From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Peeking at unbound statistics from WUI
Date: Fri, 18 Jan 2019 15:03:56 +0000

Hello Rachid,

Thanks for writing :)

> On 17 Jan 2019, at 20:15, Rachid Groeneveld wrote:
>
> Hi all,
>
> I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.

That depends on what you need.

The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called "nobody" so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.

For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.

>
> I think it's a permission issue; as far as I've been able to assess, the web pages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: "unbound-control stats_noreset". That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up; that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.

Running that command fails as follows:

[root@ipfire ~]# sudo -u nobody unbound-control stats
error: Error setting up SSL_CTX client cert /etc/unbound/unbound_control.pem: Permission denied

The certificate that unbound uses is only supposed to be read by root.

>
> Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I've tried sudo-ing (I'd rather not, for security reasons), separate bash scripts and qx/backticks; they all seem to fail with exit code 256, which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.

Depending on how fit you are with C, you can build such a "setuid binary" yourself. There is plenty of inspiration here:

https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD

But since you have said that you are not a developer, this might be a little bit hard :)

Let me know where I can help out. What are you building with all this?

Best,
-Michael

>
> Thanks in advance.
>
> Cheers,
>
> Rachid
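An added example of the kind of narrowly scoped setuid helper Michael describes, written in the style of the misc-progs directory but not taken from IPFire's own code; the install path of unbound-control and the helper's name are assumptions. It runs exactly one fixed command for exactly one caller, so the web user never handles the control certificate and cannot pass arguments through:

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed install path of the unbound-control binary on the firewall. */
#define UNBOUND_CONTROL "/usr/sbin/unbound-control"

/* The command is fixed at compile time; nothing from the caller reaches it. */
static char *const fixed_argv[] = { "unbound-control", "stats_noreset", NULL };
/* A fixed environment so PATH or LD_* variables of the CGI process are ignored. */
static char *const fixed_envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* The helper takes no arguments at all; 0 = acceptable, -1 = refuse. */
int check_args(int argc)
{
    return (argc == 1) ? 0 : -1;
}

/* Only run when really installed setuid root and invoked by the web user.
 * ruid/euid: real and effective uid of the process; web_uid: the CGI user. */
int check_identity(uid_t ruid, uid_t euid, uid_t web_uid)
{
    if (euid != 0)
        return -1;      /* setuid bit missing: we could not read the cert either */
    if (ruid != web_uid)
        return -1;      /* anyone else gets nothing; root can call unbound-control directly */
    return 0;
}

int main(int argc, char **argv)
{
    if (check_args(argc) != 0) {
        fprintf(stderr, "usage: %s (takes no arguments)\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam("nobody");   /* uid the WUI runs under */
    if (pw == NULL || check_identity(getuid(), geteuid(), pw->pw_uid) != 0) {
        fprintf(stderr, "refusing to run: wrong caller or not setuid root\n");
        return 1;
    }
    /* Make the real uid root as well, as the misc-progs do, so the child is
     * not left in a mixed-uid state, then replace ourselves with the command. */
    if (setuid(0) != 0)
        return 1;
    execve(UNBOUND_CONTROL, fixed_argv, fixed_envp);
    perror("execve");   /* only reached if execve itself failed */
    return 1;
}
```

Installed as root:nobody with mode 4750, the CGI script can read the statistics with qx() on the helper's path instead of calling unbound-control itself, and unbound_control.pem stays readable by root only.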