Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.
And finally, Conclusion.

(A: Section 6 below: Why is the system uptime string not displayed when the cgi script is run under chroot?)
/bin/sh is needed at chroot for command interpretation.

(B: Section 4 below: Why does running uptime program under chroot yield time that is not accurate? 6:54PM while the actual time was 9:54PM produced by running uptime as root immediately after.)
/etc/localtime is needed at chroot for correct local time. (by Alexander)

//
# chroot -u www /var/www /cgi-bin/myuptimer.cgi
Content-Type: text/plain;charset=us-ascii

1:31PM up 3:24, 1 user, load averages: 0.06, 0.08, 0.08
//

However, the cron script workaround (by Raul) should be adopted for security reasons as suggested unanimously.

Thanks to all.

Kihaguru

On Mon, Sep 26, 2016 at 7:19 PM, Stuart Henderson wrote:
> On 2016-09-25, Kihaguru Gathura wrote:
> > Thank you for ongoing suggestions, The web server in use is OpenBSD httpd
> > and on a private network environment in perspective of security concerns.
>
> Raul's suggestion, "A simple workaround might be to create a cron script
> which writes uptime to a file once a minute", seems far saner from a
> security point of view than letting anyone who can hit port 80 execute
> a program.
Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.
On 2016-09-25, Kihaguru Gathura wrote:
> Thank you for ongoing suggestions, The web server in use is OpenBSD httpd
> and on a private network environment in perspective of security concerns.

Raul's suggestion, "A simple workaround might be to create a cron script which writes uptime to a file once a minute", seems far saner from a security point of view than letting anyone who can hit port 80 execute a program.
Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.
On Sun, Sep 25, 2016 at 11:29:46PM +0200, Alexander Hall wrote:
> On Sun, Sep 25, 2016 at 11:12:56PM +0300, Kihaguru Gathura wrote:
> >
> > B: Section 4 below: Why does running uptime program under chroot yield time
> > that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> > running uptime as root immediately after.
>
> $ man localtime
>
> specifically, you need to copy /etc/localtime into the chroot.

Hrm, lemme rephrase. Within the chroot, reading /etc/localtime should give you the contents of your local time zone file. Outside the chroot, it's normally a symlink into /usr/share/zoneinfo/.

/Alexander
Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.
On Sun, Sep 25, 2016 at 11:12:56PM +0300, Kihaguru Gathura wrote:
> B: Section 4 below: Why does running uptime program under chroot yield time
> that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> running uptime as root immediately after.

$ man localtime

specifically, you need to copy /etc/localtime into the chroot.

/Alexander
Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.
Thank you for ongoing suggestions, The web server in use is OpenBSD httpd and on a private network environment in perspective of security concerns.

Kind regards,

Kihaguru.

On Sun, Sep 25, 2016 at 11:57 PM, Alceu Rodrigues de Freitas Junior <glasswal...@yahoo.com.br> wrote:
> On 25-09-2016 17:49, Alceu Rodrigues de Freitas Junior wrote:
> >
> > Last, but not least... not sure why C is your language of choice for CGI.
> >
> And looks like you're reinventing the wheel:
> https://httpd.apache.org/docs/2.4/mod/mod_status.html
Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.
On 25-09-2016 17:49, Alceu Rodrigues de Freitas Junior wrote:
> Last, but not least... not sure why C is your language of choice for CGI.

And looks like you're reinventing the wheel:
https://httpd.apache.org/docs/2.4/mod/mod_status.html
Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.
A simple workaround might be to create a cron script which writes uptime to a file once a minute.

If that is inadequate, it's probably worth getting into what problem you are trying to solve.

