Old 06-04-2017, 09:17 AM   #1
Turbocapitalist
moinmoin wiki with OpenBSD httpd(8)


What I'd like to do is add an instance of the moinmoin wiki in the least invasive way possible to a tiny system I have running OpenBSD snapshots. Looking at the boatload of dependencies, my guess is that there is no way to keep httpd(8) chrooted and still run the wiki. I'm happy with my current setup(s) running chrooted httpd(8) on OpenBSD's snapshots and would like to minimize changes.

I'd prefer not to have to redo everything else under nginx.

How feasible is it to try running moinmoin under httpd(8) if I turn off the chroot?
 
Old 06-04-2017, 11:13 AM   #2
jggimi
You can't "turn off" the chroot in httpd(8). I've never attempted to run it with the chroot set to /, but I suppose one could attempt it.

While I don't know anything about moinmoin, if it uses FastCGI for webserver communication you should still be able to run the webserver without altering the default chroot, either by having a socket linked within the chroot, or using a loopback interface.
 
Old 06-05-2017, 09:28 AM   #3
Turbocapitalist
Original Poster
Quote:
Originally Posted by jggimi
While I don't know anything about moinmoin, if it uses FastCGI for webserver communication you should still be able to run the webserver without altering the default chroot, either by having a socket linked within the chroot, or using a loopback interface.
FastCGI seems to be the way to go after reading a bit. It's not as well documented for moinmoin, though. I have some catch-up to do, so this may take a while. I'll post back either once I get stuck or make some progress.
 
Old 06-05-2017, 12:41 PM   #4
jggimi
Using FastCGI simplifies webserver deployment, because the webserver only manages presentation; the application can reside elsewhere. All of my web applications use it, but they're PHP rather than Python, so I may not be much help with provisioning requirements. Also, the majority use nginx due to a need for client certs.
 
Old 06-06-2017, 06:25 AM   #5
Turbocapitalist
Original Poster
Yes it looks like FastCGI simplifies things. httpd(8) uses a socket within the chroot for that. I am pursuing that approach but I'm new to using sockets. Does the FastCGI-using script then just run as a daemon watching the designated socket via an API?

Along the way, the examples I run across for moinmoin all use TCP instead of sockets. I don't see a way for the process and the web server to authenticate to each other. So, if I read things correctly, it looks like a compromised process could just search around for and take over all the internal FastCGI connections.
 
Old 06-06-2017, 06:45 AM   #6
jggimi
A Unix-domain TCP socket is nothing more than a local (in system) TCP connection that uses a filesystem as the administrative communication tool between processes. It usually has lower overhead than using a loopback address.

I understand that httpd(8) can also listen for TCP connections via the network stack with ":<port number>" as the socket path, such as:
Code:
fastcgi socket ":9991"
 
Old 06-06-2017, 07:10 AM   #7
jggimi
I'd seen that ":<port number>" configuration on the web, though it is not currently documented in the httpd.conf(5) man page. However, the port number is parsed and the socket(2) type switched from AF_UNIX to AF_INET in src/usr.sbin/httpd/server_fcgi.c.
 
Old 06-06-2017, 09:44 AM   #8
Turbocapitalist
Original Poster
Ok. I think I see now how FastCGI works. Or at least I see one way. If I have it set in httpd.conf(5)

Code:
server "default" {
        listen on $ext_addr port 80

        location "/cgi-bin/foo.pl" {
                fastcgi socket "/run/sockets/foo.sock"
        }

}
Then the script foo.pl doesn't actually have to exist in the cgi-bin directory. It does have to be running and listening on the socket created, however:

Code:
#!/usr/bin/perl -T

use strict;
use warnings;
use English qw( -no_match_vars );

use FCGI;

# Unprivileged account the responder drops to once the socket is bound.
my $privilege_separated_user = qq(www);
# Socket path as seen from outside httpd's chroot (/var/www);
# httpd.conf refers to the same node as /run/sockets/foo.sock.
my $sock = qq(/var/www/run/sockets/foo.sock);

my $counter = 0;

my ( undef, undef, $privilege_separated_uid, $privilege_separated_gid )
        = getpwnam( $privilege_separated_user )
        or die ( "$privilege_separated_user not in passwd file\n" );

# Create and bind the Unix-domain listening socket (listen backlog of 5).
my $socket  = FCGI::OpenSocket($sock, 5);

# Give the socket node to the www account so httpd can open it.
chown( $privilege_separated_uid, $privilege_separated_gid, $sock )
        or die("Could not chown '$sock' : $!\n");

my $request = FCGI::Request(\*STDIN, \*STDOUT, \*STDERR, \%ENV, $socket);

# Drop privileges: effective group (and supplementary groups) first,
# then effective user, so the group change is still permitted.
$EGID = "$privilege_separated_gid $privilege_separated_gid";
$EUID = $privilege_separated_uid;

# Serve forever; Accept() blocks until httpd forwards the next request.
while($request->Accept() >= 0) {
        print qq(Content-type: text/plain\n\n);
        print qq(Hello, world\n);
        $counter++;
        print qq(Counter = $counter\n);
        print qq(U=$EUID; G=$EGID\n);
}

exit ( 0 );
The above must be launched as root; it's a sloppy demo.

Regular POSIX permissions apply to the directory and socket. The web server process must be able to read and write the socket, obviously.

Code:
doas ./foo.pl
Also, it does not clean up and remove the socket after exiting.
 
Old 06-06-2017, 09:59 AM   #9
jggimi
If memory serves, the location provisions the use of the socket with matching URIs. So for my PHP applications, all I need is location "*.php" to direct these through the FastCGI socket. And for PHP, the php-fpm package also runs chrooted by default.

---

(Should you discover you need to "disable" the httpd chroot, /etc/examples/httpd.conf shows an example of the chroot set to "/". So my guess above should work if needed.)
 
Old 06-07-2017, 12:37 AM   #10
Turbocapitalist
Original Poster
Quote:
Originally Posted by jggimi
So for my PHP applications, all I need is location "*.php" to direct these through the FastCGI socket.
How are the PHP scripts launched in your case?

And if the scripts are all working via a single socket, how do they work out which one the data is for?
 
Old 06-07-2017, 06:58 AM   #11
jggimi
The PHP scripts are launched through php-fpm, the FastCGI Process Manager ("fpm") for PHP.

[Browser with a .php URI] -> [webserver] -> [php-fpm] -> [PHP application]
 
Old 07-15-2017, 05:47 AM   #12
Turbocapitalist
Original Poster
Ok, after figuring this out (kind of), having time to forget, and then re-figuring it out, I'm going to call it done. Moinmoin is rather undocumented if one actually examines what's out there. One has to read a lot of python code to make any headway. But as far as the OpenBSD-specific parts, I think the following three items do it:

From /etc/httpd.conf, it is necessary to specify which socket FastCGI should use for that wiki:

Code:
        location match "/wiki*" {
                ...
                fastcgi socket "/run/sockets/moinmoin.sock"
                ...
        }
That socket is obviously inside httpd's chroot.

Then in the dozens of changes to the wiki source code, one has to specify the same socket to use in moin.fcgi:

Code:
...
# WSGIServer(application).run()
WSGIServer(application,bindAddress="/var/www/run/sockets/moinmoin.sock").run()
...
Of course it has to be in a directory where the account Moinmoin is using can write. Then once that socket is created, it has to be readable and writable by the HTTP daemon. That can be done after the fact by chgrp and chmod:

Code:
chgrp www  /var/www/run/sockets/moinmoin.sock ;
chmod g+rw /var/www/run/sockets/moinmoin.sock ;
But it would be better for me to find a way to do it from within the python script at the moment of creation.

Last edited by Turbocapitalist; 07-15-2017 at 05:50 AM. Reason: typo
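The last post leaves the socket permissions to an after-the-fact chgrp/chmod. The following is an added example, not code from the thread or from moinmoin, that does the same at creation time with the standard library: narrow the umask before bind(2) so the socket node never exists more permissive than 0660, then set its group (the "www" group httpd runs as; the self-check below substitutes the caller's own group, and the fd 0 handoff to flup's WSGIServer in the comment is an assumption, not tested here). Restricting the node to one group is also what answers the concern in post #5: unlike a loopback TCP port, only processes that can open the socket file can talk to the responder.

```python
import os
import socket
import stat
import tempfile


def create_fcgi_socket(path, gid, mode=0o660):
    """Bind a FastCGI listening socket at path with group gid and permission mode.

    The umask is narrowed before bind(2) so the socket never exists with wider
    permissions than mode, then the group is switched (the chgrp www step from
    the thread) so httpd, running as www, can connect.  Returns the socket.
    """
    if os.path.exists(path):
        os.unlink(path)                      # stale socket from a previous run
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o777 & ~mode)      # 0o117 for mode 0o660
    try:
        sock.bind(path)                      # node is created as mode & ~umask
    finally:
        os.umask(old_umask)
    os.chown(path, -1, gid)                  # keep owner, set group
    os.chmod(path, mode)                     # exact mode regardless of umask
    sock.listen(5)
    return sock


def socket_permissions(path):
    """Return (is_socket, permission_bits, gid) of the node at path."""
    st = os.stat(path)
    return stat.S_ISSOCK(st.st_mode), stat.S_IMODE(st.st_mode), st.st_gid


def demo_in_tempdir():
    """Constructed self-check: bind in a scratch directory using the caller's own
    group (standing in for www) and report (is_socket, mode, group_ok)."""
    gid = os.getgid()
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "moinmoin.sock")
    sock = create_fcgi_socket(path, gid)
    try:
        is_sock, mode, got_gid = socket_permissions(path)
        return is_sock, mode, got_gid == gid
    finally:
        sock.close()
        os.unlink(path)                      # clean up, unlike the Perl demo
        os.rmdir(workdir)


if __name__ == "__main__":
    # Deployment (assumption): call create_fcgi_socket() in moin.fcgi, dup2 the
    # socket onto fd 0, then run flup's WSGIServer(application) with no
    # bindAddress so it serves the inherited FastCGI listening socket.
    print(demo_in_tempdir())                 # (True, 432, True), 432 == 0o660
```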