DSM-G600, DNS-323 and TS-I300 Hack Forum

Thanks Fonz!

I used the command you suggested (with an extra -G lighttpd to add the user to the already existing lighttpd group), changed the permissions on /mnt/HD_a2/www, deleted the old access and error logs, changed the server.user and server.group in the lighttpd.conf to 'lighttpd', and restarted. And it works!

My goal in all of this was to make the server as secure as possible for a publicly accessible (via a NAT router) web site.

So now the server runs as a user without root privileges. The only other think I can think of doing is to run the server in a chroot jail. I have tried setting the chroot directory in the lighttpd configuration file to /mnt/HD_a2/www, but the server fails to start.

Any other suggestions for hardening the server?

Many thanks!

srk wrote:

I used the command you suggested (with an extra -G lighttpd to add the user to the already existing lighttpd group), changed the permissions on /mnt/HD_a2/www, deleted the old access and error logs, changed the server.user and server.group in the lighttpd.conf to 'lighttpd', and restarted. And it works!

srk; Following your lead I've done the same except my user is set to access /mnt/USB/www.

Does anyone have any idea how the user ID (lighttpd) can be associated with more than one access point? I'm running lighttpd and ffp from a USB key. If ffp fails to load from the USB key then operation resorts back to the local disk. Given /mnt/USB/www will not be available there's a need to have the /mnt/HD_a2/www available.

srk wrote:

I have tried setting the chroot directory in the lighttpd configuration file to /mnt/HD_a2/www, but the server fails to start.

I'm having the same problem. srk; Were you able to resolve this?


Oh, one more question! What command can be used to ID the groups and associated users?

Bob Blackwell
Pickering, ON

Last edited by rcblackwell (2008-09-14 02:51:32)

fonz wrote:

Code:

adduser -h /mnt/HD_a2/www -s /bin/false -H lighttpd

Not sure about the password. If you want to create the user without a password, add "-D" option after "-H". /bin/false should be as good as /sbin/nologin.

I used this command to create the user 'lighttpd'.  Added to group lighttpd.  I made the changes in lighttpd.conf (changed server.user, server.group, server.chroot), changed the group ownership of /mnt/HD_a2/www to lighttpd and changed the group permissions to rwx.  Did a store-passwd.sh, then reboot and lighttpd won't startup.  I can't get it running for any user other than root.  Any suggestions?

EDIT: checking the lighttpd error log I see

(mod_fastcgi.c.904) bind failed for: unix:/tmp/php-cgi.socket-0 Permission denied

EDIT2: changed the permissions on /tmp, all is well now

EDIT3:  so after I rebooted the permissions made to /tmp were reset.  i ended up making a directory under /mnt/HD_a2/tmp and pointed the line  "socket"    =>  for fastcgi in lighttpd.conf there.  Is this setup still secure?

Last edited by leech1980 (2008-09-14 09:01:11)

Greets all. Just a quick question...

How do you add a group? Sounds moronic, I know....

root@dlink-******:/mnt/HD_a2/www/pages# addgroup lighttpd     
Tinylogin v1.4 (2007.11.01-11:37+0000) multi-call binary

Usage: addgroup [OPTIONS] <group_name>

root@dlink-******:/mnt/HD_a2/www/pages#

I have firmware 1.05, funplug 0.5, telnet disabled and ssh enabled.

Thanks for any and all help. No man pages, no info pages, no --help and google isn't yielding too much...

Last edited by madpenguin (2008-12-27 21:05:34)

Thanks fonz. Atleast you didn't say RTFM afterwards... ;-)

root@dlink-******:~# man groupadd
Formatting page, please wait...
root@dlink-******:~# which addgroup
/bin/addgroup
root@dlink-******:~# ls -la /bin/addgroup 
lrwxrwxrwx    1 root     root            9 Apr 21  2008 /bin/addgroup -> tinylogin
root@dlink-******:~# man tinylogin
No manual entry for tinylogin
root@dlink-******:~# tinylogin --help
Tinylogin v1.4 (2007.11.01-11:37+0000) multi-call binary

Usage: tinylogin [function] [arguments]...
   or: [function] [arguments]...

        TinyLogin is a multi-call binary that combines several tiny Unix
        utilities for handling logins, user authentication, changing passwords,
        and otherwise maintaining users and groups on an embedded system.  Most
        people will create a link to TinyLogin for each function they wish to
        use, and TinyLogin will act like whatever it was invoked as.

Currently defined functions:
    addgroup, adduser, delgroup, deluser, getty, login, passwd, su,
    sulogin, tinylogin, vlock

That's a new one on me. Still would like to know the correct usage of "addgroup" tho and why it worked for the above posters..... Might as well use "useradd" while I'm at it.

Thanks for "tossing me a bone" at any rate. I'd also like to offer thanks for ffp. Makes the 323 all that much better. Much appreciated.

Last edited by madpenguin (2008-12-28 17:23:59)

alpha wrote:

Hi,

I think it will be problems to do a chroot jail, because you need PHP and it sits in /ffp/bin. I don't really know how to do this, but maybe someone of you knows ?

Maybe this page helps http://www.cyberciti.biz/tips/howto-set … -jail.html
I've not tried it and don't know if it will work on the nas.