OPNsense Forum » English Forums » Development and Code Review (Moderator: fabian) » Attack Surface Reduction - lighttpd as non-root
Topic: Attack Surface Reduction - lighttpd as non-root (Read 504 times)
sol4r (Newbie, Posts: 2, Karma: 0)
Attack Surface Reduction - lighttpd as non-root
« on: November 15, 2024, 12:13:10 am »
Hi
Due to all the vulnerabilities in $commercial_vendor_appliance lately, I am thinking a lot about how we could reduce the attack surface in OPNsense.
One thing that bothers me is the web interface. How can we reduce the harm if someone could exploit a vulnerability in it?
lighttpd runs as root currently, so an attacker can do pretty much everything:
- write/modify files (backdooring PHP files, for example)
- start new processes
- create network connections
I believe the harm would be greatly reduced if we changed the lighttpd user to a different user that has very limited write permissions (not in the webroot, for example).
According to the documentation that should be doable:
https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_usernameDetails
Before I dig too deep into it:
- Did someone already do/try that?
- Is there a reason why lighttpd needs to run as root?
- Yes, it's not only about lighttpd but also php-cgi, but let's just start with lighttpd.
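As an added example (not code from the thread or from OPNsense), the two conditions this post calls out can be checked mechanically: whether the web server process is running as root, and whether the service account it should run as can write anywhere under the web root. The `ps` output is a constructed sample, the web root is a temporary directory built here, and the service account uid/gid 80 ("www") is an assumption for the illustration; the permission check evaluates the POSIX owner/group/other bits the way the kernel does, so it works for an account you are not currently running as.

```python
"""Audit: is lighttpd running as root, and is the web root writable by the
service account? Added example, not part of the forum thread or OPNsense."""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str
    message: str


# Constructed sample of `ps -axo user,pid,command` output.
SAMPLE_PS = """\
USER  PID COMMAND
root    1 /sbin/init
root  812 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
www   813 /usr/local/bin/php-cgi
"""


def server_users(ps_output: str, name: str = "lighttpd") -> set:
    """Accounts owning processes whose executable basename is `name`."""
    users = set()
    for line in ps_output.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, _pid, command = parts
        if os.path.basename(command.split()[0]) == name:
            users.add(user)
    return users


def can_write(st: os.stat_result, uid: int, gids: set) -> bool:
    """POSIX write check for a subject with `uid`/`gids` (root always may).
    Owner bits apply if the subject owns the file, else group bits if it is in
    the file's group, else the other bits; this is the kernel's order."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_paths(webroot: str, uid: int, gids: set) -> list:
    """Every directory or file under `webroot` the subject could modify.
    A writable directory is enough to drop a new .php file into it."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if can_write(os.lstat(entry), uid, gids):
                hits.append(entry)
    return sorted(hits)


def audit(ps_output: str, webroot: str, uid: int, gids: set) -> list:
    """Combine both checks into a list of findings, worst first."""
    findings = []
    users = server_users(ps_output)
    if "root" in users:
        findings.append(Finding("high", "lighttpd is running as root"))
    elif not users:
        findings.append(Finding("info", "no lighttpd process found"))
    for path in writable_paths(webroot, uid, gids):
        findings.append(Finding("medium", f"service account can write {path}"))
    return findings


def build_sample_webroot() -> str:
    """Constructed web root: index.php at 0644 in a 0755 directory, plus an
    'uploads' directory mistakenly left world-writable (the misconfiguration)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o755)
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'ok';\n")
    os.chmod(index, 0o644)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)        # chmod after mkdir so the umask cannot mask it
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    # Assumed service account: uid/gid 80 ("www"); adjust for your system.
    for finding in audit(SAMPLE_PS, root, 80, {80}):
        print(f"[{finding.severity}] {finding.message}")
```

On a real box the `ps` text and the web root path come from the system instead of the constructed sample, and the uid/gid set should be the service account's full supplementary group list, since a single group-writable directory is enough to defeat the "no writes in the webroot" goal.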
meyergru (Hero Member, Posts: 1755, Karma: 171, IT Aficionado)
Re: Attack Surface Reduction - lighttpd as non-root
« Reply #1 on: November 15, 2024, 12:28:04 am »
That would not help much, because most of the operations that the web UI does need higher privileges.
So, in order to do that, you would need to identify all the spots where this is necessary and allow the lighttpd user to sudo the commands (which is tedious work), and even then, there is a bunch of operations that could be exploited just because they actually will be executed as root.
The logical approach is to only allow access to your web UI from trusted sources, i.e. interfaces, networks or specific IPs. If you want to access the web UI from outside, use a VPN.
« Last Edit: November 15, 2024, 12:29:47 am by meyergru »
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005, 1100 down / 440 up, Bufferbloat A+
sol4r (Newbie, Posts: 2, Karma: 0)
Re: Attack Surface Reduction - lighttpd as non-root
« Reply #2 on: November 15, 2024, 08:04:46 am »
Agreed. That's a ton of work.
Reality is that, according to Shodan/Censys, around 30k systems worldwide have their web interface exposed.
While some people deserve getting hacked, I think that reducing the attack surface is a desirable goal for a 'network security solution' like OPNsense. :-)
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1659, Karma: 178)
Re: Attack Surface Reduction - lighttpd as non-root
« Reply #3 on: November 15, 2024, 08:10:26 am »
This is also an issue on FreeBSD:
https://github.com/opnsense/core/issues/7419
Hardware: DEC740
franco (Administrator, Hero Member, Posts: 17706, Karma: 1618)
Re: Attack Surface Reduction - lighttpd as non-root
« Reply #4 on: November 15, 2024, 08:25:39 am »
It's a long term goal since the start. The new MVC code should be capable of dropping privileges, but the old static PHP code is not. Every static page needs to be removed first. I think after a decade we are about 70% complete...
Cheers,
Franco
gstrauss (Newbie, Posts: 21, Karma: 4)
Re: Attack Surface Reduction - lighttpd as non-root
« Reply #5 on: December 01, 2024, 11:53:32 am »
Yes, lighttpd can run as non-root.
For binding to privileged ports, lighttpd can be run from inetd/xinetd, or lighttpd can accept systemd socket activation (or something else privileged setting the simple environment variables and providing the listening ports on already-open file descriptors when starting lighttpd). Another option is a small daemon I wrote over a decade ago:
https://github.com/gstrauss/bsock
which can run on just about any Unix-like system which supports passing file descriptors over Unix domain sockets.
PHP scripts are potentially more vulnerable than lighttpd, and the PHP would still need to be able to run privileged commands. As an interim step, you could have lighttpd start up the PHP fastcgi server as root via a setuid script, but it would be better to have the PHP run as non-root, too, and be permitted to run specific commands with privileges by another set of scripts which checks the arguments before running the commands as root.
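The last sentence of the reply describes a privilege-separation pattern: the unprivileged web tier may only ask for a fixed set of actions, and a separate privileged component validates every argument before anything runs as root. The following is an added example of that broker (not code from the thread, lighttpd or OPNsense). The action names, the program paths, the `/tmp/rules.debug` path and the interface-name and service-name rules are assumptions made for the illustration; `build_command` only resolves a request to the exact argv the root side would execute, and the test never executes anything.

```python
"""Privileged command broker: allowlisted actions, validated arguments, fixed
argv, no shell. Added example, not part of the forum thread or OPNsense."""
import re
import subprocess
from typing import Callable


class Rejected(ValueError):
    """Any request the broker refuses. The caller gets the reason, nothing runs."""


# Assumed argument rules: a BSD-style interface name such as igc0 or vtnet1,
# and a service name made of lowercase letters and underscores.
IFNAME = re.compile(r"[a-z]+[0-9]{1,3}")
SERVICE = re.compile(r"[a-z_]{1,32}")


def _ifname(value: str) -> str:
    if not IFNAME.fullmatch(value):
        raise Rejected(f"bad interface name: {value!r}")
    return value


def _service(value: str) -> str:
    if not SERVICE.fullmatch(value):
        raise Rejected(f"bad service name: {value!r}")
    return value


# action -> (fixed argv template, one validator per caller-supplied argument).
# The web side never chooses the program or the flags, only the slots marked
# {n}, and only values the matching validator accepts. Paths are assumed.
ALLOWED: dict = {
    "interface.reload": (["/sbin/ifconfig", "{0}", "up"], [_ifname]),
    "service.restart": (["/usr/sbin/service", "{0}", "restart"], [_service]),
    "firewall.reload": (["/sbin/pfctl", "-f", "/tmp/rules.debug"], []),
}


def build_command(request: str) -> list:
    """Turn 'action arg1 arg2 ...' into the exact argv to execute.

    Refuses unknown actions, wrong argument counts and any argument its
    validator does not accept, so shell metacharacters, path traversal or
    extra flags never reach the privileged side.
    """
    parts = request.split()
    if not parts:
        raise Rejected("empty request")
    action, args = parts[0], parts[1:]
    if action not in ALLOWED:
        raise Rejected(f"unknown action: {action!r}")
    template, validators = ALLOWED[action]
    if len(args) != len(validators):
        raise Rejected(f"{action} takes {len(validators)} argument(s), got {len(args)}")
    clean = [check(arg) for check, arg in zip(validators, args)]
    return [part.format(*clean) for part in template]


def run_privileged(request: str) -> subprocess.CompletedProcess:
    """The root side: resolve the request and execute it as an argv list.
    shell=False means the arguments are passed verbatim to the program and
    are never re-parsed by a shell."""
    return subprocess.run(build_command(request), shell=False, check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    for req in ["interface.reload igc0", "firewall.reload",
                "interface.reload igc0;id", "service.restart ../etc", "shell id"]:
        try:
            print(f"{req!r:40} -> {build_command(req)}")
        except Rejected as exc:
            print(f"{req!r:40} -> REJECTED: {exc}")
```

The transport between the two sides (a Unix socket whose peer credentials are checked, or a setuid wrapper as the reply suggests for the interim) is a separate concern; whatever it is, the privileged side should accept only the short action string, never a ready-made command line, so that the allowlist and the per-argument validators remain the only path to root.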
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1659, Karma: 178)
Re: Attack Surface Reduction - lighttpd as non-root
« Reply #6 on: December 01, 2024, 12:17:36 pm »
Using this would leverage existing subsystems of FreeBSD that allow binding to privileged ports with unprivileged users:
https://github.com/Freaky/portacl-rc
But I'm sure there is a different reason for it running as root.
Hardware: DEC740