Re: Peeking at unbound statistics from WUI

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2722 bytes --]

Hallo Rachid,

Thanks for writing :)

> On 17 Jan 2019, at 20:15, Rachid Groeneveld <rachidgroeneveld(a)hotmail.nl> wrote:
> 
> Hi all,
>  
> I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.

That depends on what you need.

The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called “nobody” so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.

For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.

>  
> I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: “unbound-control stats_noreset”. That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.

Running that command fails as follows:

[root(a)ipfire ~]# sudo -u nobody unbound-control stats
error: Error setting up SSL_CTX client cert
/etc/unbound/unbound_control.pem: Permission denied

The certificate that unbound uses is only supposed to be read by root.

>  
> Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.

Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD

But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.

What are you building with all this?

Best,
-Michael

>  
> Thanks in advance.
>  
> Cheers,
> 
> Rachid