Hiawatha web server

So far I am impressed. Hiawatha is small, with many features and was very easy to get going. It has SSL support and URL-rewriting. The author guarantees it to be secure! Here is the home page:

http://hiawatha.leisink.org/

Here is how I compiled and installed it:

# export webrootdir=/root/spot/hiawatha
UPDATE: now export webrootdir=/root/httpd/hiawatha
# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --build=i486-t2-linux-gnu --enable-xslt
# make
# new2dir make install

Then, set the 'suid' permission on /usr/sbin/hiawatha

# su spot
# hiawatha
# mozilla http://127.0.0.1:80/
# killall hiawatha
# exit

This also works:

# su -c '/usr/sbin/hiawatha -d' - spot &


However, I am very uncertain about the best way to set it up, for the security. Forgetting about that 'su' stuff, if I just execute 'hiawatha' it automatically runs as user 'nobody' -- which is good enough isn't it? So, there's no real need to have the 'webrootdir' inside /spot? -- so maybe I'll change webrootdir to /root/httpd/hiawatha.

Regarding PPLOG, yes, it works! It worked right off, well I had to edit a few lines in /etc/hiawatha/httpd.conf. I was able to post a comment, but when I wanted to edit the comment, I got an error message:
Insecure in open while running setuid at /root/spot/hiawatha/blog/pplog.pl line 901
...I messed around with file permissions, but no go. The problem is the first post is a file, created at /root/spot/hiawatha/blog/posts/00000.ppl, and this file is the problem -- it was created OK but Hiawatha will not allow it to be opened and edited.
....so close!

Anyone skilled at this security/permissions side of things who can comment about the best way to set up the installation of Hiawatha?


Posted on 13 Jul 2008, 12:54


Comments:

Posted on 12 Jul 2008, 23:34 by dogone
Hiawatha
While I'm really not qualified to judge this project, I sure get a very good feeling from this site. Hiawatha would be a terrific addition to Puppy's toy box.

Another thought. Hiawatha is sufficiently straightforward and well documented to encourage novices to build that first web server. I'd like to think that that's part of Puppy's mission.


Posted on 13 Jul 2008, 3:56 by prehistoric1
PPLOG fix
While you're inside PPLOG could you change the part about creating a password so it takes two and compares them? This would cut down on excess identities, like the one I'm using now.

PERL isn't one of my strong points. A friend's analysis of the language would serve for my opinion, "syntax soup".


Posted on 13 Jul 2008, 5:35 by John_Doe
taint check
Hi Barry,

Regarding: "Insecure in open while running setuid at /root/spot/hiawatha/blog/pplog.pl line 901"

I've had the same problem trying to run PPLOG under apache with suexec. I can't get perl to write files with anything other than root group owner. Check the ownership on the comment file that is written, it will probably have root as group owner.

It all has something to do with Perl and "taint checks", but I never completely solved it.

http://www.washington.edu/perl5man/pod/perlsec.html

Hope this helps a bit.


Posted on 13 Jul 2008, 8:04 by Feverfew
Yay. Hiawatha looks Sweet.

And the part about it using the Ban-hammer on bad hackers. I'm gonna Sooo Try This!



@prehistoric1
Ya that stinks. Seamonkey remembers my pass ...But then again I don't have a bazillion Puppies that I post from So IMHO a fix for the puppy hordes would be So cool.



Posted on 13 Jul 2008, 8:32 by BarryK
Re: Hiawatha
prehistoric1,
All suggestions for improving PPLOG should go to Fedekun the author right now, as he is working on the next version -- just click the PPLOG link on the left of this page to go to his site.

John_Doe,
I tried setting up with all combinations of user, group, permission, nothing worked. The Hiawatha config file allows setting what user:group it drops to and I tried variations on that too.
But, as this is "in house", our own personal installation of Perl, I wonder if we can go into the Perl installation and hack something to make PPLOG work?


Posted on 13 Jul 2008, 8:56 by BarryK
PPLOG now works
John_Doe,
Thanks for that link. I'm still confused, but I do have a workaround. I examined the Perl commandline options, and changed the first line in the PPLOG script to:
#!/usr/bin/perl -U

The description of '-U' is "allow unsafe operations" and it is probably an awful hack to use it. I'll leave it like that for now, so at least it is working. This will be in 4.1alpha4 and anyone who feels like examining it further feel free to do so.
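
The validate-then-open pattern that Perl's taint mode expects, as an alternative to '-U'. This is an added example, not part of the original thread and not PPLOG's code. It assumes post ids are five digits (as in 00000.ppl); the directory, the sample values and the helper names are hypothetical.

```perl
#!/usr/bin/perl -T
# Added example (not PPLOG code). Run as: perl -T untaint_demo.pl
use strict;
use warnings;

# Constructed stand-in for the blog's posts directory ($$ is not tainted).
my $posts_dir = "/tmp/pplog-taint-demo-$$";
mkdir $posts_dir, 0700 or die "mkdir $posts_dir: $!\n";

# Constructed request values. Appending an empty slice of "$0$^X" (tainted
# under -T) marks them tainted, the way real CGI parameters would be.
my $taint     = substr("$0$^X", 0, 0);
my $requested = '00000' . $taint;
my $traversal = '../../etc/passwd' . $taint;

# Only a regex capture yields untainted data, so the pattern is the
# allow-list: exactly five digits, hence no slashes and no "..".
sub untaint_post_id {
    my ($raw) = @_;
    return defined $raw && $raw =~ /\A(\d{5})\z/ ? $1 : undef;
}

sub save_post {
    my ($id, $text) = @_;
    open(my $fh, '>', "$posts_dir/$id.ppl") or die "open: $!\n";
    print {$fh} $text;
    close($fh) or die "close: $!\n";
    return 1;
}

# 1. Tainted name in a write-mode open: Perl dies before touching the file.
#    Under setuid the same message ends "while running setuid".
my $ok = eval { save_post($requested, "edited\n") };
print "tainted id:   ", ($ok ? "written\n" : "refused: $@");

# 2. Validated name: the same open succeeds, without -U.
my $id = untaint_post_id($requested);
die "bad post id\n" unless defined $id;
print "untainted id: ", (save_post($id, "edited\n") ? "written\n" : "failed\n");

# 3. A traversal attempt fails validation and never reaches open.
print "traversal:    ",
    (defined untaint_post_id($traversal) ? "accepted\n" : "rejected\n");

unlink "$posts_dir/$id.ppl";
rmdir $posts_dir;
```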



Posted on 13 Jul 2008, 10:45 by lstandish
taint mode
I think that if you just run hiawatha without the setuid, letting it execute as user "nobody", the perl taint mode will not be triggered (as it automatically is when it detects setuid or setgid, even when perl is not passed the -T). I expect to try this on my own Puppy and let you know. (I can't download 4.1alpha4 without travelling to a distant city where I can get broadband.)


Posted on 13 Jul 2008, 11:30 by lstandish
setting hiawatha user
From http://hiawatha.leisink.org/hiawatha/howto#3.1:

"Because running a webserver as root is not very wise in most cases, Hiawatha will drop root privileges after startup by switching to user nobody. You can tell Hiawatha to switch to another user via the ServerId option:
ServerId = www-data"

Would this allow setting user "spot" without triggering perl taint mode?