bgplg ping/traceroute failed


bgplg ping/traceroute failed

Henry Bonath
Hello Misc,

I had thought that I had configured the looking glass correctly per the man
page,
I have everything else working correctly, with custom header and footer
with CSS and all works great.
Whenever I attempt to ping/traceroute from the webpage, it simply reports:
"failed."

Here is what permissions look like: (set to 4555, per the man page)
# ls -l /var/www/bin
total 3584
-r-xr-xr-x  1 root  bin  336016 Apr 13 16:35 bgpctl
-r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping
-r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping6
-r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute
-r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute6

OpenBSD version is 6.5 amd64.

Is there anything I am missing that I would need to do in order to make
this work?
Thanks in advance!
-Henry

Re: bgplg ping/traceroute failed

Theo de Raadt-2
Henry Bonath <[hidden email]> wrote:

> Hello Misc,
>
> I had thought that I had configured the looking glass correctly per the man
> page,
> I have everything else working correctly, with custom header and footer
> with CSS and all works great.
> Whenever I attempt to ping/traceroute from the webpage, it simply reports:
> "failed."
>
> Here is what permissions look like: (set to 4555, per the man page)
> # ls -l /var/www/bin
> total 3584
> -r-xr-xr-x  1 root  bin  336016 Apr 13 16:35 bgpctl
> -r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping
> -r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping6
> -r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute
> -r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute6
>
> OpenBSD version is 6.5 amd64.
>
> Is there anything I am missing that I would need to do in order to make
> this work?

Those setuid binaries require a filesystem which is mounted correctly.

Cannot have the options "noexec, nosuid".

btw, those setuid binaries are heavily priv-drop.  But to avoid having
the entire filesystem outside of this dir open, you could consider
making just this directory its own mini filesystem; it's just an
extra bit of containment.


Re: bgplg ping/traceroute failed

Henry Bonath
Thanks Theo, that thought had briefly crossed my mind, and it looks like
you are correct!

/dev/sd0e on /var type ffs (local, nodev, nosuid)

I appreciate your quick response!
-Henry


On Thu, Oct 3, 2019 at 2:10 PM Theo de Raadt <[hidden email]> wrote:

> Henry Bonath <[hidden email]> wrote:
>
> > Hello Misc,
> >
> > I had thought that I had configured the looking glass correctly per the
> man
> > page,
> > I have everything else working correctly, with custom header and footer
> > with CSS and all works great.
> > Whenever I attempt to ping/traceroute from the webpage, it simply
> reports:
> > "failed."
> >
> > Here is what permissions look like: (set to 4555, per the man page)
> > # ls -l /var/www/bin
> > total 3584
> > -r-xr-xr-x  1 root  bin  336016 Apr 13 16:35 bgpctl
> > -r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping
> > -r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping6
> > -r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute
> > -r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute6
> >
> > OpenBSD version is 6.5 amd64.
> >
> > Is there anything I am missing that I would need to do in order to make
> > this work?
>
> Those setuid binaries require a filesystem which is mounted correctly.
>
> Cannot have the options "noexec, nosuid".
>
> btw, those setuid binaries are heavily priv-drop.  But to avoid having
> the entire filesystem outside of this dir open, you could consider
> making just this directory its own mini filesystem; it's just an
> extra bit of containment.
>

Re: bgplg ping/traceroute failed

Claudio Jeker
On Thu, Oct 03, 2019 at 02:07:58PM -0400, Henry Bonath wrote:

> Hello Misc,
>
> I had thought that I had configured the looking glass correctly per the man
> page,
> I have everything else working correctly, with custom header and footer
> with CSS and all works great.
> Whenever I attempt to ping/traceroute from the webpage, it simply reports:
> "failed."
>
> Here is what permissions look like: (set to 4555, per the man page)
> # ls -l /var/www/bin
> total 3584
> -r-xr-xr-x  1 root  bin  336016 Apr 13 16:35 bgpctl
> -r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping
> -r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping6
> -r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute
> -r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute6

The ping* and traceroute* binaries need to be setuid root, not setuid www.
The root privs are needed to open the raw socket; after that, privs are
dropped. Also check the mail from Theo about the nosuid mount option on /var.
 
> OpenBSD version is 6.5 amd64.
>
> Is there anything I am missing that I would need to do in order to make
> this work?
> Thanks in advance!
> -Henry

--
:wq Claudio
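The two prerequisites named in this thread (helpers setuid root, filesystem not mounted nosuid/noexec) can be checked mechanically. The script below is an added example, not part of the thread or of bgplg itself; it parses `ls -l` and mount(8) lines of the shape quoted above, and the live wrapper `check_bgplg_dir` assumes `ls`, `df -P`, `awk` and `mount` are available (mount-point lookup via `df -P` is an assumption that holds on OpenBSD and Linux).

```sh
#!/bin/sh
# Added example: verify the bgplg helper prerequisites discussed above.
# The parsers take captured text so they can be run against pasted output.

# check_bin_line LS_LINE: helper must be setuid (4xxx) AND owned by root.
# Setuid www only grants www's own privileges, so the raw socket open fails.
check_bin_line() {
    set -- $1                       # split the ls -l line into fields
    mode=$1; owner=$3; name=$9
    problems=""
    case "$mode" in
        ???[sS]*) ;;                # 4th mode character s/S = setuid bit
        *) problems="$problems not-setuid" ;;
    esac
    [ "$owner" = root ] || problems="$problems owner-is-$owner"
    if [ -n "$problems" ]; then echo "$name:$problems"; else echo "$name: ok"; fi
}

# check_mount_line MOUNT_LINE: the filesystem holding the helpers must not be
# mounted nosuid or noexec, otherwise the kernel ignores the setuid bit.
check_mount_line() {
    mp=${1#* on }; mp=${mp%% type *}                # mount point
    opts=${1#*(}; opts=$(printf '%s' "${opts%)}" | tr -d ' ')
    bad=""
    case ",$opts," in *,nosuid,*) bad="$bad nosuid" ;; esac
    case ",$opts," in *,noexec,*) bad="$bad noexec" ;; esac
    if [ -n "$bad" ]; then echo "$mp:$bad"; else echo "$mp: ok"; fi
}

# check_bgplg_dir [DIR]: run both checks against the live system (assumed
# tools: ls, df -P, awk, mount). Default DIR is the one from the thread.
check_bgplg_dir() {
    dir=${1:-/var/www/bin}
    for f in ping ping6 traceroute traceroute6; do
        [ -e "$dir/$f" ] && check_bin_line "$(ls -l "$dir/$f")"
    done
    mp=$(df -P "$dir" | awk 'NR==2 {print $6}')
    mount | grep " on $mp type " | while read -r line; do
        check_mount_line "$line"
    done
}
```

Run `check_bgplg_dir /var/www/bin` on the looking-glass host; a report of `owner-is-www` or `/var: nosuid` points at exactly the two problems diagnosed in this thread.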


Re: bgplg ping/traceroute failed

Henry Bonath
Claudio,

Thank you - that's what I was missing.
I made the change to the fstab in order to test per Theo's recommendation
on the mount point options; however, I was not able to get it to work until
I changed the owner to root.

It also sounds like Theo is recommending a separate partition, which I will
definitely do since this thing will be public-facing.

Again, I appreciate you guys taking the time to explain this to me!
-Henry

On Thu, Oct 3, 2019 at 2:56 PM Claudio Jeker <[hidden email]>
wrote:

> On Thu, Oct 03, 2019 at 02:07:58PM -0400, Henry Bonath wrote:
> > Hello Misc,
> >
> > I had thought that I had configured the looking glass correctly per the
> man
> > page,
> > I have everything else working correctly, with custom header and footer
> > with CSS and all works great.
> > Whenever I attempt to ping/traceroute from the webpage, it simply
> reports:
> > "failed."
> >
> > Here is what permissions look like: (set to 4555, per the man page)
> > # ls -l /var/www/bin
> > total 3584
> > -r-xr-xr-x  1 root  bin  336016 Apr 13 16:35 bgpctl
> > -r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping
> > -r-sr-xr-x  2 www   bin  366536 Apr 13 16:35 ping6
> > -r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute
> > -r-sr-xr-x  2 www   bin  325320 Apr 13 16:35 traceroute6
>
> The ping* and traceroute* binaries need to be setuid root, not setuid www.
> The root privs are needed to open the raw socket; after that, privs are
> dropped. Also check the mail from Theo about the nosuid mount option on /var.
>
> > OpenBSD version is 6.5 amd64.
> >
> > Is there anything I am missing that I would need to do in order to make
> > this work?
> > Thanks in advance!
> > -Henry
>
> --
> :wq Claudio
>