How does pfsense's web interface run root scripts
-
Hi. I am starting work on a project where I'd want to change the IP address of a network card using a django web interface. At first I thought that was something simple to do: I'd call a script with setuid root. Unfortunately I learned that this is a security risk and most unix kernels wont allow execution of interpreted language scripts as root by using setuid 4 (and allow the program to be executed by normal users as root).
So how does pfsense does it?
For instance, this script in the pfsense source code seems to need super user permissions: https://github.com/bsdperimeter/pfsense/blob/master/sbin/dhclient-script
Any clues? Thanks.
-
Our scripts all run under the root user. Not really ideal for some things, but ultimately unavoidable for the things we need to do.
-
Interesting. But the webinterface which is PHP itself doesn't run as root or does it? How do you run a root script after a user submits a form?
I am trying to look at the source code but I am not finding the relevant parts. Perhaps you can point me in the right direction.
-
The web server runs as root, and so do all the pages (PHP, etc).
-
Ok I see. I thought that would too vulnerable in case there was some vulnerability in the webinterface itself, allowing for privilege escalation. Do you guys use chroot or freebsd's JAILS as a security measure instead?
-
No, it's just the nature of how it has to be in order for it to properly function and do what needs to be done. In part it's that way because we inherited that from m0n0wall, but there's really not a viable way to separate those function and maintain all of required abilities.
-
Interesting. But the webinterface which is PHP itself doesn't run as root or does it? How do you run a root script after a user submits a form?
Apart from dnsmasq and dhclient, most processes on pfSense run as roon, including lighthttpd, php, openvpn etc.
As far as I can tell, to minimize exposure to potential security vulnerabilities in the webGUI, one would have to disallow access to the webGUI from all interfaces except a specific "secure" interface.
-
What about using sudo?
People on the python channel are saying I should not consider running the webserver and django as root. They were surprised to learn pfsense does that.
-
Ideally, no you don't want to do that. But by the nature of what we do, there is no effective security difference. The front end must have rights to change the config file at a minimum, and anything that has the rights to do that can execute things as root. You could use sudo if you want, but it's basically pointless, if the user running the web server can run sudo it's effectively no different than running it as root. We're considering options going forward to completely separate the front end and back end, which would eliminate that root requirement. But in 10+ years m0n0wall has existed and the 8+ years we've existed, there have been exactly 0 security vulnerabilities caused or worsened by that fact.
-
@cmb:
You could use sudo if you want, but it's basically pointless, if the user running the web server can run sudo it's effectively no different than running it as root.
Well I am no unix guru, but it seems to me that adding sudo access to a restricted subset of commands would be very different than allowing unrestricted access to all root commands.
I mean, you could have /etc/sudoers entry allowing the www user access to scripts that edit the /etc/interfaces, etc:
i.e. www ALL=(root) NOPASSWD: /path/to/alter_interfaces.shOr something like that. I am not very fluent in sudo yet.
-
You can do that, but we run so many things from the web server that it would be functionally no different to allow everything.