Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
Attack Surface Reduction - lighttpd as non-root
« previous
next »
Print
Pages: [
1
]
Author
Topic: Attack Surface Reduction - lighttpd as non-root (Read 281 times)
sol4r
Newbie
Posts: 2
Karma: 0
Attack Surface Reduction - lighttpd as non-root
«
on:
November 15, 2024, 12:13:10 am »
Hi
Due to all the vulnerabilities in $commercial_vendor_appliance lately I am thinking a lot about how we could reduce the attack surface in OpnSense.
One thing that bothers me is the Web Interface.. How can we reduce the harm if someone could exploit a vulnerability in it?
lightttpd runs as root currently so an attacker can do pretty much everything.
- write/modify files (backdooring php files for example)
- start new processes
- create network connections
I believe the harm would be greatly reduced if we would change lighttpd user to a different user that has very limited write permissions (not in webroot for example)
According to the documentation that should be doable:
https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_usernameDetails
Before I dig too deep into it:
- Did someone already do/try that?
- Is there a reason why lighttpd needs to run as root?
- yes it's not only about lighttpd but also php-cgi .. but let's just start with lighttpd
Logged
meyergru
Hero Member
Posts: 1678
Karma: 165
IT Aficionado
Re: Attack Surface Reduction - lighttpd as non-root
«
Reply #1 on:
November 15, 2024, 12:28:04 am »
That would not help much, because most of the operations that the web UI does, need higher privileges.
So, in order to do that, you would need to identify all the spots where this is neccessary and allow the lighhttp user to sudo the commands (which is tedious work) and even then, there is a bunch of operations that could be exploited just because they actually will be executed as root.
The logical approach is to only allow access to your web UI from trusted sources - i.e. interfaces, networks or specific IPs. If you want to access the web UI from outside, use a VPN.
«
Last Edit: November 15, 2024, 12:29:47 am by meyergru
»
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
sol4r
Newbie
Posts: 2
Karma: 0
Re: Attack Surface Reduction - lighttpd as non-root
«
Reply #2 on:
November 15, 2024, 08:04:46 am »
Agreed. Thats a ton of work.
Reality is that according to shodan/censys around 30k systems worldwide have their webinterface exposed.
While some people deserve getting hacked I think that reducing the attack surface is a desirable goal for a 'network security solution' like opnsense. :-)
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1589
Karma: 176
Re: Attack Surface Reduction - lighttpd as non-root
«
Reply #3 on:
November 15, 2024, 08:10:26 am »
This is also an issue on FreeBSD
https://github.com/opnsense/core/issues/7419
Logged
Hardware:
DEC740
franco
Administrator
Hero Member
Posts: 17653
Karma: 1610
Re: Attack Surface Reduction - lighttpd as non-root
«
Reply #4 on:
November 15, 2024, 08:25:39 am »
It's a long term goal since the start. The new MVC code should be capable of dropping privileges, but the old static PHP code is not. Every static page needs to be removed first. I think after a decade we are about 70% complete...
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
Attack Surface Reduction - lighttpd as non-root