Hiawatha and OpenBSD


Hiawatha and OpenBSD

Marco Spiga-2
###############################################################################
Package Information for hiawatha-6.11.tgz (alpha)

   [ FTP 1 ] [ FTP 2 ] [ Package Contents ]
     __________________________________________________________________

Hiawatha is a webserver that has been written with 'being secure' as its
main goal.  Hiawatha has many security features that no other webserver
has.
Hiawatha does not have all the fancy features, but it is fast and really
easy to configure.  Rootjail, run CGIs under any uid/gid you want,
prevention of SQL injection and cross-site scripting, banning of clients
who try such exploits and many other features make it an interesting
webserver for those who need more security than what others are
offering (please note that while the author claims it's secure, this
software has not been audited by the OpenBSD team).

Maintainer: The OpenBSD ports mailing-list <[hidden email]>

###############################################################################

Hi.

Is there anyone of you who has really tested cgi-wrapper on
OpenBSD 4.5?
Who is the REAL MAINTAINER?

Please help me.

Marco
--
                                !!!!! Messaggio da Marco !!!!!


Re: Hiawatha and OpenBSD

Antoine Jacoutot-7
On Mon, 21 Sep 2009, Marco Spiga wrote:

> ###############################################################################
> Package Information for hiawatha-6.11.tgz (alpha)
>
>    [ FTP 1 ] [ FTP 2 ] [ Package Contents ]
>      __________________________________________________________________
>
> Hiawatha is a webserver that has been written with 'being secure' as its
> main goal.  Hiawatha has many security features that no other webserver
> has.
> Hiawatha does not have all the fancy features, but it is fast and really
> easy to configure.  Rootjail, run CGIs under any uid/gid you want,
> prevention of SQL injection and cross-site scripting, banning of clients
> who try such exploits and many other features make it an interesting
> webserver for those who need more security than what others are
> offering (please note that while the author claims it's secure, this
> software has not been audited by the OpenBSD team).
>
> Maintainer: The OpenBSD ports mailing-list <[hidden email]>
>
> ###############################################################################
>
> Hi.
>
> Is there anyone of you who has really tested cgi-wrapper on
> OpenBSD 4.5?
> Who is the REAL MAINTAINER?

Dude, I already answered to you.
I am looking into this but I'm not at your disposal. If you want
commercial support, then pay for it and it'll go faster.

Heck now I don't even want to look into this anymore at all...

--
Antoine


Re: Hiawatha and OpenBSD

Stuart Henderson-6
In reply to this post by Marco Spiga-2
On 2009/09/21 16:51, Marco Spiga wrote:
> Package Information for hiawatha-6.11.tgz (alpha)
[..]
>
> Maintainer: The OpenBSD ports mailing-list <[hidden email]>
>
> ###############################################################################
>
> Hi.
>
> Is there anyone of you who has really tested cgi-wrapper on
> OpenBSD 4.5?

No idea..

> Who is the REAL MAINTAINER?

Nobody at the moment.

I've just tried a simple setup with this on -current and it doesn't seem
to call cgi-wrapper at all. But I don't know this software so I'm not sure
if I've correctly configured it.

$ ls -ul /usr/local/sbin/cgi-wrapper  
-r-sr-xr-x  1 root  bin  24616 Sep 21 16:16 /usr/local/sbin/cgi-wrapper

...make a request...

$ ls -ul /usr/local/sbin/cgi-wrapper  
-r-sr-xr-x  1 root  bin  24616 Sep 21 16:16 /usr/local/sbin/cgi-wrapper

So, no change in access time, this program wasn't run. (Also confirmed
with ktrace -ip `cat /var/run/hiawatha.pid`, <make req>, ktrace -C,
kdump | grep cgi-wrapper).

From the forum posts about this;
http://www.hiawatha-webserver.org/forum/topic/286

Hugo Leisink 13 September 2009, 10:33
>>I tried to run OpenBSD 4.5 a VMware environment, but all it does is
>>crash or hang with 100% CPU usage.

I've run most recent versions of OpenBSD under ESXi, certainly including
4.5, with no problems at all. (I wouldn't use it in production but it's
a handy test environment). I'm also certain there are people running it
under VMware Fusion.

>>                                   If OpenBSD is this unstable, it's not
>>hard to guess why cgi-wrapper won't run....

This seems a bit unprofessional if you ask me.

Hugo Leisink 15 September 2009, 08:21
>>I tried OpenBSD in VirtualBox, but it also crashes. This time, it even
>>crashed during installation! You can see a crash screenshot here.

There have been long-standing bugs in VirtualBox which OpenBSD bumps
into. If OpenBSD hits these, some other software is likely to too,
I would rather know the emulation is buggy up-front so I can avoid it,
rather than try and hide it in the software that demonstrates the bugs...
 http://www.virtualbox.org/ticket/639


Re: Hiawatha and OpenBSD

Antoine Jacoutot-7
In reply to this post by Antoine Jacoutot-7
On Mon, 21 Sep 2009, Antoine Jacoutot wrote:
> > OpenBSD 4.5?
> > Who is the REAL MAINTAINER?
>
> Dude, I already answered to you.
> I am looking into this but I'm not at your disposal. If you want
> commercial support, then pay for it and it'll go faster.
>
> Heck now I don't even want to look into this anymore at all...

Ok, I've tried a perl cgi program with hiawatha, running as an
unprivileged user with success.
I don't know where your issue comes from, maybe your cgi script has some
linuxism, no idea.

Anyway, I'll update the port today, maybe it'll help you.

--
Antoine


Re: Hiawatha and OpenBSD

Marco Spiga-2
On Tue, Sep 22, 2009 at 10:58:16AM +0200, Antoine Jacoutot wrote:

> Date: Tue, 22 Sep 2009 10:58:16 +0200 (CEST)
> From: Antoine Jacoutot <[hidden email]>
> Subject: Re: Hiawatha and OpenBSD
> To: Marco Spiga <[hidden email]>
> cc: [hidden email]
>
> On Mon, 21 Sep 2009, Antoine Jacoutot wrote:
> > > OpenBSD 4.5?
> > > Who is the REAL MAINTAINER?
> >
> > Dude, I already answered to you.
> > I am looking into this but I'm not at your disposal. If you want
> > commercial support, then pay for it and it'll go faster.
I apologize if I've axles you!
> >
> > Heck now I don't even want to look into this anymore at all...
>
> Ok, I've tried a perl cgi program with hiawatha, running as an
> unprivileged user with success.
If I have understood, you have hiawatha that works with uid/gid (for example)
'_hiawatha:_hiawatha' and your perl script setup with permission like:
-rwxr-x--- 1 user virtservuser /var/pathofyourperlscript/script.pl ??????

Very good!
> I don't know where your issue comes from, maybe your cgi script has some
> linuxism, no idea.
If your perl script works fine, can you please send it to me?
>
> Anyway, I'll update the port today, maybe it'll help you.
Thank you.

I try it.
>
> --
> Antoine

Bye!

Marco


Re: Hiawatha and OpenBSD

Antoine Jacoutot-7
On Tue, 22 Sep 2009, Marco Spiga wrote:
> If I have understood, you have hiawatha that works with uid/gid (for example)
> '_hiawatha:_hiawatha' and your perl script setup with permission like:
> -rwxr-x--- 1 user virtservuser /var/pathofyourperlscript/script.pl ??????

yes.


--
Antoine


Re: Hiawatha and OpenBSD

Marco Spiga-2
In reply to this post by Stuart Henderson-6
On Mon, Sep 21, 2009 at 04:59:46PM +0100, Stuart Henderson wrote:

> Date: Mon, 21 Sep 2009 16:59:46 +0100
> From: Stuart Henderson <[hidden email]>
> Subject: Re: Hiawatha and OpenBSD
> To: Marco Spiga <[hidden email]>
> Cc: [hidden email]
> Mail-Followup-To: Marco Spiga <[hidden email]>, [hidden email]
>
> On 2009/09/21 16:51, Marco Spiga wrote:
> > Package Information for hiawatha-6.11.tgz (alpha)
> [..]
> >
> > Maintainer: The OpenBSD ports mailing-list <[hidden email]>
> >
> > ###############################################################################
> >
> > Hi.
> >
> > Is there anyone of you who has really tested cgi-wrapper on
> > OpenBSD 4.5?
>
> No idea..
>
> > Who is the REAL MAINTAINER?
>
> Nobody at the moment.

Ok Stuart :-(

>
> I've just tried a simple setup with this on -current and it doesn't seem
> to call cgi-wrapper at all. But I don't know this software so I'm not sure
> if I've correctly configured it.
*** If you want, I can give you a very small and simple configuration
(hiawatha.conf and cgi.wrapper) and a very small perl script that works fine
under linux (debian lenny under very small monolithic kernel 2.6.30.5)

>
> $ ls -ul /usr/local/sbin/cgi-wrapper  
> -r-sr-xr-x  1 root  bin  24616 Sep 21 16:16 /usr/local/sbin/cgi-wrapper
>
> ...make a request...
>
> $ ls -ul /usr/local/sbin/cgi-wrapper  
> -r-sr-xr-x  1 root  bin  24616 Sep 21 16:16 /usr/local/sbin/cgi-wrapper
>
> So, no change in access time, this program wasn't run. (Also confirmed
> with ktrace -ip `cat /var/run/hiawatha.pid`, <make req>, ktrace -C,
> kdump | grep cgi-wrapper).
>
> From the forum posts about this;
> http://www.hiawatha-webserver.org/forum/topic/286
>
> Hugo Leisink 13 September 2009, 10:33
> >>I tried to run OpenBSD 4.5 a VMware environment, but all it does is
> >>crash or hang with 100% CPU usage.
>
> I've run most recent versions of OpenBSD under ESXi, certainly including
> 4.5, with no problems at all. (I wouldn't use it in production but it's
> a handy test environment). I'm also certain there are people running it
> under VMware Fusion.
>
> >>                                   If OpenBSD is this unstable, it's not
> >>hard to guess why cgi-wrapper won't run....
>
> This seems a bit unprofessional if you ask me.
Personally I think it is many times better to shut up and give the impression of
being an idiot than to speak and remove all doubt....

I do not think (I hope not) that Hugo have written him with bad intentions
and I must admit that I always helped where he could!

I hope only that the two plans on what marked to security can coexist together.

...... also for the good of open source.

in over twenty years working in telecommunications I have learned a little, but that little I understood that it is not expedient lost in discussions without point of no return!

I've already written too ;-)


>
> Hugo Leisink 15 September 2009, 08:21
> >>I tried OpenBSD in VirtualBox, but it also crashes. This time, it even
> >>crashed during installation! You can see a crash screenshot here.
>
> There have been long-standing bugs in VirtualBox which OpenBSD bumps
> into. If OpenBSD hits these, some other software is likely to too,
> I would rather know the emulation is buggy up-front so I can avoid it,
> rather than try and hide it in the software that demonstrates the bugs...
>  http://www.virtualbox.org/ticket/639

I prefer to work without virtual machines ;-)

Thanks for your clear and polite response, Stuart.


*** Contact me at my mail address if you want the configuration files.


I am sorry for my bad English (Fortunately there is google translate)


--
                                !!!!! Messaggio da Marco !!!!!


Re: Hiawatha and OpenBSD

Marco Spiga-2
In reply to this post by Antoine Jacoutot-7
On Tue, Sep 22, 2009 at 05:24:28PM +0200, Antoine Jacoutot wrote:

> Date: Tue, 22 Sep 2009 17:24:28 +0200 (CEST)
> From: Antoine Jacoutot <[hidden email]>
> Subject: Re: Hiawatha and OpenBSD
> To: Marco Spiga <[hidden email]>
> cc: [hidden email]
>
> On Tue, 22 Sep 2009, Marco Spiga wrote:
> > If I have understood, you have hiawatha that works with uid/gid (for example)
> > '_hiawatha:_hiawatha' and your perl script setup with permission like:
> > -rwxr-x--- 1 user virtservuser /var/pathofyourperlscript/script.pl ??????
>
> yes.
>
>
> --
> Antoine

Ok Antoine

I try with trivial " rwxr-x--- 1 user virtservuser ...... printenv.cgi"

-- start of content:

#!/bin/sh

echo "Content-Type: text/plain"
echo "Hello World"
printenv
id

-- end of content

Do you think that will run this shell script under OpenBSD?


Many Thanks


--
                                !!!!! Messaggio da Marco !!!!!


Re: Hiawatha and OpenBSD

Matthew Weigel
Marco Spiga wrote:

> I try with trivial " rwxr-x--- 1 user virtservuser ...... printenv.cgi"
>
> -- start of content:
>
> #!/bin/sh
>
> echo "Content-Type: text/plain"
> echo "Hello World"
> printenv
> id
>
> -- end of content
>
> Do you think that will run this shell script under OpenBSD?

You'll need one more newline between "Content-Type: text/plain" and
"Hello World".
--
  Matthew Weigel
  hacker
  unique & idempot . ent
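
The point made in the reply above (a CGI response needs an empty line between its header fields and the body), as an added example that is not part of the original thread. The function names `posted_cgi`, `fixed_cgi` and `cgi_header_check` are hypothetical, and the two sample outputs are constructed from the script quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Output of the script as posted: header line followed directly by body text.
posted_cgi() {
    echo "Content-Type: text/plain"
    echo "Hello World"
    printenv
    id
}

# The same output with the extra newline from the reply.
fixed_cgi() {
    echo "Content-Type: text/plain"
    echo ""
    echo "Hello World"
    printenv
    id
}

# Read CGI output on stdin; succeed only if one or more "Name: value"
# header fields are followed by an empty line before any body text.
cgi_header_check() {
    awk '
        verdict { next }                       # decided; just drain the input
        { sub(/\r$/, "") }                     # accept CRLF line endings too
        $0 == "" { ended = 1; verdict = 1; next }
        /^[A-Za-z0-9-]+:/ { n++; next }        # a header field
        { bad = NR; verdict = 1 }              # body text inside the header block
        END {
            if (bad)    { print "line " bad ": body text before the empty line that ends the headers"; exit 1 }
            if (!ended) { print "no empty line after the header fields"; exit 1 }
            if (!n)     { print "empty line seen but no header fields before it"; exit 1 }
            print "ok: " n " header field(s), then an empty line"
        }
    '
}

posted_cgi | cgi_header_check || true   # reports line 2
fixed_cgi  | cgi_header_check           # ok: 1 header field(s), then an empty line
```

Piping a CGI program's real output through `cgi_header_check` from a shell separates a malformed response from a wrapper or permission problem before the web server is involved.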


Re: Hiawatha and OpenBSD

Marco Spiga-2
On Tue, Sep 22, 2009 at 01:46:16PM -0500, Matthew Weigel wrote:

> Date: Tue, 22 Sep 2009 13:46:16 -0500
> From: Matthew Weigel <[hidden email]>
> Subject: Re: Hiawatha and OpenBSD
> To: [hidden email]
>
> Marco Spiga wrote:
>
>> I try with trivial " rwxr-x--- 1 user virtservuser ...... printenv.cgi"
>>
>> -- start of content:
>>
>> #!/bin/sh
>>
>> echo "Content-Type: text/plain"
>> echo "Hello World"
>> printenv
>> id
>>
>> -- end of content
>>
>> Do you think that will run this shell script under OpenBSD?
>
> You'll need one more newline between "Content-Type: text/plain" and  
> "Hello World".
> --
>  Matthew Weigel
>  hacker
>  unique & idempot . ent

Thanks for your response Matthew

I have tried it.

The real problem is that Hiawatha and OpenBSD not be precisely agree.

I have already used openbsd with small projects (firewall for dmz, djbdns, radius etc...).

I have spent many days of work to solve problem, and I really think actually
there is no solution to solve it (confirmed also by Stuart Henderson that it
appears me a person with really technical capacity and very friendly)

I am sorry to admit it but in this case ......
OpenBSD I need only to consume electricity.


Re: Hiawatha and OpenBSD

Stuart Henderson
On 2009/09/23 19:48, Marco Spiga wrote:
> I have spent many days of work to solve problem, and I really think actually
> there is no solution to solve it (confirmed also by Stuart Henderson that it
> appears me a person with really technical capacity and very friendly)

well, ajacoutot@ (who I think knows this software better than me, since
the only time I used it was to look at this) did get it to work, so it's
probably worth trying again...


Re: Hiawatha and OpenBSD

Marco Spiga-2
On Wed, Sep 23, 2009 at 07:17:48PM +0100, Stuart Henderson wrote:

> Date: Wed, 23 Sep 2009 19:17:48 +0100
> From: Stuart Henderson <[hidden email]>
> Subject: Re: Hiawatha and OpenBSD
> To: Marco Spiga <[hidden email]>
> Cc: ports <[hidden email]>
> Mail-Followup-To: Marco Spiga <[hidden email]>, ports <[hidden email]>
>
> On 2009/09/23 19:48, Marco Spiga wrote:
> > I have spent many days of work to solve problem, and I really think actually
> > there is no solution to solve it (confirmed also by Stuart Henderson that it
> > appears me a person with really technical capacity and very friendly)
>
> well, ajacoutot@ (who I think knows this software better than me, since
> the only time I used it was to look at this) did get it to work, so it's
> probably worth trying again...

Hi Stuart :-)

As you can see from previous mail, it have give me a replied telling that works
well..... :-|

#############################################################################
> On Tue, 22 Sep 2009, Marco Spiga wrote:
> If I have understood, you have hiawatha that works with uid/gid (for example)
> '_hiawatha:_hiawatha' and your perl script setup with permission like:
> -rwxr-x--- 1 user virtservuser /var/pathofyourperlscript/script.pl ??????

yes.


--
Antoine
##############################################################################

At this point, what can I do?
I have not requested help about the configuration of OpenBSD or of Hiawatha; I
have only posted a problem about an "anomaly" of a software package included in
OpenBSD.


--
                                !!!!! Messaggio da Marco !!!!!