Run cgi as root

Marius Dinu
19 September 2015, 22:52
Hi.
I have another problem running Hiawatha on my router:
I don't know how to write a configuration for the router's administrator pages and scripts. These scripts need to run as root and there is no other way to do it. They need access to everything, including backup/restore of the entire filesystem.
As I understand, hiawatha runs as "nobody" and cgi-wrapper does not permit running cgi as root. So, how do I run the router's admin pages?
Thank you.
Marius Dinu
19 September 2015, 22:58
... and hiawatha can't be run as root either.
Marius Dinu
19 September 2015, 23:44
I made it work by enabling "set user id on execution" on /usr/bin/lua and /usr/bin/luci-bwc
I hope this doesn't compromise security too much... I see no other way to do it.
Hugo Leisink
21 September 2015, 19:33
CGI scripts that need to run as root... I think you seriously need to think about whether you want/trust this. At least use extra measures to secure the webinterface, such as restrict access based on the IP address (AccessList) or use extra authentication (PasswordFile).
Marius Dinu
22 September 2015, 11:26
Well... the problem is that any user who successfully uploads a file into an "execute cgi" directory on the server will gain root access on my router. Didn't like that because I will also have a website on this router, with uploads.

So I wrote a simple cgi wrapper myself, one that does a sudo command without password to run the router's configuration interface. Only the configuration interface script is allowed in sudoers file. Also, access to wrapper script and configuration interface is on a different binding, LAN only, encrypted and password protected.
I hope this configuration is at least as secure as the original uhttpd.

Any chance to allow your wrapper to run as root?
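The layout described in the two posts above (a public site with no CGI, and the admin interface on a separate LAN-only, TLS-protected binding with an access list and HTTP authentication, as Hugo suggested) can be expressed as a Hiawatha configuration. This is an added example, not configuration from the thread or from the Hiawatha project; directive names follow the Hiawatha manual (Binding/BindingID, Interface, TLScertFile, VirtualHost, RequiredBinding, AccessList, PasswordFile, Directory/DirectoryID/UseDirectory, ExecuteCGI) but some of them differ between versions (older releases used SSLcertFile, and Directory sections were matched by Path alone), and all addresses, hostnames and file paths are constructed placeholders.

```text
# hiawatha.conf fragment (added example; directive names per the Hiawatha manual,
# version-dependent; addresses and paths are constructed placeholders)

# Public site: reachable on every interface, and CGI execution is switched off
# for it, so a file uploaded into the website root is never executed.
Binding {
    Port = 80
    Interface = 0.0.0.0
    BindingID = public
}

# Admin interface: bound to the LAN address only and served over TLS. A separate
# BindingID lets the admin virtual host refuse requests that arrive on the
# public binding.
Binding {
    Port = 443
    Interface = 192.168.1.1
    BindingID = admin
    TLScertFile = /etc/hiawatha/admin.pem
}

VirtualHost {
    Hostname = www.example.org
    WebsiteRoot = /srv/www
    RequiredBinding = public
    ExecuteCGI = no
}

VirtualHost {
    Hostname = router.lan
    WebsiteRoot = /srv/admin
    RequiredBinding = admin
    # LAN clients only, and only after HTTP authentication
    AccessList = allow 192.168.1.0/24, deny all
    PasswordFile = basic:/etc/hiawatha/admin.passwd
    # CGI stays off for the whole host except the one directory below
    ExecuteCGI = no
    UseDirectory = admincgi
}

# The only directory where CGI runs; it should contain nothing but the single
# wrapper that invokes the configuration interface.
Directory {
    DirectoryID = admincgi
    Path = /cgi-bin
    ExecuteCGI = yes
}
```

With this layout the wrapper Marius describes is the only executable reachable from the web, and the matching sudoers entry should name exactly one fixed command (for example `nobody ALL=(root) NOPASSWD: /path/to/config-interface`, a constructed placeholder) rather than a directory or a wildcard, so that an uploaded file in any other location, or an extra file dropped into /cgi-bin, cannot use the same privilege path. Check the result with `hiawatha -k`, which validates the configuration before it is loaded.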
Hugo Leisink
22 September 2015, 11:35
For that, edit src/cgi-wrapper.c, comment line 84 and change line 216 to
if (parse_userid(item, &(wrap_data->uid)) == -1) {

This is at your own risk!
Marius Dinu
22 September 2015, 12:43
Thank you, thank you, thank you!
Marius Dinu
23 September 2015, 09:05
No, doesn't work. There is a group id check too.
Hugo Leisink
23 September 2015, 12:45
Ok, well, I didn't have the time to test it. Hopefully these changes to src/cgi-wrapper.c solve the issue:

Line 224:
if (parse_groups(rest, &(wrap_data->gid), &(wrap_data->groups)) == -1) {

Line 229:
if (lookup_group_ids(wrap_data->uid, &(wrap_data->gid), &(wrap_data->groups)) == -1) {
Marius Dinu
23 September 2015, 19:57
setuid(0) error

It appears to be very hard to make it less secure.
Let it be secure. I can keep my own simple wrapper. It's good enough for a router and a personal web page.
Thanks.
This topic has been closed.