DSM-G600, DNS-323 and TS-I300 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.


#1 2007-07-25 15:11:12

srk
New member
Registered: 2007-05-13
Posts: 4

Request for secure setup info for lighttpd

Hello,

Currently running Fonz's excellent fun_plug v0.3.

lighttpd can be run both in a chroot jail and as a non-root user. Could someone supply me with a step-by-step procedure for, for example, setting lighttpd to run as a user 'lighttpd', chrooted to /mnt/HD_a2/www?

Presumably this is not the most secure configuration if the lighttpd log files are going in /mnt/HD_a2/www/logs - can anyone suggest a viable alternative?

Assuming telnet access is available, the procedure should be something like:

1. Create 'lighttpd' group and user
2. Set chroot directory and server group and user in lighttpd.conf
3. Start (or restart) lighttpd server

I'm stuck on step 1. I have created the 'lighttpd' group using 'addgroup lighttpd', but am a little confused about how to create the 'lighttpd' user, specifically how to set the shell. According to other lighttpd tutorials I have read on the web, the shell should be /sbin/nologin (since the lighttpd user only exists to run the server and shouldn't have login privileges).

Can anyone give me an example of an 'adduser' command (or equivalent) to create a 'lighttpd' user with a secure configuration?

Perhaps this procedure could be added to the lighttpd info page on the www.dns323.info site?

Many thanks in advance!

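Added example, not code from the thread or from fun_plug: a small Python audit of a lighttpd.conf for the points this post raises (server running as root, logs inside the web tree, document-root vs. chroot) plus the FastCGI socket location that comes up later in the thread. The option names are lighttpd's own (server.username, server.groupname, server.chroot, server.document-root, server.errorlog, accesslog.filename); the sample paths and the treatment of log paths as host paths are assumptions.

```python
import os
import re
# Constructed samples (not from the thread). WEAK: no user/group, logs in the docroot, socket in /tmp.
WEAK_CONF = '''
server.document-root = "/mnt/HD_a2/www"
server.errorlog      = "/mnt/HD_a2/www/logs/error.log"
accesslog.filename   = "/mnt/HD_a2/www/logs/access.log"
fastcgi.server = ( ".php" => (( "socket" => "/tmp/php-cgi.socket" )) )
'''
# HARDENED: unprivileged user, chroot, docroot relative to the chroot, logs/socket outside the web tree (assumed paths).
HARDENED_CONF = '''
server.username      = "lighttpd"
server.groupname     = "lighttpd"
server.chroot        = "/mnt/HD_a2/www"
server.document-root = "/htdocs"
server.errorlog      = "/mnt/HD_a2/www/logs/error.log"
accesslog.filename   = "/mnt/HD_a2/www/logs/access.log"
fastcgi.server = ( ".php" => (( "socket" => "/mnt/HD_a2/tmp/php-cgi.socket" )) )
'''
OPT_RE = re.compile(r'^\s*([\w.\-]+)\s*=\s*"([^"]*)"\s*$')  # flat key = "value" lines
SOCKET_RE = re.compile(r'"socket"\s*=>\s*"([^"]+)"')         # FastCGI socket paths

def parse_conf(text):
    opts, sockets = {}, []
    for line in text.splitlines():
        if m := OPT_RE.match(line):
            opts[m.group(1)] = m.group(2)
        sockets += SOCKET_RE.findall(line)  # nested blocks are otherwise ignored
    return opts, sockets

def under(path, parent):  # path is parent itself or lies beneath it (prefix-safe)
    path, parent = os.path.normpath(path), os.path.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def audit(text):  # returns a list of findings; an empty list means every check passed
    opts, sockets = parse_conf(text)
    findings = []
    if "root" in (opts.get("server.username", "root"), opts.get("server.groupname", "root")):
        findings.append("runs as root: set server.username and server.groupname")
    chroot, docroot = opts.get("server.chroot"), opts.get("server.document-root", "")
    if chroot and under(docroot, chroot):  # a common reason lighttpd fails to start after enabling chroot
        findings.append("server.document-root must be given relative to server.chroot")
    real_root = os.path.join(chroot, docroot.lstrip("/")) if chroot else docroot  # host docroot
    for opt in ("server.errorlog", "accesslog.filename"):  # log paths taken as host paths (assumption)
        if opts.get(opt) and under(opts[opt], real_root):
            findings.append(opt + " is inside the web tree: keep logs out of the document root")
    for sock in sockets:
        if under(sock, "/tmp"):
            findings.append("FastCGI socket " + sock + " is in /tmp, whose permissions reset at reboot")
    return findings
```

Run audit() over the real lighttpd.conf after each change to the user, chroot and log settings; the relative-docroot check catches the configuration that keeps the absolute path after server.chroot is set.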

#2 2007-07-25 15:25:47

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1159

Re: Request for secure setup info for lighttpd

Code:

adduser -h /mnt/HD_a2/www -s /bin/false -H lighttpd

Not sure about the password. If you want to create the user without a password, add "-D" option after "-H". /bin/false should be as good as /sbin/nologin.


#3 2007-07-25 19:23:10

srk
New member
Registered: 2007-05-13
Posts: 4

Re: Request for secure setup info for lighttpd

Thanks Fonz!

I used the command you suggested (with an extra -G lighttpd to add the user to the already existing lighttpd group), changed the permissions on /mnt/HD_a2/www, deleted the old access and error logs, changed the server.user and server.group in the lighttpd.conf to 'lighttpd', and restarted. And it works!

My goal in all of this was to make the server as secure as possible for a publicly accessible (via a NAT router) web site.

So now the server runs as a user without root privileges. The only other thing I can think of doing is to run the server in a chroot jail. I have tried setting the chroot directory in the lighttpd configuration file to /mnt/HD_a2/www, but the server fails to start.

Any other suggestions for hardening the server?

Many thanks!


#4 2007-07-25 20:16:58

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1159

Re: Request for secure setup info for lighttpd

srk wrote:

Any other suggestions for hardening the server?

Maybe an upgrade to 1.4.16, which came out yesterday and fixes a number of security issues.


#5 2008-06-30 23:38:55

rcblackwell
Member
From: Pickering, ON
Registered: 2008-05-19
Posts: 124

Re: Request for secure setup info for lighttpd

srk wrote:

I used the command you suggested (with an extra -G lighttpd to add the user to the already existing lighttpd group), changed the permissions on /mnt/HD_a2/www, deleted the old access and error logs, changed the server.user and server.group in the lighttpd.conf to 'lighttpd', and restarted. And it works!

srk: Following your lead I've done the same, except my user is set to access /mnt/USB/www.

Does anyone have any idea how the user ID (lighttpd) can be associated with more than one access point? I'm running lighttpd and ffp from a USB key. If ffp fails to load from the USB key then operation resorts back to the local disk. Given /mnt/USB/www will not be available, there's a need to have /mnt/HD_a2/www available.


srk wrote:

I have tried setting the chroot directory in the lighttpd configuration file to /mnt/HD_a2/www, but the server fails to start.

I'm having the same problem. srk: Were you able to resolve this?


Oh, one more question! What command can be used to ID the groups and associated users?

Bob Blackwell
Pickering, ON

Last edited by rcblackwell (2008-09-14 02:51:32)



#6 2008-07-01 19:27:19

kikkeraap
Member
Registered: 2008-03-19
Posts: 17

Re: Request for secure setup info for lighttpd

fonz wrote:

Code:

adduser -h /mnt/HD_a2/www -s /bin/false -H lighttpd

Not sure about the password. If you want to create the user without a password, add "-D" option after "-H". /bin/false should be as good as /sbin/nologin.

This did the trick, but now I'm facing problems with PHP, as it won't run.


#7 2008-09-14 01:19:05

leech1980
Member
Registered: 2008-09-12
Posts: 11

Re: Request for secure setup info for lighttpd

fonz wrote:

Code:

adduser -h /mnt/HD_a2/www -s /bin/false -H lighttpd

Not sure about the password. If you want to create the user without a password, add "-D" option after "-H". /bin/false should be as good as /sbin/nologin.

I used this command to create the user 'lighttpd'. Added it to group lighttpd. I made the changes in lighttpd.conf (changed server.user, server.group, server.chroot), changed the group ownership of /mnt/HD_a2/www to lighttpd and changed the group permissions to rwx. Did a store-passwd.sh, then rebooted, and lighttpd won't start up. I can't get it running for any user other than root. Any suggestions?

EDIT: checking the lighttpd error log I see

(mod_fastcgi.c.904) bind failed for: unix:/tmp/php-cgi.socket-0 Permission denied

EDIT2: changed the permissions on /tmp, all is well now

EDIT3: So after I rebooted, the permissions made to /tmp were reset. I ended up making a directory under /mnt/HD_a2/tmp and pointed the "socket" => line for fastcgi in lighttpd.conf there. Is this setup still secure?

Last edited by leech1980 (2008-09-14 09:01:11)
