NEW: www/hiawatha-5.4


NEW: www/hiawatha-5.4

Antoine Jacoutot
pkg/DESCR
Hiawatha is a secure webserver for Unix. It has been written with 'being
secure' as its main goal.  Hiawatha has many security features that no
other webserver has.
Hiawatha does not have all the fancy features, but it is very secure and
fast and is really easy to configure.  Rootjail, run CGIs under any
uid/gid you want, prevention of SQL injection and cross-site scripting,
banning of clients who try such exploits and many other features make
Hiawatha an interesting webserver for those who need more security than
what the other available webservers are offering.

Tested under i386, sparc64 and macppc.
comments? ok?

--
Antoine

Attachment: hiawatha.tar.gz (5K)

Re: NEW: www/hiawatha-5.4

Joachim Schipper
On Fri, Dec 29, 2006 at 07:30:12AM +0100, Antoine Jacoutot wrote:

> pkg/DESCR
> Hiawatha is a secure webserver for Unix. It has been written with 'being
> secure' as its main goal.  Hiawatha has many security features that no
> other webserver has.
> Hiawatha does not have all the fancy features, but it is very secure and
> fast and is really easy to configure.  Rootjail, run CGIs under any
> uid/gid you want, prevention of SQL injection and cross-site scripting,
> banning of clients who try such exploits and many other features make
> Hiawatha an interesting webserver for those who need more security than
> what the other available webservers are offering.
>
> Tested under i386, sparc64 and macppc.
> comments? ok?

I'll try to give it a spin tomorrow, but I find it hard to reconcile the
above with
http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
(Marc Espie (espie@) says he is 'shuddering about what a full scale
audit would reveal'). Even if you disagree with Marc, wouldn't it be a
good idea to have some warning somewhere - perhaps in a SECURITY file?

                Joachim


Re: NEW: www/hiawatha-5.4

Antoine Jacoutot
On Fri, 29 Dec 2006, Joachim Schipper wrote:
> I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> above with
> http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> (Marc Espie (espie@) says he is 'shuddering about what a full scale
> audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> good idea to have some warning somewhere - perhaps in a SECURITY file?

While I totally understand Marc's comment, he just wonders "what a full
scale audit would reveal"... maybe nothing!
By the way, this is true for other ports too.
For info, the daemon cannot be run as root. It is a small software so it
shouldn't be too hard to audit if people want to.

--
Antoine


Re: NEW: www/hiawatha-5.4

Joachim Schipper
On Sun, Dec 31, 2006 at 02:18:54PM +0100, Antoine Jacoutot wrote:

> On Fri, 29 Dec 2006, Joachim Schipper wrote:
> >I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> >above with
> >http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> >(Marc Espie (espie@) says he is 'shuddering about what a full scale
> >audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> >good idea to have some warning somewhere - perhaps in a SECURITY file?
>
> While I totally understand Marc's comment, he just wonders "what a full
> scale audit would reveal"... maybe nothing!
> By the way, this is true for other ports too.
> For info, the daemon cannot be run as root. It is a small software so it
> shouldn't be too hard to audit if people want to.

Oh, it's certainly not the only port with questionable security - but
remember that Ethereal was pulled from the tree explicitly for its lack
of security, and also note that something like php or ImageMagick -
which are useful, but not as secure as one might like - doesn't have a
MESSAGE boasting that it is the next big security revolution.

Also, sorry for the slow reaction on the first post - it got stuck on my
laptop, that'll teach me to mess around with Postfix without restoring
the settings later. And sorry for this slow message - I'd promised to
test it earlier, and it's already committed (it builds fine, FWIW).

                Joachim


Re: NEW: www/hiawatha-5.4

Antoine Jacoutot
On Sun, 31 Dec 2006, Joachim Schipper wrote:
> Oh, it's certainly not the only port with questionable security - but
> remember that Ethereal was pulled from the tree explicitly for its lack

Yes, but it was running as root IIRC.

> of security, and also note that something like php or ImageMagick -
> which are useful, but not as secure as one might like - doesn't have a
> MESSAGE boasting that it is the next big security revolution.

Exactly.

> Also, sorry for the slow reaction on the first post - it got stuck on my
> laptop, that'll teach me to mess around with Postfix without restoring
> the settings later. And sorry for this slow message - I'd promised to
> test it earlier, and it's already committed (it builds fine, FWIW).

Hey no problem. Late feedback is better than no feedback. Before
committing it, hiawatha was tested under i386, amd64, sparc64, macppc and
zaurus ;-)

Cheers!

--
Antoine


Re: NEW: www/hiawatha-5.4

Adam-29
In reply to this post by Antoine Jacoutot
Antoine Jacoutot <[hidden email]> wrote:

> On Fri, 29 Dec 2006, Joachim Schipper wrote:
> > I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> > above with
> > http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> > (Marc Espie (espie@) says he is 'shuddering about what a full scale
> > audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> > good idea to have some warning somewhere - perhaps in a SECURITY file?
>
> While I totally understand Marc's comment, he just wonders "what a full
> scale audit would reveal"... maybe nothing!
> By the way, this is true for other ports too.

It's not that the software may be insecure that's the issue.  It's the current
trend of people writing software and putting "secure" into its feature list
as if that is all it takes to make it secure.  The DESCR should not brag
about how secure it is unless it's actually true.  A little "the author claims
it's secure, but it hasn't been audited" note or something would be nice.

Adam


Re: NEW: www/hiawatha-5.4

Antoine Jacoutot
On Sun, 31 Dec 2006, Adam wrote:
> as if that is all it takes to make it secure.  The DESCR should not brag
> about how secure it is unless it's actually true.  A little "the author claims
> it's secure, but it hasn't been audited" note or something would be nice.

Hum actually that makes sense.
I'll look into that.

--
Antoine


Re: NEW: www/hiawatha-5.4

Marc Espie-2
In reply to this post by Joachim Schipper
Well,  I was probably a bit harsh on my first comments wrt hiawatha.
One actually nice feature of this program is that it is reasonably
small. Someone with incentive could probably audit it.

Since it is under the GPL, the OpenBSD project has little incentive
in looking at it very closely...

Antoine fixed hiawatha so that it does not abuse user nobody, so that one
issue doesn't exist on OpenBSD.

Just looking shows me there is probably a race condition on signals.
Using the same variable for TERM/USR1/USR2 is asking for trouble...
and the variable is an int, not a sig_atomic_t (which is innocuous on
most arches, but still).

Some printf's are not portable... like printing getpid with %d (okay,
this is a stretch).

The str2int function has absolutely no overflow handling.... and uses 48
directly, which is totally icky. This means that a few functions have no
protection against user error, which is probably not too bad.

Like I already noticed, there is no handler for seg faults, not even
something to log an error message (which is about all that should happen,
but this SHOULD happen).

I've looked a bit more, but the coding layout is a bit bizarre. I'm not
a big fan of code that indents out to column 160 or so...

There are LOTS of hand-coded length computations based on strings, and use
of unsafe string functions, or error-prone stuff (between atoi, str2int,
strncpy, and friends...).  I don't think it's incredibly bad, but it doesn't
look incredibly good either...

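Marc's three concrete points (one shared plain int for TERM/USR1/USR2, a str2int with no overflow handling, and a bare 48 in place of '0') as a constructed C illustration. This is added example code, not Hiawatha's source: the naive parser body is an assumption about what such a function looks like, and the hardened version beside it uses strtol with range checking plus one volatile sig_atomic_t flag per signal.

```c
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdlib.h>

/* Constructed stand-in for the pattern criticised above (not Hiawatha's
 * code): subtracts the magic number 48 instead of '0' and never checks
 * for overflow, so a long digit string wraps (signed overflow, UB). */
static int str2int_naive(const char *s) {
    int value = 0;
    if (*s == '\0')
        return -1;                       /* empty string */
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;                   /* non-digit */
        value = value * 10 + (*s - 48);  /* no overflow check at all */
    }
    return value;
}

/* Hardened replacement: strtol with full syntax and range checking.
 * Rejects "", leading whitespace or sign (strtol alone accepts both),
 * trailing garbage and anything outside [0, INT_MAX]; 0 = ok, -1 = error. */
static int str2int_safe(const char *s, int *out) {
    char *end;
    long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* One volatile sig_atomic_t per signal instead of one shared int: each
 * handler only stores to its own flag and the main loop polls and clears
 * them, so a second signal cannot overwrite a still-pending one. */
static volatile sig_atomic_t got_term, got_usr1, got_usr2;

static void on_signal(int sig) {
    switch (sig) {
    case SIGTERM: got_term = 1; break;
    case SIGUSR1: got_usr1 = 1; break;
    case SIGUSR2: got_usr2 = 1; break;
    }
}
```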

Re: NEW: www/hiawatha-5.4

Marc Balmer-2
Marc Espie wrote:
> Well,  I was probably a bit harsh on my first comments wrt hiawatha.
> One actually nice feature of this program is that it is reasonably
> small. Someone with incentive could probably audit it.
>
> Since it is under the GPL, the OpenBSD project has little incentive
> in looking at it very closely...

You might want to take a closer look at www/nostromo, a secure and small
webserver written by mglocker@.



Re: NEW: www/hiawatha-5.4

Toni Mueller-7
In reply to this post by Antoine Jacoutot

Hi,

On Sun, 31.12.2006 at 14:18:54 +0100, Antoine Jacoutot <[hidden email]> wrote:
> While I totally understand Marc's comment, he just wonders "what a full
> scale audit would reveal"... maybe nothing!

ugh. Bad assumption if you try to be "secure by default".

> By the way, this is true for other ports too.
> For info, the daemon cannot be run at root. It is a small software so it
> shouldn't be to hard to audit if people want to.

FWIW, I was also recently looking for a small webserver after I
initially looked into lighttpd, and came across nginx which I find
even more promising.


Best,
--Toni++


Re: NEW: www/hiawatha-5.4

Nikns Siankin
On Thu, Jan 11, 2007 at 11:09:29AM +0100, Toni Mueller wrote:

>
>Hi,
>
>On Sun, 31.12.2006 at 14:18:54 +0100, Antoine Jacoutot <[hidden email]> wrote:
>> While I totally understand Marc's comment, he just wonders "what a full
>> scale audit would reveal"... maybe nothing!
>
>ugh. Bad assumption if you try to be "secure by default".
>
>> By the way, this is true for other ports too.
>> For info, the daemon cannot be run at root. It is a small software so it
>> shouldn't be to hard to audit if people want to.
>
>FWIW, I was also recently looking for a small webserver after I
>initially looked into lighttpd, and came across nginx which I find
>even more promising.

http://secure.lv/~nikns/stuff/ports/nginx-0.4.7.tar
if interested.
It is very popular in the ex-Soviet Union ;]
In fact, jan[lighttpd] and sesojev[nginx] are exchanging ideas
and perhaps code, dunno.
