[squeak-dev] smalltalk and Web stuff


Re: [squeak-dev] smalltalk and Web stuff

Janko Mivšek
Hi Richie,

I tried your code and it works nicely, thanks a lot! All I need now is
to prepare an automatic procedure for Swazoo to start its HTTP servers
on ports below 1024 and then immediately drop the root privilege.

The only unsolved question remaining is how to add a server on a new IP or port
without restarting the whole image as root. I need to temporarily log the
image in as root and then log out. Can I do that through libc too?

Janko


Janko Mivšek wrote:

> Gerardo Richarte wrote:
>
>>     Another, probably more integrated idea, would be to drop privs from
>> squeak after binding to port 80... and probably chrooting to another
>> place. How? Here I've attached a quick (5 minutes) interface to libc
>> that'll let you do it. I tested it on Linux, and had to play tricks with
>> libc.so so squeak finds it (I symlinked libc.so.6 (actually libc-2.7.so)
>> to /usr/lib/squeak/3.9-8/libc.so [sudo ln -s /lib/libc-2.7.so
>> /usr/lib/squeak/3.9-8/libc.so]).
>>
>>     Then, after importing the attached class, you can start playing with
>> things like:
>>
>> libc := Libc new.
>> libc chroot: '/tmp'. " disable changes file logging before doing it "
>> " drop the group ids first: once the uid is unprivileged they can no longer be changed "
>> libc setrgid: 1000 egid: 1000 sgid: 1000.
>> libc setruid: 1000 euid: 1000 suid: 1000.
>>
>> with that, you are clear on this front. Again, I don't think this is the
>> solution,
>> the 'evaluate:' example Klaus sent earlier is for me the most clear
>> danger,
>> more than binary bugs in external libraries (although those are also
>> problems)
>
> This is a solution I just contemplated during the past hours and it is used
> by Apache as well, AFAIK. A very elegant one, and from your code it seems
> simple enough. Let me try it myself ..
>
> Janko
>
>

--
Janko Mivšek
AIDA/Web
Smalltalk Web Application Server
http://www.aidaweb.si

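The bind-then-drop sequence Richie's Libc snippet performs from inside the image, written here as an added C example for a launcher or helper process (not Swazoo's or Richie's code; the target uid/gid 65534 and the port are assumptions):

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a listening TCP socket on 0.0.0.0:port. Ports below 1024 need
 * root (or CAP_NET_BIND_SERVICE), which is why this runs before the
 * drop. Returns the fd, or -1 with errno set. */
int open_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop root permanently. Order matters: supplementary groups and the
 * gid go first, because once the uid is unprivileged they can no longer
 * be changed. setres*id sets real, effective AND saved ids, so no saved
 * root id is left to switch back to. Returns 0 on success, -1 on error. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }   /* refuse a no-op "drop" */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* only root may call this */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Prove the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(void) {
    int fd = open_listener(80);                        /* still root here */
    if (fd < 0) { perror("bind :80"); return 1; }
    if (drop_privileges(65534, 65534) != 0) { perror("drop"); return 1; }
    printf("listening on :80 as uid %d\n", (int)getuid());
    close(fd);                                         /* accept loop would go here */
    return 0;
}
```

chroot, if wanted, belongs between the bind and the id drop, since it also needs root; the check that `setuid(0)` fails afterwards is what answers Janko's question about logging back in as root.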

Re: [squeak-dev] smalltalk and Web stuff

Gerardo Richarte
In reply to this post by Igor Stasenko
Igor Stasenko wrote:
> Aren't there simple utils in unixes, which can simply redirect one port
> to another?
>  
    Yes, that's an option that I thought of too, in fact, iptables will
do the trick on Linux. However, you have to be careful here,
because if the webapp thinks its base URL is http://something:8000/
and its public address is actually http://something/ there may be
some desintelligences. Not that it can't be solved.
> In particular, i don't see how apache is more secure than squeak vm.
> Security depends more on what you are running as front end (framework in
> smalltalk, module in apache), not the basement.
>  
well... it just is :) years of auditing, security in the mind of most
developers in the team, dozens of bugs found and fixed, weak
points in squeak (I'm not really talking of the VM, I'm putting
the emphasis first on vulnerable Smalltalk code, and only then
on native code (vm, plugins, external libraries, etc)).

    richie


Re: [squeak-dev] smalltalk and Web stuff

Gerardo Richarte
In reply to this post by Janko Mivšek
Janko Mivšek wrote:
> The only unsolved question remaining is how to add a server on a new IP or
> port without restarting the whole image as root. I need to temporarily
> log the image in as root and then log out. Can I do that through libc too?
well... if after you dropped privs it was possible to regain them for you,
it would be possible to regain them for an attacker with code execution :)
so, if we are doing things right, no, there's no way to become root after
you dropped privs.

Now, if you are careful with your base URL, another option is, as Igor
suggested, to use, for example, iptables to redirect port 80 to a higher
port, and make squeak listen on a high port. For this you'll need an
external helper program (setuid root) that lets you change the
firewall rules at runtime from squeak.

Another option is to use a different external helper program, running
as root, that will open the sockets for your non-root process, and then
pass them around to the other process. In most OSes there's a way
to pass FDs from one process to the other, as far as I remember, in
Unix that's through a unix socket.

If you are interested in either of these two options, let me know, I'll try to
find out the right magic.

    richie


Re: [squeak-dev] smalltalk and Web stuff

David Zmick
I have run squeak behind apache using a redirect in a .htaccess file, and it has worked very well.  I am not sure how secure that is, but it was easy, and it worked :)
David Zmick
/dz0004455\
http://dz0004455.googlepages.com
http://dz0004455.blogspot.com


On Sun, Nov 23, 2008 at 5:51 PM, Gerardo Richarte <[hidden email]> wrote:

Re: [squeak-dev] Re: smalltalk and Web stuff

FDominicus
In reply to this post by Andreas.Raab
Andreas Raab <[hidden email]> writes:

> Philippe Marschall wrote:
>>> AIDA/Web apps/websites are running as pure Smalltalk web presence, from
>>> dynamic to static content, movies included. No Apache needed, Swazoo as
>>> integral part of Aida is there to serve directly to the web.
>> How do you bind port 80?
>
> You can use iptables to redirect the incoming port to one > 1024:
>
> iptables -A PREROUTING -d 12.34.56.78 -p tcp --dport  80 -j DNAT
> --to-destination 12.34.56.78:8888

I'm really happy that my question has such an interesting run. Thanks
to all for that. I was very reluctant to just run something as
root. I've not done it in the past and I surely won't have a
WebServer run as root. It's like a door beside which you've hung the
keys.....

Regards
Friedrich
