From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Peeking at unbound statistics from WUI
Date: Mon, 21 Jan 2019 11:02:59 +0000
In-Reply-To: <AM0PR03MB4932BA80DE9C25FB099EDAC2B69E0@AM0PR03MB4932.eurprd03.prod.outlook.com>

Hey,

> On 20 Jan 2019, at 17:07, Rachid Groeneveld wrote:
>
> Hi Bob and Michael,
>
> Thanks for the responses. Since the below is missing information I will try to recap and answer:
>
> >> On 17 Jan 2019, at 20:15, Rachid Groeneveld wrote:
> >>
> >> Hi all,
> >>
> >> I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
> >
> > That depends on what you need.
> >
> > The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called “nobody” so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.
> >
> > For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.
>
> I think this is exactly the way it should work, I will read into those binaries and how to use 'em, thanks for the pointer. I don't have any desires to compromise security/safety in favor of reporting purposes.
>
> >> I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: “unbound-control stats_noreset”. That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
> >
> > Running that command fails as follows:
> >
> > [root(a)ipfire ~]# sudo -u nobody unbound-control stats
> > error: Error setting up SSL_CTX client cert
> > /etc/unbound/unbound_control.pem: Permission denied
> >
> > The certificate that unbound uses is only supposed to be read by root.
>
> I figured as much, this only confirms the need for a specific binary to solve the issue.
>
> >> Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
> >
> > Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
> >
> > https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
> >
> > But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
>
> I need to carefully read into this and see what it's all about and how I should use it. To be continued 😉
>
> > What are you building with all this?
> >
> > Best,
> > -Michael
>
> I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.
>
> TLDR; I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)

Yes, they are quite pretty to look at. I am not entirely sure why people are so much in love with them because many dashboards out there (not talking about anything specifically) do not transport much information. They just show that the “system is busy”. I am not sure whether that is useful information or not.

IPFire doesn’t have a very pretty stats section, but it does the job. The main job is to show what has happened over time. That is in recent history like “last week” or “yesterday” so that problems with the system can be spotted very easily; and showing trends over time so that people can see if bandwidth usage has “doubled” over a year or so. That would be information I care about.

We have a thing called collecty which is supposed to achieve that in IPFire 3. It collects various system statistics, but you can probably add unbound and some other sources, too. It is written in Python which makes it easier to extend - although it has a little C module to talk to hard drives. It potentially could be ported to IPFire 2.

Maybe it is worth having a look at that. IPFire 2 right now has loads of different scripts and tools that collect statistics. It would be nice to have this all in the same place and use it wherever we want to present this data.

Here is the code:

  https://git.ipfire.org/?p=oddments/collecty.git;a=summary

This is an example graph in SVG:

  https://people.ipfire.org/~ms/graph.svg

Right now, there is no mechanism to get the raw data, but that is trivial to add. We could store the last hour with a really high resolution to make JS graphs look nice, too.

-Michael

>
> Cheers!
>
> -----Original message-----
> From: Development on behalf of Bob Brewer
> Sent: Saturday, 19 January 2019 11:44
> To: development(a)lists.ipfire.org
> Subject: Re: Peeking at unbound statistics from WUI
>
> Michael Tremer wrote:
>
> >> Can someone point me in the right direction for peeking unbound
> >> statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather
> >> not, for security reasons), separate bash scripts and qx/backticks,
> >> they all seem to fail with exit code 256 which seems to be a permission problem.
> >> Running anything from an SSH session obviously succeeds, because then
> >> I have all the rights I need.
> >
> > Depending how fit you are with C, you can build such a “setuid binary”
> > yourself. There is plenty of inspiration here:
> >
> I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.
>
> As a workaround I added my update command to /etc/sudoers as nobody ALL=NOPASSWD: /your/command/here so it can be run from the cgi with sudo.
>
> I suspect that this has security implications so use at your own risk.
>
> > https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
> >
> > But since you have said that you are not a developer, this might be a
> > little bit hard :) Let me know where I can help out.
> >
>
> Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I get something compiled for my prog.
>
> HTH
>
> Rob
>
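The “setuid binary” approach Michael points to, written out as an added example that is not IPFire's own misc-progs code: a fixed-purpose C helper that the web UI, running as nobody, can execute to read unbound statistics without sudo and without being able to read /etc/unbound/unbound_control.pem itself. The path of unbound-control and the list of permitted subcommands are assumptions.

```c
/* Added example (not IPFire's misc-progs code): a fixed-purpose setuid helper
 * that lets the unprivileged web UI user read unbound statistics without
 * sudo and without access to /etc/unbound/unbound_control.pem. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed path of unbound-control on the system. */
#define UNBOUND_CONTROL "/usr/sbin/unbound-control"

/* Only read-only statistics subcommands may be requested; anything else,
 * including "stats_noreset" with extra characters, is refused. */
static const char *const allowed[] = { "stats", "stats_noreset" };

int allowed_subcommand(const char *subcmd) {
    size_t i;
    if (subcmd == NULL)
        return 0;
    for (i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++)
        if (strcmp(subcmd, allowed[i]) == 0)
            return 1;
    return 0;
}

int main(int argc, char *argv[]) {
    /* Fixed environment for the child: the caller's PATH etc. are ignored. */
    char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    if (argc != 2 || !allowed_subcommand(argv[1])) {
        fprintf(stderr, "usage: %s stats|stats_noreset\n", argv[0]);
        return 1;
    }
    /* The setuid bit only sets the effective uid; become root fully and
     * fail closed if that is not possible (e.g. setuid bit missing). */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* Absolute path plus an allow-listed argument: no shell interprets
     * user input, and nothing else reaches the privileged exec. */
    char *const args[] = { UNBOUND_CONTROL, argv[1], NULL };
    execve(UNBOUND_CONTROL, args, clean_env);
    perror("execve");
    return 1;
}
```

Install it root-owned with the setuid bit and restricted to the web UI user's group (for example mode 4750, group nobody), so that only the CGI scripts can invoke it and they can invoke nothing but these two read-only subcommands.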