Re: NEW: www/hiawatha-5.4

2007-01-11 Thread Toni Mueller

Hi,

On Sun, 31.12.2006 at 14:18:54 +0100, Antoine Jacoutot [EMAIL PROTECTED]
wrote:
> While I totally understand Marc's comment, he just wonders what a full
> scale audit would reveal... maybe nothing!

ugh. Bad assumption if you try to be secure by default.

> By the way, this is true for other ports too.
> For info, the daemon cannot be run as root. It is a small piece of software so it
> shouldn't be too hard to audit if people want to.

FWIW, I was also recently looking for a small webserver after I
initially looked into lighttpd, and came across nginx which I find
even more promising.


Best,
--Toni++



Re: NEW: www/hiawatha-5.4

2007-01-11 Thread Nikns Siankin
On Thu, Jan 11, 2007 at 11:09:29AM +0100, Toni Mueller wrote:

> Hi,
>
> On Sun, 31.12.2006 at 14:18:54 +0100, Antoine Jacoutot [EMAIL PROTECTED]
> wrote:
> > While I totally understand Marc's comment, he just wonders what a full
> > scale audit would reveal... maybe nothing!
>
> ugh. Bad assumption if you try to be secure by default.
>
> > By the way, this is true for other ports too.
> > For info, the daemon cannot be run as root. It is a small piece of software so it
> > shouldn't be too hard to audit if people want to.
>
> FWIW, I was also recently looking for a small webserver after I
> initially looked into lighttpd, and came across nginx which I find
> even more promising.

http://secure.lv/~nikns/stuff/ports/nginx-0.4.7.tar
if interested
it is very popular in the ex-Soviet Union ;]
in fact, jan [lighttpd] and Sysoev [nginx] are exchanging ideas
and perhaps code, dunno.

> Best,
> --Toni++




Re: NEW: www/hiawatha-5.4

2007-01-01 Thread Marc Balmer

Marc Espie wrote:

> Well, I was probably a bit harsh on my first comments wrt hiawatha.
> One actually nice feature of this program is that it is reasonably
> small. Someone with incentive could probably audit it.
>
> Since it is under the GPL, the OpenBSD project has little incentive
> in looking at it very closely...

You might want to take a closer look at www/nostromo, a secure and small
webserver written by [EMAIL PROTECTED]

> Antoine fixed hiawatha so that it does not abuse user nobody, so that one
> issue doesn't exist on OpenBSD.
>
> Just looking shows me there is probably a race condition on signals.
> Using the same variable for TERM/USR1/USR2 is asking for trouble...
> and the variable is an int, not a sig_atomic_t (which is innocuous on
> most arches, but still).
>
> Some printf's are not portable... like printing getpid with %d (okay,
> this is a stretch).
>
> The str2int function has absolutely no overflow handling and uses 48
> directly, which is totally icky. This means that a few functions have no
> protection against user error, which is probably not too bad.
>
> Like I already noticed, there is no handler for seg faults, not even
> something to log an error message (which is about all that should happen,
> but this SHOULD happen).
>
> I've looked a bit more, but the coding layout is a bit bizarre. I'm not
> a big fan of code that indents out to column 160 or so...
>
> There are LOTS of hand-coded length computations based on strings, and use
> of unsafe string functions, or error-prone stuff (between atoi, str2int,
> strncpy, and friends...). I don't think it's incredibly bad, but it doesn't
> look incredibly good either...





Re: NEW: www/hiawatha-5.4

2006-12-31 Thread Joachim Schipper
On Fri, Dec 29, 2006 at 07:30:12AM +0100, Antoine Jacoutot wrote:
> pkg/DESCR
> Hiawatha is a secure webserver for Unix. It has been written with 'being
> secure' as its main goal.  Hiawatha has many security features that no
> other webserver has.
> Hiawatha does not have all the fancy features, but it is very secure and
> fast and is really easy to configure.  Rootjail, run CGIs under any
> uid/gid you want, prevention of SQL injection and cross-site scripting,
> banning of clients who try such exploits and many other features make
> Hiawatha an interesting webserver for those who need more security than
> what the other available webservers are offering.
>
> Tested under i386, sparc64 and macppc.
> comments? ok?

