Displaying System Uptime via CGI script: not displayed when script is run under chroot.


Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Kihaguru Gathura
Hi All,

I have a small problem here. I am unable to display uptime online.


THE PROBLEM:

A: Section 6 below: Why is the system uptime string not displayed when the
cgi script is run under chroot?

B: Section 4 below: Why does running the uptime program under chroot yield a
time that is not accurate? It printed 6:54PM, while the actual time was 9:54PM
as printed by running uptime as root immediately after.



1: OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016
****************************************************************************************



2: DIRECTORY PERMISSIONS (THE DEFAULT)

*****************************************************************************************
# cd /var/www
# ls -l
total 40
drwxr-xr-x  2 root  daemon  512 Feb 26  2016 bin
drwx-----T  2 www   daemon  512 Feb 26  2016 cache
drwxr-xr-x  3 root  daemon  512 Sep 25 21:08 cgi-bin
drwxr-xr-x  2 root  daemon  512 Aug 16 13:45 conf
drwxr-xr-x  4 root  daemon  512 Aug 31 10:48 htdocs
-rw-------  1 www   daemon   69 Aug 27 08:15 htpasswd
drwxr-xr-x  2 root  daemon  512 Sep 25 00:00 logs
drwxr-xr-x  2 root  daemon  512 Sep 24 09:44 run
drwxr-xr-x  5 root  daemon  512 Sep 21 16:38 usr
drwxr-xr-x  3 root  daemon  512 Sep 24 00:28 var
#
******************************************************************************************



3: A CGI PROGRAM NAMED MYUPTIMER THAT SHOULD DISPLAY SYSTEM UPTIME.

******************************************************************************************
# vi /var/www/cgi-bin/myuptimer.c
#include <stdio.h>
#include <stdlib.h>     /* system() */

int main(void)
{
        /* CGI header, followed by the blank line that ends the headers */
        printf("Content-Type: text/plain;charset=us-ascii\n\n");
        fflush(stdout); /* flush before the child writes to the same stdout */
        /* system() hands the command to /bin/sh, so the shell must exist
         * inside the chroot as well as the uptime binary and its libraries */
        system("/usr/bin/uptime");
        fflush(stdout);

        return 0;
}

******************************************************************************************



4: INSTALLING AND TESTING UPTIME PROGRAM UNDER CHROOT

********************************************************************************************
# cp /usr/bin/uptime  /var/www/usr/bin
# cp /usr/lib/libkvm.so.16.1  /var/www/usr/lib
# cp /usr/lib/libc.so.84.2  /var/www/usr/lib
# cp /usr/libexec/ld.so  /var/www/usr/libexec
# cp /var/run/utmp  /var/www/var/run
#
# chroot -u www /var/www uptime
 6:54PM   up  1  day,  12:09, 2 users, load averages: 0.11, 0.13, 0.18
#
# uptime
 9:54PM   up  1  day,  12:09, 1 user, load average: 0.11, 0.12, 0.13
*********************************************************************************************



5: RUNNING MYUPTIMER CGI PROGRAM  AS ROOT YIELDS GOOD RESULT

******************************************************************************************
# /var/www/cgi-bin/myuptimer.cgi
Content-Type: text/plain;charset=us-ascii

 9:54PM   up  1  day, 12:10, 1 user, load averages: 0.10, 0.12, 0.17
*******************************************************************************************



6: HOWEVER RUNNING MYUPTIMER CGI PROGRAM UNDER CHROOT NOT SO:
    DISPLAYS OTHER TEXT BUT THE UPTIME STRING IS NOT OUTPUT.

******************************************************************************************
# chroot -u www /var/www /cgi-bin/myuptimer.cgi
Content-Type: text/plain;charset=us-ascii


*******************************************************************************************





Regards,

Kihaguru.


Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Alceu R. de Freitas Jr.
Em 25-09-2016 17:12, Kihaguru Gathura escreveu:
> Hi All,
>
> I have a small problem here. I am unable to display uptime online.
>

Yes, you have a conceptual problem. You're doing a CGI that executes a
binary. If, for any reason, /usr/bin/uptime is replaced with a malicious
program, you're in trouble.

I don't even know the details of chroot on OpenBSD, but an educated guess
is that in such an environment you can't have access to some resources
uptime needs; that's why you can do it with root.

Since you're already dealing with C code, I recommend checking the
uptime source code and seeing what it does. Anyway, system() under a CGI
environment will create a second (short-lived) process that you can
avoid if you reproduce what the uptime code does in your CGI.

Also, I'm not a C programmer, but I guess somewhere there is a library
you can include in your CGI instead of doing system().

Last, but not least... not sure why C is your language of choice for CGI.


Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Raul Miller
In reply to this post by Kihaguru Gathura
A simple workaround might be to create a cron script which writes
uptime to a file once a minute.

If that is inadequate, it's probably worth getting into what problem
you are trying to solve.

I hope this helps,

--
Raul


On Sun, Sep 25, 2016 at 4:12 PM, Kihaguru Gathura
<[hidden email]> wrote:

> Hi All,
>
> I have a small problem here. I am unable to display uptime online.
>
>
> THE PROBLEM:
>
> A: Section 6 below: Why is the system uptime string not displayed when the
> cgi script is run under chroot?
>
> B: Section 4 below: Why does running uptime program under chroot yield time
> that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> running uptime as root immediately after.
>
>
>
> 1: OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016
> ****************************************************************************************
>
>
>
> 2: DIRECTORY PERMISSIONS THE DEFAULT
>
> *****************************************************************************************
> # cd /var/www
> # ls -l
> total 40
> drwxr-xr-x  2 root  daemon  512 Feb 26  2016 bin
> drwx-----T  2 www   daemon  512 Feb 26  2016 cache
> drwxr-xr-x  3 root  daemon  512 Sep 25 21:08 cgi-bin
> drwxr-xr-x  2 root  daemon  512 Aug 16 13:45 conf
> drwxr-xr-x  4 root  daemon  512 Aug 31 10:48 htdocs
> -rw-------  1 www   daemon   69 Aug 27 08:15 htpasswd
> drwxr-xr-x  2 root  daemon  512 Sep 25 00:00 logs
> drwxr-xr-x  2 root  daemon  512 Sep 24 09:44 run
> drwxr-xr-x  5 root  daemon  512 Sep 21 16:38 usr
> drwxr-xr-x  3 root  daemon  512 Sep 24 00:28 var
> #
> ******************************************************************************************
>
>
>
> 3: A CGI PROGRAM NAMED MYUPTIMER THAT SHOULD DISPLAY SYSTEM UPTIME.
>
> ******************************************************************************************
> # vi /var/www/cgi-bin/myuptimer.c
> #include <stdio.h>
>
> int main(void)
> {
>         printf("Content-Type: text/plain;charset=us-ascii\n\n");
>         fflush(stdout);
>         system("/usr/bin/uptime");
>         fflush(stdout);
>
>   return 0;
> }
>
> ******************************************************************************************
>
>
>
> 4: INSTALLING AND TESTING UPTIME PROGRAM UNDER CHROOT
>
> ********************************************************************************************
> # cp /usr/bin/uptime  /var/www/usr/bin
> # cp /usr/lib/libkvm.so.16.1  /var/www/usr/lib
> # cp /usr/lib/libc.so.84.2  /var/www/usr/lib
> # cp /usr/libexec/ld.so  /var/www/usr/libexec
> # cp /var/run/utmp  /var/www/var/run
> #
> # chroot -u www /var/www uptime
>  6:54PM   up  1  day,  12:09, 2 users, load averages: 0.11, 0.13, 0.18
> #
> # uptime
>  9:54PM   up  1  day,  12:09, 1 user, load average: 0.11, 0.12, 0.13
> *********************************************************************************************
>
>
>
> 5: RUNNING MYUPTIMER CGI PROGRAM  AS ROOT YIELDS GOOD RESULT
>
> ******************************************************************************************
> # /var/www/cgi-bin/myuptimer.cgi
> Content-Type: text/plain;charset=us-ascii
>
>  9:54PM   up  1  day, 12:10, 1 user, load averages: 0.10, 0.12, 0.17
> *******************************************************************************************
>
>
>
> 6: HOWEVER RUNNING MYUPTIMER CGI PROGRAM UNDER CHROOT NOT SO:
>     DISPLAYS OTHER TEXT BUT THE UPTIME STRING IS NOT OUTPUT.
>
> ******************************************************************************************
> # chroot -u www /var/www /cgi-bin/myuptimer.cgi
> Content-Type: text/plain;charset=us-ascii
>
>
> *******************************************************************************************
>
>
>
>
>
> Regards,
>
> Kihaguru.
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> ~
> /var/www/cgi-bin/uptimer.c: unmodified: line 1


Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Alceu R. de Freitas Jr.
In reply to this post by Alceu R. de Freitas Jr.
Em 25-09-2016 17:49, Alceu Rodrigues de Freitas Junior escreveu:
>
> Last, but not least... not sure why C is your language of choice for CGI.
>

And looks like you're reinventing the wheel:
https://httpd.apache.org/docs/2.4/mod/mod_status.html


Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Kihaguru Gathura
Thank you for the ongoing suggestions. The web server in use is OpenBSD httpd,
on a private network environment, with security concerns in mind.

Kind regards,

Kihaguru.

On Sun, Sep 25, 2016 at 11:57 PM, Alceu Rodrigues de Freitas Junior <
[hidden email]> wrote:

> Em 25-09-2016 17:49, Alceu Rodrigues de Freitas Junior escreveu:
>
>>
>> Last, but not least... not sure why C is your language of choice for CGI.
>>
>>
> And looks like you're reinventing the wheel:
> https://httpd.apache.org/docs/2.4/mod/mod_status.html


Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Alexander Hall
In reply to this post by Kihaguru Gathura
On Sun, Sep 25, 2016 at 11:12:56PM +0300, Kihaguru Gathura wrote:

> B: Section 4 below: Why does running uptime program under chroot yield time
> that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> running uptime as root immediately after.

$ man localtime

specifically, you need to copy /etc/localtime into the chroot.

/Alexander


Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Alexander Hall
On Sun, Sep 25, 2016 at 11:29:46PM +0200, Alexander Hall wrote:
> On Sun, Sep 25, 2016 at 11:12:56PM +0300, Kihaguru Gathura wrote:
>
> > B: Section 4 below: Why does running uptime program under chroot yield time
> > that is not accurate? 6:54PM while the actual time was 9:54PM produced by
> > running uptime as root immediately after.
>
> $ man localtime
>
> specifically, you need to copy /etc/localtime into the chroot.

Hrm, lemme rephrase.  Within the chroot, reading /etc/localtime should
give you the contents of your local time zone file.  Outside the chroot,
it's normally a symlink into /usr/share/zoneinfo/<your_timezone_here>.

/Alexander


Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Stuart Henderson
In reply to this post by Kihaguru Gathura
On 2016-09-25, Kihaguru Gathura <[hidden email]> wrote:
> Thank you for ongoing suggestions, The web server in use is OpenBSD httpd
> and on a private network environment in perspective of security concerns.

Raul's suggestion, "A simple workaround might be to create a cron script
which writes uptime to a file once a minute", seems far saner from a
security point of view than letting anyone who can hit port 80 execute
a program.


Re: Displaying System Uptime via CGI script: not displayed when script is run under chroot.

Kihaguru Gathura
And finally,

Conclusion.

(A: Section 6 below: Why is the system uptime string not displayed when the
cgi script is run under chroot?)

/bin/sh is needed in the chroot for command interpretation, since system()
runs the command through the shell.


(B: Section 4 below: Why does running the uptime program under chroot yield a
time that is not accurate? 6:54PM while the actual time was 9:54PM produced by
running uptime as root immediately after.)

/etc/localtime is needed in the chroot for correct local time. (by Alexander)

/********************************************************/
# chroot -u www /var/www /cgi-bin/myuptimer.cgi
Content-Type: text/plain;charset=us-ascii

 1:31PM   up   3:24, 1 user, load averages: 0.06, 0.08, 0.08
/********************************************************/

However, the cron script workaround (by Raul) should be adopted for
security reasons as suggested unanimously.

Thanks to all.

Kihaguru


On Mon, Sep 26, 2016 at 7:19 PM, Stuart Henderson <[hidden email]>
wrote:

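As an added example (not code from this thread), here is a version of the CGI that follows Alceu's suggestion of reproducing what uptime does in-process: on OpenBSD it reads the boot time with sysctl KERN_BOOTTIME, which is what uptime(1) uses, so no /bin/sh, uptime binary or libkvm has to be copied into the chroot, and the only remaining chroot dependency is /etc/localtime for the clock. The /proc/uptime fallback for other systems and the exact uptime(1)-style formatting are my assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef __OpenBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#include <sys/time.h>
#endif
/* Seconds since boot. OpenBSD: KERN_BOOTTIME via sysctl, as uptime(1) does;
 * elsewhere (portability assumption) the first field of /proc/uptime. */
static long uptime_seconds(void)
{
#ifdef __OpenBSD__
    struct timeval boottime;
    int mib[2] = { CTL_KERN, KERN_BOOTTIME };
    size_t len = sizeof(boottime);
    if (sysctl(mib, 2, &boottime, &len, NULL, 0) == -1)
        return -1;
    return (long)(time(NULL) - boottime.tv_sec);
#else
    double up;
    FILE *f = fopen("/proc/uptime", "r");
    int ok = f != NULL && fscanf(f, "%lf", &up) == 1;
    if (f != NULL) fclose(f);
    return ok ? (long)up : -1;
#endif
}

/* Render like uptime(1): "1 day, 12:09", "2 days, 0:05" or "3:24" (< 1 day). */
static int format_uptime(long secs, char *buf, size_t buflen)
{
    if (secs < 0)
        return -1;
    long days = secs / 86400, hours = secs % 86400 / 3600, mins = secs % 3600 / 60;
    if (days > 0)
        return snprintf(buf, buflen, "%ld day%s, %ld:%02ld", days, days == 1 ? "" : "s", hours, mins);
    return snprintf(buf, buflen, "%ld:%02ld", hours, mins);
}

int main(void)
{
    char up[64], clock[16]; time_t now = time(NULL);
    /* CGI header first, then the body; no child process, no shell involved */
    printf("Content-Type: text/plain;charset=us-ascii\n\n");
    if (format_uptime(uptime_seconds(), up, sizeof up) < 0) return 1;
    struct tm *tm = localtime(&now);   /* reads /etc/localtime: copy it into the chroot */
    strftime(clock, sizeof clock, "%l:%M%p", tm);
    printf("%s  up %s\n", clock, up);
    return 0;
}
```

Compile it with cc -o /var/www/cgi-bin/myuptimer.cgi myuptimer.c and run it with chroot -u www /var/www /cgi-bin/myuptimer.cgi as in section 6; without /etc/localtime in the chroot the clock falls back to UTC, which is the 3-hour offset seen in section 4.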