Hi Bob and Michael,

 

Thanks for the responses. Since the below is missing information I will try to recap and answer:

 

>> On 17 Jan 2019, at 20:15, Rachid Groeneveld <rachidgroeneveld@hotmail.nl> wrote:

>>

>> Hi all,

>> 

>> I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.

> 

>That depends on what you need.

> 

>The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called “nobody” so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.

> 

>For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.

 

I think this is exactly the way it should work, I will read into those binaries and how to use 'em, thanks for the pointer. I don't have any desires to compromise security/safety in favor of reporting purposes.

 

>> I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: “unbound-control stats_noreset”. That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.

> 

>Running that command fails as follows:

> 

>[root@ipfire ~]# sudo -u nobody unbound-control stats

>error: Error setting up SSL_CTX client cert

>/etc/unbound/unbound_control.pem: Permission denied

> 

>The certificate that unbound uses is only supposed to be read by root.

 

I figured as much, this only confirms the need for a specific binary to solve the issue.

 

>> Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.

> 

>Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:

> 

>  https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD

> 

>But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.

 

I need to carefully read into this and see what it's all about and how I should use it. To be continued 😉

 

>What are you building with all this?

> 

>Best,

>-Michael

 

I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size, I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.

 

TL;DR: I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)

 

Cheers!

 

-----Original message-----
From: Development <development-bounces@lists.ipfire.org> On behalf of Bob Brewer
Sent: Saturday 19 January 2019 11:44
To: development@lists.ipfire.org
Subject: Re: Peeking at unbound statistics from WUI

 

Michael Tremer wrote:

 

>> Can someone point me in the right direction for peeking unbound

>> statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather

>> not, for security reasons), separate bash scripts and qx/backticks,

>> they all seem to fail with exit code 256 which seems to be a permission problem.

>> Running anything from an SSH session obviously succeeds, because then

>> I have all the rights I need.

>

> Depending how fit you are with C, you can build such a “setuid binary”

> yourself. There is plenty of inspiration here:

>

I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.

 

As a workaround I added my update command to /etc/sudoers as "nobody ALL=NOPASSWD: /your/command/here" so it can be run from the cgi with sudo.

 

I suspect that this has security implications so use at your own risk.

 

> https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD

>

> But since you have said that you are not a developer, this might be a

> little bit hard :) Let me know where I can help out.

>

 

Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I get something compiled for my prog.

 

HTH

 

Rob
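
Editor's note, added to this thread and not part of any message above: Michael's suggestion (a small setuid helper in the style of IPFire's src/misc-progs) and Bob's sudoers workaround both solve the same problem, letting the CGI running as "nobody" run one privileged command. The C program below is an added illustration of the helper approach, not code from IPFire's tree. It assumes unbound-control lives at /usr/sbin/unbound-control (an assumption; check your system), and that the web server runs as "nobody" as Michael describes. The helper accepts only an allowlisted read-only subcommand, discards the caller's environment, raises its real uid to root (the setuid bit alone only sets the effective uid), and execs the fixed path. Nothing the CGI passes in can change which binary runs or what it is told to do.

```c
/* Added example, not IPFire code: a minimal setuid wrapper that lets an
 * unprivileged web user run read-only unbound-control subcommands.
 * Build: gcc -O2 -Wall -o unboundctrl unboundctrl.c
 * Install (assumed web user "nobody"): chown root:nobody unboundctrl
 *                                       chmod 4750 unboundctrl
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Absolute path to the real binary (assumed location); never looked up via PATH. */
#define UNBOUND_CONTROL "/usr/sbin/unbound-control"

/* Read-only subcommands the helper is willing to pass through. */
static const char *const ALLOWED_COMMANDS[] = {
    "stats",
    "stats_noreset",
    "status",
    NULL
};

/* Exact-match check against the allowlist. Returns 1 if cmd is permitted,
 * 0 for anything else (NULL, empty, or a command not in the list). */
int is_allowed_command(const char *cmd)
{
    if (cmd == NULL || *cmd == '\0')
        return 0;
    for (const char *const *p = ALLOWED_COMMANDS; *p != NULL; p++) {
        if (strcmp(cmd, *p) == 0)
            return 1;
    }
    return 0;
}

/* Pick the subcommand from argv. With no argument the helper defaults to
 * "stats_noreset"; more than one argument or a non-listed command yields NULL
 * so the caller refuses to run anything. */
const char *select_command(int argc, char *const argv[])
{
    if (argc < 2)
        return "stats_noreset";
    if (argc > 2)
        return NULL;
    return is_allowed_command(argv[1]) ? argv[1] : NULL;
}

/* The setuid bit only gives us euid 0; make both real and effective ids root
 * so unbound-control can open the root-only control certificate. */
static int become_root(void)
{
    if (setgid(0) != 0)
        return -1;
    if (setuid(0) != 0)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *cmd = select_command(argc, argv);
    if (cmd == NULL) {
        fprintf(stderr, "usage: %s [stats|stats_noreset|status]\n", argv[0]);
        return 1;
    }
    if (become_root() != 0) {
        perror("setuid");
        return 1;
    }
    /* Fixed argv and a minimal environment: nothing from the CGI's
     * environment (PATH, LD_*, locale settings) reaches the privileged process. */
    char *const new_argv[] = { UNBOUND_CONTROL, (char *)cmd, NULL };
    char *const new_envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve(UNBOUND_CONTROL, new_argv, new_envp);
    perror("execve " UNBOUND_CONTROL);
    return 1;
}
```

From the CGI the helper is then called by its absolute path, and its stdout is the same "name=value" stats listing that unbound-control prints. Compared with the sudoers line Bob describes, the difference is where the restriction lives: here the permitted binary, its argument list and its environment are pinned in the compiled helper, whereas with sudo the command in /etc/sudoers must be spelled out exactly (with its arguments) to get an equivalent restriction, and anything looser lets the web user run the command with arbitrary arguments as root. Either way, nothing under the web server's control should be able to reach a writable, reload-style subcommand.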