Hiawatha web server
July 13, 2008 —
BarryK
So far I am impressed. Hiawatha is small, with many features and was very easy to get going. It has SSL support and URL-rewriting. The author guarantees it to be secure! Here is the home page:
http://hiawatha.leisink.org/
Here is how I compiled and installed it:
# export webrootdir=/root/spot/hiawatha
UPDATE: now export webrootdir=/root/httpd/hiawatha
# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --build=i486-t2-linux-gnu --enable-xslt
# make
# new2dir make install
Then, set the 'suid' permission on /usr/sbin/hiawatha
# su spot
# hiawatha
# mozilla http://127.0.0.1:80/
# killall hiawatha
# exit
This also works:
# su -c '/usr/sbin/hiawatha -d' - spot &
However, I am very uncertain about the best way to set it up, for the security. Forgetting about that 'su' stuff, if I just execute 'hiawatha' it automatically runs as user 'nobody' -- which is good enough isn't it? So, there's no real need to have the 'webrootdir' inside /spot? -- so maybe I'll change webrootdir to /root/httpd/hiawatha.
Regarding PPLOG, yes, it works! It worked right off, well I had to edit a few lines in /etc/hiawatha/httpd.conf. I was able to post a comment, but when I wanted to edit the comment, I got an error message:
Insecure in open while running setuid at /root/spot/hiawatha/blog/pplog.pl line 901
...I messed around with file permissions, but no go. The problem is the first post is a file, created at /root/spot/hiawatha/blog/posts/00000.ppl, and this file is the problem -- it was created ok but Hiawatha will not allow it to be opened and edited.
....so close!
Anyone skilled at this security/permissions side of things who can comment about the best way to set up the installation of Hiawatha?
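Added example, not part of the original post and not PPLOG's code: the "Insecure ... while running setuid" error is Perl's taint check, which Perl turns on by itself when a script runs with differing real and effective user or group ids. The sketch below shows a write being refused for a tainted file name and allowed once the id has been validated, rather than switching the checks off. The helper names, the five-digit id pattern (modelled on 00000.ppl) and the temporary directory are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Stand-in for the blog's posts directory (assumption: a temp dir so this runs anywhere).
my $posts_dir = tempdir(CLEANUP => 1);

# Zero-length tainted string: appending it marks the constructed samples as
# tainted, the way CGI parameters are when perl runs setuid or with -T.
my $taint = substr("$0$^X", 0, 0);

# Hypothetical helper: accept only five-digit ids (file names like 00000.ppl).
sub post_path {
    my ($id) = @_;
    # A regex capture is how Perl untaints data, so keep the pattern strict.
    my ($clean) = $id =~ /\A(\d{5})\z/ or return;
    return "$posts_dir/$clean.ppl";
}

# Hypothetical helper: overwrite a post file with new text.
sub save_post {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $text;
    close($fh) or die "close $path: $!";
}

for my $sample ('00000', '../../etc/passwd', '00001.ppl') {   # constructed inputs
    my $id = $sample . $taint;
    printf "%-18s tainted=%d\n", $id, tainted($id) ? 1 : 0;

    # Raw value in a write: the taint check dies before the file is opened.
    eval { save_post("$posts_dir/$id.ppl", "x"); 1 }
        or print "  raw:       refused: $@";

    # Validated value: the open is allowed, and bad ids never reach it.
    if (my $path = post_path($id)) {
        save_post($path, "edited comment\n");
        print "  validated: wrote ", tainted($path) ? 'tainted' : 'clean', " path\n";
    } else {
        print "  validated: rejected id\n";
    }
}
```

Run it as `perl -T example.pl`; under -T the refusal reads "while running with -T switch", and under setuid it reads "while running setuid".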
Comments
Hiawatha
Username: dogone
While I'm really not qualified to judge this project, I sure get a very good feeling from this site. Hiawatha would be a terrific addition to Puppy's toy box. Another thought. Hiawatha is sufficiently straightforward and well documented to encourage novices to build that first web server. I'd like to think that that's part of Puppy's mission.
PPLOG fix
Username: prehistoric1
While you're inside PPLOG could you change the part about creating a password so it takes two and compares them? This would cut down on excess identities, like the one I'm using now. PERL isn't one of my strong points. A friend's analysis of the language would serve for my opinion, "syntax soup".
taint check
Username: John_Doe
Hi Barry, Regarding: "Insecure in open while running setuid at /root/spot/hiawatha/blog/pplog.pl line 901" I've had the same problem trying to run PPLOG under apache with suexec. I can't get perl to write files with anything other than root group owner. Check the ownership on the comment file that is written, it will probably have root as group owner. It all has something to do with Perl and "taint checks", but I never completely solved it. http://www.washington.edu/perl5man/pod/perlsec.html Hope this helps a bit.
Yay. Hiawatha looks Sweet.
Username: Feverfew
And the part about it using the Ban-hammer on bad hackers. I'm gonna Sooo Try This! @prehistoric1 Ya that stinks. Seamonkey remembers my pass ...But then again I don't have a bazillion Puppies that I post from So IMHO a fix for the puppy hordes would be So cool.
Re: Hiawatha
Username: BarryK
prehistoric1, All suggestions for improving PPLOG should go to Fedekun the author right now, as he is working on the next version -- just click the PPLOG link on the left of this page to go to his site. John_Doe, I tried setting up with all combinations of user, group, permission, nothing worked. The Hiawatha config file allows setting what user:group it drops to and I tried variations on that too. But, as this is "in house", our own personal installation of Perl, I wonder if we can go into the Perl installation and hack something to make PPLOG work?
PPLOG now works
Username: BarryK
John_Doe, Thanks for that link. I'm still confused, but I do have a workaround. I examined the Perl commandline options, and changed the first line in the PPLOG script to: #!/usr/bin/perl -U The description of '-U' is "allow unsafe operations" and it is probably an awful hack to use it. I'll leave it like that for now, so at least it is working. This will be in 4.1alpha4 and anyone who feels like examining it further feel free to do so.
setting hiawatha user
Username: lstandish
From http://hiawatha.leisink.org/hiawatha/howto#3.1: "Because running a webserver as root is not very wise in most cases, Hiawatha will drop root privileges after startup by switching to user nobody. You can tell Hiawatha to switch to another user via the ServerId option: ServerId = www-data" Would this allow setting user "spot" without triggering perl taint mode?
Tags: puppy