Hi Bob and Michael,
Thanks for the responses. Since the below is missing information I will try to recap and answer:
On 17 Jan 2019, at 20:15, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi all,
I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
That depends on what you need.
The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called “nobody” so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.
For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.
I think this is exactly the way it should work, I will read into those binaries and how to use 'em, thanks for the pointer. I don't have any desires to compromise security/safety in favor of reporting purposes.
I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: “unbound-control stats_noreset”. That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
Running that command fails as follows:
[root@ipfire ~]# sudo -u nobody unbound-control stats
error: Error setting up SSL_CTX client cert
/etc/unbound/unbound_control.pem: Permission denied
The certificate that unbound uses is only supposed to be read by root.
I figured as much, this only confirms the need to a specific binary to solve the issue.
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9c...
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
I need to carefully read into this and see what it's all about and how I should use it. To be continued 😉
What are you building with all this?
Best,
-Michael
I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.
TLDR; I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)
Cheers!
-----Original message----- From: Development development-bounces@lists.ipfire.org On behalf of Bob Brewer Sent: Saturday 19 January 2019 11:44 To: development@lists.ipfire.org Subject: Re: Peeking at unbound statistics from WUI
Michael Tremer wrote:
Can someone point me in the right direction for peeking unbound
statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather
not, for security reasons), separate bash scripts and qx/backticks,
they all seem to fail with exit code 256 which seems to be a permission problem.
Running anything from an SSH session obviously succeeds, because then
I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary”
yourself. There is plenty of inspiration here:
I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.
As a workaround I added my update command to /etc/sudoers as nobody ALL=NOPASSWD: /your/command/here so it can be run from the cgi with sudo.
I suspect that this has security implications so use at your own risk.
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
But since you have said that you are not a developer, this might be a
little bit hard :) Let me know where I can help out.
Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I can get something compiled for my prog.
HTH
Rob
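The thread points at two ways to let the CGI (running as "nobody") read root-only Unbound statistics: a dedicated setuid binary in the style of IPFire's src/misc-progs, or a sudoers entry. Below is an added example of the first approach, written for this thread and not taken from the IPFire tree. It assumes unbound-control lives at /usr/sbin/unbound-control, that the web UI user is "nobody", and that the wrapper is installed root-owned with mode 4750 and group "nobody". The point it demonstrates is what such a wrapper must do beyond calling setuid: accept only an exact-match whitelist of read-only subcommands, refuse any other caller, exec with a fixed argv and a minimal environment rather than a shell, and gain privileges only after the request has been validated.

```c
/* Added example: a minimal setuid wrapper for reading Unbound statistics
 * from the WUI. Not IPFire's own misc-progs code; written for illustration.
 * Assumptions: unbound-control is at /usr/sbin/unbound-control, the web UI
 * runs as "nobody", and this binary is installed root:nobody, mode 4750. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define UNBOUND_CONTROL "/usr/sbin/unbound-control"  /* assumed path */
#define ALLOWED_USER    "nobody"                      /* assumed WUI user */

/* Read-only subcommands the CGI may request. Anything that changes resolver
 * state (flush_*, local_data, reload, ...) is deliberately absent. */
static const char *const ALLOWED[] = { "stats", "stats_noreset", "status", NULL };

/* Exact-match whitelist: no prefix matching, no shell metacharacters,
 * no trailing whitespace or newline. Returns 1 if allowed, 0 otherwise. */
int allowed_subcommand(const char *sub)
{
    if (sub == NULL)
        return 0;
    for (const char *const *p = ALLOWED; *p != NULL; p++)
        if (strcmp(sub, *p) == 0)
            return 1;
    return 0;
}

/* The real uid identifies who invoked us even though the effective uid is
 * root via the setuid bit. Returns 1 if it is ALLOWED_USER, else 0. */
int caller_is_allowed(uid_t real_uid)
{
    struct passwd *pw = getpwnam(ALLOWED_USER);
    return pw != NULL && pw->pw_uid == real_uid;
}

/* Validate, then become root for real and exec unbound-control with a fixed
 * argv and a minimal environment. Returns -1 on any failure; on success it
 * never returns because the process image is replaced. */
int run_unbound_control(const char *sub)
{
    if (!allowed_subcommand(sub))
        return -1;

    /* Replace the caller's environment entirely: no inherited PATH,
     * LD_PRELOAD or similar reaches the privileged child. */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/bin", NULL };
    char *const argv[] = { "unbound-control", (char *)sub, NULL };

    /* Set real and effective ids so unbound-control can open the root-only
     * unbound_control.pem. Drop group first, then user. */
    if (setgid(0) != 0 || setuid(0) != 0)
        return -1;

    execve(UNBOUND_CONTROL, argv, envp);
    return -1;  /* only reached if execve failed */
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <stats|stats_noreset|status>\n", argv[0]);
        return 2;
    }
    if (!caller_is_allowed(getuid())) {
        fprintf(stderr, "refusing to run for uid %u\n", (unsigned)getuid());
        return 1;
    }
    if (run_unbound_control(argv[1]) != 0) {
        perror("unbound-control");
        return 1;
    }
    return 0;
}
```

From Perl the CGI would then call the wrapper with backticks, e.g. `my @lines = qx{/usr/local/bin/unboundctl stats_noreset}` (the install path is an assumption), and parse the `name=value` lines it prints. On the exit code 256 mentioned in the thread: Perl's `$?` holds the raw wait status, so 256 is `1 << 8`, i.e. the child exited with status 1, which is what unbound-control returns when it cannot open its certificate. The sudoers alternative from Bob's message works too, but note that a sudoers command listed without arguments lets the user pass any arguments, so a line granting unbound-control as a whole also grants `flush_zone`, `reload` and the rest; pin the arguments in the rule (for example `nobody ALL=NOPASSWD: /usr/sbin/unbound-control stats_noreset`) if you go that way, and keep in mind sudo still has to be told which environment variables to strip.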