at 11:57 PM, Alceu Rodrigues de Freitas Junior <
glasswal...@yahoo.com.br> wrote:

> On 25-09-2016 17:49, Alceu Rodrigues de Freitas Junior wrote:
>
>>
>> Last, but not least... not sure why C is your language of choice for CGI.
>>
>>
> And looks like you're reinventing the wheel:
> https://httpd.apache.org/docs/2.4/mod/mod_status.html



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Alceu Rodrigues de Freitas Junior

On 25-09-2016 17:49, Alceu Rodrigues de Freitas Junior wrote:

> Last, but not least... not sure why C is your language of choice for CGI.



And looks like you're reinventing the wheel: 
https://httpd.apache.org/docs/2.4/mod/mod_status.html




Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Raul Miller
A simple workaround might be to create a cron script which writes
uptime to a file once a minute.

If that is inadequate, it's probably worth getting into what problem
you are trying to solve.

I hope this helps,

-- 
Raul


On Sun, Sep 25, 2016 at 4:12 PM, Kihaguru Gathura
 wrote:
> Hi All,
>
> I have a small problem here. I am unable to display uptime online.
>
>
> THE PROBLEM:
>
> A: Section 6 below: Why is the system uptime string not displayed when the
> cgi script is run under chroot?
>
> B: Section 4 below: Why does running uptime program under chroot yield time
> that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> running uptime as root immediately after.
>
>
>
> 1: OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016
> 
>
>
>
> 2: DIRECTORY PERMISSIONS THE DEFAULT
>
> *
> # cd /var/www
> # ls -l
> total 40
> drwxr-xr-x  2 root  daemon  512 Feb 26  2016 bin
> drwx-----T  2 www   daemon  512 Feb 26  2016 cache
> drwxr-xr-x  3 root  daemon  512 Sep 25 21:08 cgi-bin
> drwxr-xr-x  2 root  daemon  512 Aug 16 13:45 conf
> drwxr-xr-x  4 root  daemon  512 Aug 31 10:48 htdocs
> -rw-------  1 www   daemon   69 Aug 27 08:15 htpasswd
> drwxr-xr-x  2 root  daemon  512 Sep 25 00:00 logs
> drwxr-xr-x  2 root  daemon  512 Sep 24 09:44 run
> drwxr-xr-x  5 root  daemon  512 Sep 21 16:38 usr
> drwxr-xr-x  3 root  daemon  512 Sep 24 00:28 var
> #
> **
>
>
>
> 3: A CGI PROGRAM NAMED MYUPTIMER THAT SHOULD DISPLAY SYSTEM UPTIME.
>
> **
> # vi /var/www/cgi-bin/myuptimer.c
> #include <stdio.h>   /* printf, fflush */
> #include <stdlib.h>  /* system */
>
> int main(void)
> {
> printf("Content-Type: text/plain;charset=us-ascii\n\n");
> fflush(stdout);
> system("/usr/bin/uptime");
> fflush(stdout);
>
>   return 0;
> }
>
> **
>
>
>
> 4: INSTALLING AND TESTING UPTIME PROGRAM UNDER CHROOT
>
> 
> # cp /usr/bin/uptime  /var/www/usr/bin
> # cp /usr/lib/libkvm.so.16.1  /var/www/usr/lib
> # cp /usr/lib/libc.so.84.2  /var/www/usr/lib
> # cp /usr/libexec/ld.so  /var/www/usr/libexec
> # cp /var/run/utmp  /var/www/var/run
> #
> # chroot -u www /var/www uptime
>  6:54PM   up  1  day,  12:09, 2 users, load averages: 0.11, 0.13, 0.18
> #
> # uptime
>  9:54PM   up  1  day,  12:09, 1 user, load average: 0.11, 0.12, 0.13
> *
>
>
>
> 5: RUNNING MYUPTIMER CGI PROGRAM  AS ROOT YIELDS GOOD RESULT
>
> **
> # /var/www/cgi-bin/myuptimer.cgi
> Content-Type: text/plain;charset=us-ascii
>
>  9:54PM   up  1  day, 12:10, 1 user, load averages: 0.10, 0.12, 0.17
> ***
>
>
>
> 6: HOWEVER RUNNING MYUPTIMER CGI PROGRAM UNDER CHROOT NOT SO:
> DISPLAYS OTHER TEXT BUT THE UPTIME STRING IS NOT OUTPUT.
>
> **
> # chroot -u www /var/www /cgi-bin/myuptimer.cgi
> Content-Type: text/plain;charset=us-ascii
>
>
> ***
>
>
>
>
>
> Regards,
>
> Kihaguru.



Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

2016-09-25 Thread Alceu Rodrigues de Freitas Junior

On 25-09-2016 17:12, Kihaguru Gathura wrote:

> Hi All,
>
> I have a small problem here. I am unable to display uptime online.



Yes, you have a conceptual problem. You're doing a CGI that executes a
binary. If, for any reason, /usr/bin/uptime is replaced with a malicious
program, you're in trouble.


I don't even know the details of chroot in OpenBSD, but an educated guess
is that in such an environment you can't have access to some resources
uptime needs, that's why you can do it with root.


Since you're already dealing with C code, I recommend checking the
uptime source code to see what it does. Anyway, system() under a CGI
environment will create a second (short lived) process that you can
avoid if you reproduce what uptime code does in your CGI.


Also, I'm not a C programmer, but I guess somewhere there is a library
you can include in your CGI instead of doing system().


Last, but not least... not sure why C is your language of choice for CGI.
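
Added example (not code from the thread or from any poster): a version of the CGI program that follows the advice above to avoid system(), so the chroot needs neither /bin/sh nor a copy of /usr/bin/uptime with its libkvm and utmp dependencies. It assumes clock_gettime() with CLOCK_BOOTTIME (falling back to CLOCK_MONOTONIC) and getloadavg(); the helper names boot_seconds and format_uptime are made up for illustration, and the wall-clock time is left out so /etc/localtime is not needed either.

```c
/* Added example: uptime CGI without system() or an external binary. */
#define _DEFAULT_SOURCE          /* glibc: expose getloadavg(); no effect elsewhere */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Seconds since boot, or -1 on error. Assumption: CLOCK_BOOTTIME where the
 * platform defines it, CLOCK_MONOTONIC otherwise. */
static long boot_seconds(void)
{
    struct timespec ts;
#ifdef CLOCK_BOOTTIME
    clockid_t id = CLOCK_BOOTTIME;
#else
    clockid_t id = CLOCK_MONOTONIC;
#endif
    if (clock_gettime(id, &ts) != 0)
        return -1;
    return (long)ts.tv_sec;
}

/* Render "up D day(s), H:MM" (or "up H:MM") into buf; returns snprintf's result. */
static int format_uptime(long secs, char *buf, size_t len)
{
    long days = secs / 86400;
    long hours = (secs % 86400) / 3600;
    long mins = (secs % 3600) / 60;

    if (days > 0)
        return snprintf(buf, len, "up %ld day%s, %ld:%02ld",
                        days, days == 1 ? "" : "s", hours, mins);
    return snprintf(buf, len, "up %ld:%02ld", hours, mins);
}

int main(void)
{
    char line[64];
    double load[3];
    long secs = boot_seconds();

    if (secs < 0 || getloadavg(load, 3) != 3) {
        /* Fail closed with a CGI error status instead of partial output. */
        printf("Status: 500 Internal Server Error\n"
               "Content-Type: text/plain\n\nuptime unavailable\n");
        return 1;
    }
    format_uptime(secs, line, sizeof(line));
    printf("Content-Type: text/plain;charset=us-ascii\n\n");
    printf("%s, load averages: %.2f, %.2f, %.2f\n", line, load[0], load[1], load[2]);
    return 0;
}
```

Linking it statically (cc -static) also removes the need to copy ld.so and libc into the chroot.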