I hope this helps,

--
Raul

On Sun, Sep 25, 2016 at 4:12 PM, Kihaguru Gathura wrote:
> Hi All,
>
> I have a small problem here. I am unable to display uptime online.
>
>
> THE PROBLEM:
>
> A: Section 6 below: Why is the system uptime string not displayed when the
> cgi script is run under chroot?
>
> B: Section 4 below: Why does running uptime program under chroot yield time
> that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> running uptime as root immediately after.
>
>
> 1: OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016
>
>
> 2: DIRECTORY PERMISSIONS THE DEFAULT
>
> *
> # cd /var/www
> # ls -l
> total 40
> drwxr-xr-x 2 root daemon 512 Feb 26 2016 bin
> drwx-T 2 www daemon 512 Feb 26 2016 cache
> drwxr-xr-x 3 root daemon 512 Sep 25 21:08 cgi-bin
> drwxr-xr-x 2 root daemon 512 Aug 16 13:45 conf
> drwxr-xr-x 4 root daemon 512 Aug 31 10:48 htdocs
> -rw--- 1 www daemon 69 Aug 27 08:15 htpasswd
> drwxr-xr-x 2 root daemon 512 Sep 25 00:00 logs
> drwxr-xr-x 2 root daemon 512 Sep 24 09:44 run
> drwxr-xr-x 5 root daemon 512 Sep 21 16:38 usr
> drwxr-xr-x 3 root daemon 512 Sep 24 00:28 var
> #
> **
>
>
> 3: A CGI PROGRAM NAMED MYUPTIMER THAT SHOULD DISPLAY SYSTEM UPTIME.
>
> **
> # vi /var/www/cgi-bin/myuptimer.c
> #include <stdio.h>   /* printf, fflush */
> #include <stdlib.h>  /* system */
>
> int main(void)
> {
>     printf("Content-Type: text/plain;charset=us-ascii\n\n");
>     fflush(stdout);
>     system("/usr/bin/uptime");
>     fflush(stdout);
>
>     return 0;
> }
>
> **
>
>
> 4: INSTALLING AND TESTING UPTIME PROGRAM UNDER CHROOT
>
> # cp /usr/bin/uptime /var/www/usr/bin
> # cp /usr/lib/libkvm.so.16.1 /var/www/usr/lib
> # cp /usr/lib/libc.so.84.2 /var/www/usr/lib
> # cp /usr/libexec/ld.so /var/www/usr/libexec
> # cp /var/run/utmp /var/www/var/run
> #
> # chroot -u www /var/www uptime
> 6:54PM up 1 day, 12:09, 2 users, load averages: 0.11, 0.13, 0.18
> #
> # uptime
> 9:54PM up 1 day, 12:09, 1 user, load average: 0.11, 0.12, 0.13
> *
>
>
> 5: RUNNING MYUPTIMER CGI PROGRAM AS ROOT YIELDS GOOD RESULT
>
> **
> # /var/www/cgi-bin/myuptimer.cgi
> Content-Type: text/plain;charset=us-ascii
>
> 9:54PM up 1 day, 12:10, 1 user, load averages: 0.10, 0.12, 0.17
> ***
>
>
> 6: HOWEVER RUNNING MYUPTIMER CGI PROGRAM UNDER CHROOT NOT SO:
> DISPLAYS OTHER TEXT BUT THE UPTIME STRING IS NOT OUTPUT.
>
> **
> # chroot -u www /var/www /cgi-bin/myuptimer.cgi
> Content-Type: text/plain;charset=us-ascii
>
>
> ***
>
>
> Regards,
>
> Kihaguru.
> /var/www/cgi-bin/uptimer.c: unmodified: line 1
Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.
On 25-09-2016 17:12, Kihaguru Gathura wrote:
> Hi All,
>
> I have a small problem here. I am unable to display uptime online.

Yes, you have a conceptual problem. You're doing a CGI that executes a binary. If, by any reason, /usr/bin/uptime is replaced with a malicious program, you're in trouble.

I don't even know the details of chroot OpenBSD, but an educated guess is that in such environment you can't have access to some resources uptime needs, that's why you can do it with root.

Since you're already dealing with C code, I recommended checking the uptime source code and see what it does. Anyway, system() under CGI environment will create a second (short lived) process that you can avoid if you reproduce what uptime code does in your CGI.

Also, I'm not a C programmer, but I guess somewhere there is a library you can include in your CGI instead of doing system().

Last, but not least... not sure why C is your language of choice for CGI.