From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: Peeking at unbound statistics from WUI
Date: Mon, 21 Jan 2019 06:35:28 -0500

While we are discussing useful statistics that would be nice to have, Smokeping would be a really nice thing to have, along with the ability to specify a custom time window. Sometimes I want to see more than an hour, but less than a day, etc.

Tom

> On Jan 21, 2019, at 6:03 AM, Michael Tremer wrote:
> 
> Hey,
> 
>> On 20 Jan 2019, at 17:07, Rachid Groeneveld wrote:
>> 
>> Hi Bob and Michael,
>> 
>> Thanks for the responses. Since the below is missing information I will try to recap and answer:
>> 
>>>> On 17 Jan 2019, at 20:15, Rachid Groeneveld wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
>>> 
>>> That depends on what you need.
>>> 
>>> The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called "nobody" so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.
>>> 
>>> For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.
>> 
>> I think this is exactly the way it should work, I will read into those binaries and how to use 'em, thanks for the pointer. I don't have any desires to compromise security/safety in favor of reporting purposes.
>> 
>>>> I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: "unbound-control stats_noreset". That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
>>> 
>>> Running that command fails as follows:
>>> 
>>> [root@ipfire ~]# sudo -u nobody unbound-control stats
>>> error: Error setting up SSL_CTX client cert
>>> /etc/unbound/unbound_control.pem: Permission denied
>>> 
>>> The certificate that unbound uses is only supposed to be read by root.
>> 
>> I figured as much, this only confirms the need for a specific binary to solve the issue.
>> 
>>>> Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I've tried sudo-ing (I'd rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
>>> 
>>> Depending how fit you are with C, you can build such a "setuid binary" yourself. There is plenty of inspiration here:
>>> 
>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
>>> 
>>> But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
>> 
>> I need to carefully read into this and see what it's all about and how I should use it. To be continued 😉
>> 
>>> What are you building with all this?
>>> 
>>> Best,
>>> -Michael
>> 
>> I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.
>> 
>> TLDR; I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)
> 
> Yes, they are quite pretty to look at. I am not entirely sure why people are so much in love with them because many dashboards out there (not talking about anything specifically) do not transport much information. They just show that the "system is busy". I am not sure whether that is useful information or not.
> 
> IPFire doesn't have a very pretty stats section, but it does the job. The main job is to show what has happened over time. That is in recent history like "last week" or "yesterday" so that problems with the system can be spotted very easily; and showing trends over time so that people can see if bandwidth usage has "doubled" over a year or so. That would be information I care about.
> 
> We have a thing called collecty which is supposed to achieve that in IPFire 3. It collects various system statistics, but you can probably add unbound and some other sources, too. It is written in Python which makes it easier to extend - although it has a little C module to talk to hard drives. It potentially could be ported to IPFire 2.
> 
> Maybe it is worth having a look at that. IPFire 2 right now has loads of different scripts and tools that collect statistics. It would be nice to have this all in the same place and use it wherever we want to present this data.
> 
> Here is the code:
> 
> https://git.ipfire.org/?p=oddments/collecty.git;a=summary
> 
> This is an example graph in SVG:
> 
> https://people.ipfire.org/~ms/graph.svg
> 
> Right now, there is no mechanism to get the raw data, but that is trivial to add. We could store the last hour with a really high resolution to make JS graphs look nice, too.
> 
> -Michael
> 
>> 
>> Cheers!
>> 
>> -----Original message-----
>> From: Development On behalf of Bob Brewer
>> Sent: Saturday 19 January 2019 11:44
>> To: development@lists.ipfire.org
>> Subject: Re: Peeking at unbound statistics from WUI
>> 
>> Michael Tremer wrote:
>> 
>>>> Can someone point me in the right direction for peeking unbound
>>>> statistics from perl/cgi scripts? I've tried sudo-ing (I'd rather
>>>> not, for security reasons), separate bash scripts and qx/backticks,
>>>> they all seem to fail with exit code 256 which seems to be a permission problem.
>>>> Running anything from an SSH session obviously succeeds, because then
>>>> I have all the rights I need.
>>> 
>>> Depending how fit you are with C, you can build such a "setuid binary"
>>> yourself. There is plenty of inspiration here:
>>> 
>> I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.
>> 
>> As a workaround I added my update command to /etc/sudoers as nobody ALL=NOPASSWD: /your/command/here so it can be run from the cgi with sudo.
>> 
>> I suspect that this has security implications so use at your own risk.
>> 
>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
>>> 
>>> But since you have said that you are not a developer, this might be a
>>> little bit hard :) Let me know where I can help out.
>>> 
>> 
>> Thank you for the links Michael this should be the way I should go with Banish. I'll see if I get something compiled for my prog.
>> 
>> HTH
>> 
>> Rob
>> 
>> 
> 
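The thread above settles the privilege question (the CGI runs as "nobody", the unbound control certificate is root-only, so the stats have to come through a narrowly scoped privileged helper rather than a shell string or an open-ended sudo rule) but never shows what the dashboard side would do with the output. The following is an added example, not code from the IPFire project or from anyone in this thread. It assumes a hypothetical helper binary at a placeholder path that takes no arguments and runs a fixed "unbound-control stats_noreset"; the parsing itself works on the key=value lines that unbound-control prints, shown here on a constructed sample.

```python
"""Turn `unbound-control stats_noreset` output into dashboard metrics.

Added example for the thread on reading unbound statistics from the WUI.
Not IPFire code. The helper path is a hypothetical placeholder for a
misc-progs style privileged binary; the sample stats are constructed.
"""
import json
import subprocess
from typing import Dict

# Hypothetical privileged helper (placeholder path, not a real file).
# It must accept no arguments and exec a fixed argv, so nothing that the
# unprivileged CGI receives from a request can influence what runs as root.
HELPER = "/usr/local/bin/unboundstatsctrl"

# Constructed sample in the key=value format unbound-control prints;
# the numbers are made up for this example.
SAMPLE_STATS = """\
thread0.num.queries=120
thread0.num.cachehits=90
thread0.num.cachemiss=30
total.num.queries=120
total.num.cachehits=90
total.num.cachemiss=30
total.num.prefetch=0
total.num.recursivereplies=30
time.now=1548070000.123456
time.up=86400.000000
num.query.type.A=100
num.query.type.AAAA=20
num.answer.rcode.NOERROR=110
num.answer.rcode.NXDOMAIN=8
num.answer.rcode.SERVFAIL=2
"""


def parse_stats(text: str) -> Dict[str, float]:
    """Parse key=value lines into a dict; skip anything that does not fit."""
    stats: Dict[str, float] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or not key:
            continue  # blank line or no '=': not a counter
        try:
            stats[key] = float(value)
        except ValueError:
            continue  # non-numeric value, ignore rather than fail the page
    return stats


def cache_hit_ratio(stats: Dict[str, float]) -> float:
    """Fraction of queries answered from cache; 0.0 on an idle resolver."""
    total = stats.get("total.num.queries", 0.0)
    if total == 0:
        return 0.0  # avoid division by zero right after a restart
    return stats.get("total.num.cachehits", 0.0) / total


def breakdown(stats: Dict[str, float], prefix: str) -> Dict[str, int]:
    """Collect counters sharing a prefix, e.g. num.query.type.* -> {A: 100}."""
    return {k[len(prefix):]: int(v) for k, v in stats.items()
            if k.startswith(prefix)}


def fetch_raw_stats(timeout: float = 5.0) -> str:
    """Run the helper with a fixed argv, no shell and a minimal environment.

    Raises subprocess.CalledProcessError / TimeoutExpired; the CGI should
    catch those and render "stats unavailable" instead of a server error.
    """
    result = subprocess.run([HELPER], capture_output=True, text=True,
                            check=True, timeout=timeout,
                            env={"PATH": "/usr/bin:/bin"})
    return result.stdout


def dashboard_metrics(text: str) -> dict:
    """The numbers a dashboard page would actually display."""
    s = parse_stats(text)
    return {
        "queries": int(s.get("total.num.queries", 0)),
        "cache_hit_ratio": round(cache_hit_ratio(s), 3),
        "uptime_hours": round(s.get("time.up", 0.0) / 3600, 1),
        "query_types": breakdown(s, "num.query.type."),
        "rcodes": breakdown(s, "num.answer.rcode."),
    }


if __name__ == "__main__":
    # Offline demo on the constructed sample; a CGI would call
    # dashboard_metrics(fetch_raw_stats()) instead.
    print(json.dumps(dashboard_metrics(SAMPLE_STATS), indent=2))
```

The same fixed-command discipline applies to the sudoers workaround Bob describes: a rule that names one exact command with no wildcard arguments is what keeps the nobody-to-root boundary narrow, and the CGI should still invoke it as a fixed argv list, never through a shell string assembled from request data.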