On 2020/05/10 16:22, Tom Smyth wrote:
> Hello
> the following diff is for the smokeping readme to assist users
> in getting smokeping as an fcgi with httpd
> while trying to maintain the chroot jail for the smokeping webpage...
> if any one has comments on the approach i have taken or if it can be
> done more securely.
> my approach was to try to run the smokeping web front end in a similar fashion
> to bgplg
> comments / corrections welcome
bgplg is designed to run in a jail, it is a small C program and even
then it needs specially compiled versions of the external dependencies
(ping, bgpctl etc).
Smokeping isn't - if you want to run the graph generating part of
smokeping (i.e. the cgi/fcgi script) inside a chroot jail, a whole lot
more is needed - a copy of perl and various modules, rrdtool,
rrdtool's library dependencies, fonts, and I think there were config
files for some of the libraries. I did this in the past but it's a
real mess and easy to break at update time, and the amount of things
copied in means that the chroot ends up more as "luxury camping" than
"jail" ;)
For the most secure setup I'd recommend generating the graphs as
static files from a cronjob and skip the cgi, then smokeping doesn't
have to deal with untrusted input. This can result in high loads if
you monitor a lot of endpoints and rarely look at the graphs though.
If you need the CGI then my approach to securing it (and most other
web applications) is to run it on a machine or VM that doesn't have
much in the way of private data on it, and firewall off outbound
traffic - only allow what is necessary (ping probes, etc).
> diff /usr/local/share/doc/pkg-readmes/smokeping
> /usr/local/share/doc/pkg-readmes/smokeping-tom
> 24a25,26
> >
> >
> 45a48,89
> >
> > Smokeping as an fcgi with OpenBSD's httpd
> > ==============================
> > The following is an example configuration of httpd.conf so
> > that it will run smokping fcgi
> >
> > server "your.ip.address." {
> > listen on * port 80
> > location "/smokeping/smokeping.fcgi*" {
> > fastcgi socket "/run/smokeping.sock"
> > root "/"
> > }
> >
> > }
> >
> > # the following creates the directory for smokeping datafiles
> > mkdir /var/db/smokeping
> > chown _smokeping /var/db/smokeping
Maybe I can have it create that automatically in pkg/PLIST, I'll take
a look (though I think there was a reason why I didn't..)
> > the following copies the /etc/smokeping/config so that the config
> > is available in the chrootjail
> >
> > mkdir -p /var/www/etc/smokeping
> > cp /etc/smokeping/config /var/www/etc/smokeping
> > rm /etc/smokeping/config
> > ln -s /var/www/etc/smokeping /etc/smokeping/config
smokeping_fcgi runs outside the chroot and accesses the config files
directly in /etc/smokeping, so that shouldn't be needed.
> > cp /usr/local/bin/smokeping_cgi /var/www/cgi-bin/
> > chmod 0555 /var/www/cgi-bin/smokeping_cgi
> >
> >
> > #edit smokeping.fcgi to call the fcgi in cgi-bin
> > echo #!/bin/sh >/var/www/htdocs/smokeping/smokeping.fcgi
> > echo exec /cgi-bin/smokeping_cgi /etc/smokeping/config
> > >>/var/www/htdocs/smokeping/smokeping.fcgi
I only run /usr/sbin/httpd for occasional tests so may not be 100% up
to speed on this, but the way I read the httpd.conf sample above I think
it will connect directly to the socket and doesn't need a file in
/var/www/htdocs/smokeping (and if it's present, then the contents don't
matter). I'll try to have a look at this with a test setup sometime..