I'll try to give it a spin tomorrow, but I find it hard to reconcile the
above with
http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
(Marc Espie (espie@) says he is 'shuddering about what a full scale
audit would reveal'). Even if you disagree with Marc, wouldn't it be a
good idea to have some warning somewhere - perhaps in a SECURITY file?

Joachim



Re: NEW: www/hiawatha-5.4

2006-12-31 Thread Antoine Jacoutot

On Fri, 29 Dec 2006, Joachim Schipper wrote:

> I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> above with
> http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> (Marc Espie (espie@) says he is 'shuddering about what a full scale
> audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> good idea to have some warning somewhere - perhaps in a SECURITY file?

While I totally understand Marc's comment, he just wonders what a full
scale audit would reveal... maybe nothing!

By the way, this is true for other ports too.
For info, the daemon cannot be run as root. It is a small piece of software so it
shouldn't be too hard to audit if people want to.


--
Antoine



Re: NEW: www/hiawatha-5.4

2006-12-31 Thread Joachim Schipper
On Sun, Dec 31, 2006 at 02:18:54PM +0100, Antoine Jacoutot wrote:
> On Fri, 29 Dec 2006, Joachim Schipper wrote:
> > I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> > above with
> > http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> > (Marc Espie (espie@) says he is 'shuddering about what a full scale
> > audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> > good idea to have some warning somewhere - perhaps in a SECURITY file?
>
> While I totally understand Marc's comment, he just wonders what a full
> scale audit would reveal... maybe nothing!
> By the way, this is true for other ports too.
> For info, the daemon cannot be run as root. It is a small piece of software so it
> shouldn't be too hard to audit if people want to.

Oh, it's certainly not the only port with questionable security - but
remember that Ethereal was pulled from the tree explicitly for its lack
of security, and also note that something like php or ImageMagick -
which are useful, but not as secure as one might like - doesn't have a
MESSAGE boasting that it is the next big security revolution.

Also, sorry for the slow reaction on the first post - it got stuck on my
laptop, that'll teach me to mess around with Postfix without restoring
the settings later. And sorry for this slow message - I'd promised to
test it earlier, and it's already committed (it builds fine, FWIW).

Joachim



Re: NEW: www/hiawatha-5.4

2006-12-31 Thread Antoine Jacoutot

On Sun, 31 Dec 2006, Joachim Schipper wrote:

> Oh, it's certainly not the only port with questionable security - but
> remember that Ethereal was pulled from the tree explicitly for its lack

Yes, but it was running as root IIRC.

> of security, and also note that something like php or ImageMagick -
> which are useful, but not as secure as one might like - doesn't have a
> MESSAGE boasting that it is the next big security revolution.

Exactly.

> Also, sorry for the slow reaction on the first post - it got stuck on my
> laptop, that'll teach me to mess around with Postfix without restoring
> the settings later. And sorry for this slow message - I'd promised to
> test it earlier, and it's already committed (it builds fine, FWIW).


Hey no problem. Late feedback is better than no feedback. Before 
committing it, hiawatha was tested under i386, amd64, sparc64, macppc and 
zaurus ;-)


Cheers!

--
Antoine



Re: NEW: www/hiawatha-5.4

2006-12-31 Thread Antoine Jacoutot

On Sun, 31 Dec 2006, Adam wrote:

> as if that is all it takes to make it secure.  The DESCR should not brag
> about how secure it is unless it's actually true.  A little "the author claims
> it's secure, but it hasn't been audited" note or something would be nice.


Hum actually that makes sense.
I'll look into that.

--
Antoine



Re: NEW: www/hiawatha-5.4

2006-12-31 Thread Adam
Antoine Jacoutot [EMAIL PROTECTED] wrote:

> On Fri, 29 Dec 2006, Joachim Schipper wrote:
> > I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> > above with
> > http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> > (Marc Espie (espie@) says he is 'shuddering about what a full scale
> > audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> > good idea to have some warning somewhere - perhaps in a SECURITY file?
>
> While I totally understand Marc's comment, he just wonders what a full
> scale audit would reveal... maybe nothing!
> By the way, this is true for other ports too.

It's not that the software may be insecure that's the issue.  It's the current
trend of people writing software and putting "secure" into its feature list
as if that is all it takes to make it secure.  The DESCR should not brag
about how secure it is unless it's actually true.  A little "the author claims
it's secure, but it hasn't been audited" note or something would be nice.

Adam