mischief/openbsd-src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2024-12-22 07:27:59 -08:00
Code
master
openbsd-src/usr.bin/bgplg/bgplg.8
reyk 52e4528b62 Some of the executables that are used by bgplg need the set-user-ID 
bit, so they should be mounted on a filesystem without the nosuid
option.  OpenBSD's /var/www is mounted nosuid by default and using
bgplg with the statically-linked "ping" doesn't work with nosuid.

Reported by Michael W. Lucas (mwlucas at michaelwlucas.com)

OK jmc@ jca@
2016-12-14 14:38:42 +00:00

220 lines
5.2 KiB
Groff
Raw Permalink Blame History

.\" $OpenBSD: bgplg.8,v 1.16 2016/12/14 14:38:42 reyk Exp $
.\"
.\" Copyright (c) 2005, 2006, 2013 Reyk Floeter <reyk@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: December 14 2016 $
.Dt BGPLG 8
.Os
.Sh NAME
.Nm bgplg
.Nd looking glass for the OpenBSD Border Gateway Protocol daemon
.Sh SYNOPSIS
.Nm bgplg
.Sh DESCRIPTION
The
.Nm
CGI program is a looking glass for the
.Xr bgpd 8
Border Gateway Protocol daemon.
The looking glass will provide a simple web interface with read-only
access to a restricted set of
.Xr bgpd 8
and system status information, which is typically used on route
servers by Internet Service Providers (ISPs) and Internet eXchange
points (IXs).
It is intended to be used in a
.Xr chroot 2
environment in
.Pa /var/www .
.Pp
.Nm
is disabled by default.
It requires four steps to enable the looking glass:
.Bl -enum
.It
Update the file permission mode to allow the execution of the
.Nm
CGI program and the additional statically linked programs that have
been installed into the
.Xr chroot 2
environment.
.Pp
For example,
to allow execution of
.Nm
and the statically-linked version of
.Xr bgpctl 8 :
.Bd -literal -offset indent
# chmod 0555 /var/www/cgi-bin/bgplg
# chmod 0555 /var/www/bin/bgpctl
.Ed
.Pp
External commands like
.Xr ping 8
and others will be hidden from the looking glass command
list unless given the correct permissions.
See the
.Sx FILES
section below for the list of installed programs.
.It
The programs
.Xr ping 8 ,
.Xr ping6 8 ,
.Xr traceroute 8
and
.Xr traceroute6 8
will require a copy of the resolver configuration file
.Xr resolv.conf 5
in the
.Xr chroot 2
environment for optional host name lookups.
.Bd -literal -offset indent
# mkdir /var/www/etc
# cp /etc/resolv.conf /var/www/etc
.Ed
.It
Start the Border Gateway Protocol daemon with a second,
restricted, control socket that can be used
from within the
.Xr chroot 2
environment.
See
.Xr bgpd.conf 5
for more information.
.Pp
For example,
add the following to
.Pa /etc/bgpd.conf
to have
.Xr bgpd 8
open a second, restricted, control socket:
.Pp
.Dl socket \&"/var/www/run/bgpd.rsock\&" restricted
.It
Start the
.Xr httpd 8
and
.Xr slowcgi 8
servers after configuring the related
.Ic server
section in
.Xr httpd.conf 5 .
For example:
.Bd -literal -offset indent
ext_addr="0.0.0.0"
server "lg.example.net" {
listen on $ext_addr port 80
location "/cgi-bin/*" {
fastcgi
root ""
}
}
.Ed
.El
.Sh FILES
.Bl -tag -width "/var/www/conf/bgplg.headXX" -compact
.It Pa /var/www/conf/bgplg.css
Optional
.Nm
CSS style sheet.
.It Pa /var/www/conf/bgplg.head
Optional
.Nm
HTML header.
.It Pa /var/www/conf/bgplg.foot
Optional
.Nm
HTML footer.
.It Pa /var/www/run/bgpd.rsock
Position of the second, restricted, control socket of
.Xr bgpd 8 .
.El
.Pp
The following statically linked executables have been installed into
the
.Xr chroot 2
environment of the
.Xr httpd 8
server.
To enable the corresponding functionality, use the
.Xr chmod 1
utility to manually set the file permission mode to 0555 or anything
appropriate.
Some of these executables need the set-user-ID bit,
so they should be mounted on a filesystem
without the
.Ic nosuid
option.
.Pp
.Bl -tag -width "/var/www/bin/traceroute6XX" -compact
.It Pa /var/www/cgi-bin/bgplg
The
.Nm
CGI executable.
.It Pa /var/www/bin/bgpctl
The
.Xr bgpctl 8
program used to query information from
.Xr bgpd 8
.It Pa /var/www/bin/ping
The
.Xr ping 8
program used to send ICMP ECHO_REQUEST packets to network hosts.
Requires the set-user-ID bit, set the permission mode to 4555.
.It Pa /var/www/bin/ping6
The
.Xr ping6 8
program used to send ICMPv6 ICMP6_ECHO_REQUEST packets to network hosts.
Requires the set-user-ID bit, set the permission mode to 4555.
.It Pa /var/www/bin/traceroute
The
.Xr traceroute 8
program used to print the route packets take to network hosts.
Requires the set-user-ID bit, set the permission mode to 4555.
.It Pa /var/www/bin/traceroute6
The
.Xr traceroute6 8
program used to print the route packets take to
.Xr inet6 4
network hosts.
Requires the set-user-ID bit, set the permission mode to 4555.
.El
.Sh SEE ALSO
.Xr bgpctl 8 ,
.Xr bgpd 8 ,
.Xr bgplgsh 8 ,
.Xr httpd 8 ,
.Xr slowcgi 8
.Sh HISTORY
The
.Nm
program first appeared in
.Ox 4.1 .
The initial implementation was done in 2005 for DE-CIX, the German
commercial internet exchange point.
.Sh AUTHORS
The
.Nm
program was written by
.An Reyk Floeter Aq Mt reyk@openbsd.org .
.Sh CAVEATS
To prevent commands from running endlessly,
.Nm
will kill the corresponding processes after a hard limit of 60 seconds.
For example, this can take effect when using
.Xr traceroute 8
with blackholed or bad routes.
View Git Blame Copy Permalink