DaemonForums - OpenBSD General

#1 - 22nd June 2016 - ed.n1n2 (Port Guard; Join Date: Mar 2015; Posts: 30)
Nginx w/ basic auth fails due to permissions

Hello,

Running 5.9 with nginx installed. Runs just fine under normal conditions with root:www, but utterly refuses to load the basic auth file regardless of permissions.

I'm presented with the opportunity to log in with a test user name and password, but I'm presented with a 403 afterwards for all requests. Looking in the errors log I find:

Code:
[error] 28120#0: *1 open() "/etc/nginx/auth_acs" failed (2: No such file or directory), client: 10.0.0.50, server: 10.0.0.2, request: "GET /gs/index.html HTTP/1.1", host: "10.0.0.2"
In my location directive I have some basic limitations by IP address (working just fine), and then two lines for the auth:

Code:
auth_basic           "Dev ACS Server";
auth_basic_user_file auth_acs;
The auth_acs file was populated with openssl passwd (w and w/o -apr1), as well as htpasswd, with no differences in 403 responses.

Permissions:
Code:
drwxr-xr-x  26 root    wheel    2.0K Jun 21 19:05 etc
drwxrwxr-x   2 root  www         512B Jun 22 14:49 nginx
-rwxrwxrwx   1 root  www     209B Jun 22 15:00 auth_acs
The moment I comment out the auth directives, everything is working again just fine. It seems that nginx cannot load the password file, even with that password file having 777 permissions.

While it's a very bad idea, I can't even change the user name of the nginx process to root to see if it works. Nginx refuses to start with it, which is probably a good thing.

Any advice on getting HTTP auth up and running?
#2 - 23rd June 2016 - jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 6,346)
I will guess you are running nginx chrooted, because that is the default configuration, and is likely why you are unable to reach the file. The default will not permit nginx to reach any file outside of the /var/www directory structure.

See the '-u' option in the nginx(8) man page to disable this security feature and permit nginx to access all filesystems.

---

Edited to add: if instead you operate nginx chrooted with all files inside /var/www, you will prevent a compromised webserver from reaching the rest of your data.

Last edited by jggimi; 23rd June 2016 at 12:26 AM. Reason: chroot is recommended
#3 - 23rd June 2016 - ed.n1n2
Well, that's the only thing that has worked. Is that my only option?

Full paths don't seem to work either, even to a file that exists within the chroot '/var/www'. Is that a limitation of the auth directive itself? It doesn't matter what you put there; it will prefix '/etc/nginx/' to it. Using the following still gives the load error, even though the path works otherwise:

Code:
/etc/nginx/../../var/www/conf/auth_acs
It's very weird that nginx demands a security file be placed outside of the chroot that its worker process accesses.

Do you think this is a bug, or that I'm just misconfiguring nginx?
#4 - 23rd June 2016 - TronDD (Package Pilot; Join Date: Sep 2014; Posts: 177)
When a program is run in a chroot, that directory becomes / to that program. So if nginx is chrooted into /var/www, all nginx sees is /. So your path in the nginx config can't include /var/www/something. It has to be just /something.

So if nginx looks at a hardcoded path of /etc/nginx/conf/auth_acs then you have to put the file in /var/www/etc/nginx/conf/auth_acs for nginx to find it in the chroot.

Disclaimer: I don't use nginx. I'm assuming nginx needs to access this file from inside the chroot, that it doesn't have a helper process outside passing things in, and that it doesn't read the file before chrooting.

Tim.
#5 - 23rd June 2016 - ed.n1n2
@TronDD

There is no way to load the password file from within the chroot.

Here's the part you're missing:

Code:
/etc/nginx/conf/auth_acs
I never added the '/etc/nginx/'. See the configuration lines above. It will always add that to whatever I create. So whatever paths I put in the configuration file, even to a file within the chroot, become mangled with that prefixed "crap".

If I put the password file in '/var/www/conf/', there is no way to fool the configuration line into loading it. Using '../../var/www' can't work to escape out of the '/etc/nginx' back to root and then back into the chroot directory '/var/www/'.

If nginx would stop prefixing the path this might have a chance at working.

If I put the file where you suggest, then the configuration line will be mangled into this non-working line:

Code:
/etc/nginx/var/www/etc/nginx/conf/auth_acs
The problem is that nginx puts a non-working path in. How the heck could basic auth ever work without disabling chroot?
#6 - 23rd June 2016 - jggimi
Disclaimer: I use nginx, but not with auth.

The application begins with an unchrooted process, in order to read its configuration file. It then starts chrooted operational processes.

If the chrooted processes need to find the specific path /etc/nginx/conf/auth_acs, the path must actually be /var/www/etc/nginx/conf/auth_acs due to the chroot resolution.

You can't use symbolic links back to /etc; the chrooted process has no access to any paths outside /var/www, which it sees as "/" as trondd noted above.
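An added shell script, not code from the thread or from nginx, that models the path rule TronDD and jggimi describe in posts #4 and #6: a relative auth_basic_user_file value is prefixed with the configuration directory, and the chrooted worker then opens the result inside its chroot, where ".." cannot climb above the chroot root. The chroot /var/www and prefix /etc/nginx are the defaults the thread reports for OpenBSD; the function and variable names (normalize_in_chroot, nginx_open_path, check_auth_file, CHROOT, CONF_PREFIX) are assumptions of this example. It predicts the host-filesystem path for the values tried in the thread and checks whether that path is a readable file.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx: model where a chrooted
# nginx worker looks for an auth_basic_user_file value, then check that path.
# Assumed defaults (as reported in the thread for OpenBSD 5.9): chroot /var/www,
# configuration directory /etc/nginx. Override with CHROOT= and CONF_PREFIX=.

# normalize_in_chroot PATH
#   Lexically resolve "." and ".." the way a process under chroot(2) sees them:
#   ".." at the chroot root stays at the root, it never escapes. The kernel also
#   requires every intermediate directory to exist inside the chroot, so this
#   result is the best case, not a guarantee that the open(2) succeeds.
normalize_in_chroot() {
    _in=$1
    _out=""
    _oldifs=$IFS
    IFS=/
    set -f                      # no globbing while we split on "/"
    for _seg in $_in; do
        case $_seg in
            ''|.)  ;;                       # empty component or "."
            ..)    _out=${_out%/*} ;;       # "" stays "": clamped at the root
            *)     _out="$_out/$_seg" ;;
        esac
    done
    set +f
    IFS=$_oldifs
    printf '%s\n' "${_out:-/}"
}

# nginx_open_path VALUE
#   nginx prefixes a relative auth_basic_user_file with the configuration
#   directory; the worker then opens that name inside its chroot, so the
#   host path is the chroot directory plus the normalized path.
nginx_open_path() {
    _chroot=${CHROOT:-/var/www}
    _prefix=${CONF_PREFIX:-/etc/nginx}
    case $1 in
        /*) _p=$1 ;;
        *)  _p="$_prefix/$1" ;;
    esac
    _p=$(normalize_in_chroot "$_p")
    if [ "$_p" = / ]; then
        printf '%s\n' "$_chroot"
    else
        printf '%s\n' "$_chroot$_p"
    fi
}

# check_auth_file VALUE
#   Exit 0 if the predicted host path is a readable regular file. Run this as
#   the worker's user (www on OpenBSD) for a faithful permission check.
check_auth_file() {
    _host=$(nginx_open_path "$1")
    if [ -f "$_host" ] && [ -r "$_host" ]; then
        printf 'ok: worker opens %s\n' "$_host"
        return 0
    fi
    printf 'missing: worker would open %s and cannot\n' "$_host" >&2
    return 1
}

# The values tried in the thread, resolved with the assumed defaults:
for _v in auth_acs /etc/nginx/../../var/www/conf/auth_acs var/www/etc/nginx/conf/auth_acs; do
    printf '%-42s -> %s\n' "$_v" "$(nginx_open_path "$_v")"
done
```

The loop reproduces the thread's observations: the bare name resolves to /var/www/etc/nginx/auth_acs (the placement that finally worked), the "../.." attempt cannot leave the chroot and ends up under /var/www/var/www/, and a chroot-relative path without a leading slash gets the configuration prefix prepended twice. check_auth_file only tells you whether the file is there; the worker still needs read permission on every directory component inside the chroot.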
#7 - 24th June 2016 - ed.n1n2
Thank you, it's up and running now.

I needed to take the -u flag out of the init script (I had forgotten it there), make /var/www/etc/nginx with correct permissions, and have just the filename in the configuration file.

On another note, openssl did not seem to generate working passwords, but htpasswd did.

Thanks again, guys.