Hiawatha claims to be a secure (securely designed) webserver.
Homepage: http://hiawatha.leisink.org/
Support-Forums: http://forum.leisink.org/viewforum.php?f=2
I uploaded the package to AUR --> http://aur.archlinux.org/packages.php?d … =1&ID=8437
hightower
EDIT: Improved PKGBUILD (thanks to Lone_Wolf and Snowman)
EDIT: New daemon script is now based on the portmap script (thanks to tomk)
EDIT: Typo in URL and improved daemon script (thanks to djscholl)
EDIT: New init script and new version
EDIT: hiawatha.install file added
EDIT: new version
EDIT: new version and uploaded to AUR
Last edited by hightower (2007-02-13 19:37:27)
Offline
try this on the sources line :
source=('http://hiawatha.leisink.org/files/$pkgname-$pkgver.tar.gz' 'hiawatha')
That will mean fewer changes when a new version is released.
Other than that I think it looks good, but I'm no wiz on daemons.
Online
try this on the sources line :
source=('http://hiawatha.leisink.org/files/$pkgname-$pkgver.tar.gz' 'hiawatha')
For that to work, you'll need to remove the single quotes or to replace them with double quotes.
I don't know if it matters but usually licenses are written in uppercase (GPL instead of gpl).
I'm also not familiar with daemon scripts. You could check some official daemon to see how they do it. That's what I usually do.
Offline
I always use /etc/rc.d/portmap as my starting point.
I don't know anything about hiawatha (although I'm going to check it out now), but if it has runtime options, you might need a /etc/conf.d/hiawatha to handle them.
Offline
I used the daemon script of smartd as source (I intended to use lighttpd, but it looked complicated), but the script of portmap seems better to me, so I have now adapted the hiawatha script.
hightower
Offline
Very minor point: typo in your url array (haiwatha)
I notice that the boot script supplied with hiawatha calls the wigwam binary before starting the daemon. I believe this checks the configuration file for correctness. Is this something you want to add to your boot script?
Not so minor point: according to the hiawatha man page, the hiawatha daemon is designed to switch to a non-root UID after it is started. This is done to improve security, and as hiawatha is a security-focused project, you might want to support this feature with your install. It appears that hiawatha by default will switch to 65534:65534, so it would seem to be better to set this explicitly. Also, the htdocs in the Arch apache package are put in /home/httpd rather than in /var/www, and you may want to follow this example. One way to handle both of these would be to create user:group hiawatha:hiawatha and put the files to be served in /home/hiawatha. To do this, you will need to add a hiawatha.install file to your tarball. If you want to see examples, one place to find them is in my elog package in the AUR. elog is a web server daemon, and I set it up to run as elog:elog and serve files out of /home/elog. If you do this, you may want to have your PKGBUILD set the ServerID in the httpd.conf, or at least warn the user how to set ServerID by having your hiawatha.install file print out a message at installation.
Offline
I know the issue with /var/www but as I found on the Arch Linux Mailing list a thread which dealt with this and came to no result, I left it, but if the /home directory is the Arch policy regarding daemons, I will change this.
The thing with the non-root UID came to my mind earlier and today, I played around a bit, and I'll make the necessary changes to the files.
hightower
Offline
# arg 1: the new package version
post_install() {
  # create the dedicated group and user only if they do not exist yet
  getent group hiawatha >/dev/null || usr/sbin/groupadd hiawatha
  getent passwd hiawatha >/dev/null || usr/sbin/useradd -c "hiawatha webserver" \
    -g hiawatha -d /home/hiawatha -s /bin/false hiawatha -m
  # lock the password so the account cannot be used to log in
  usr/bin/passwd -l hiawatha &>/dev/null
  # hand configuration, document root and logs to the unprivileged user
  chown -R hiawatha:hiawatha /etc/hiawatha
  chown -R hiawatha:hiawatha /home/hiawatha
  chown -R hiawatha:hiawatha /var/log/hiawatha
  echo -e "\n>>> Add hiawatha to the DAEMONS array in /etc/rc.conf if you want"
  echo -e ">>> the webserver to start at system boot-up.\n"
}

# arg 1: the new package version
# arg 2: the old package version
post_upgrade() {
  post_install $1
}

# arg 1: the old package version
pre_remove() {
  usr/sbin/userdel hiawatha &>/dev/null
  usr/sbin/groupdel hiawatha &>/dev/null
}

op=$1
shift
$op $*
I copied your install script :-) - is the "-m" option, which I included, for useradd appropriate?
I solved the problem with the non-root user by copying a modified httpd.conf file in the /pkg - directory.
EDIT: The FHS recommends putting the www stuff into /srv http://www.pathname.com/fhs/pub/fhs-2.3 … EDBYSYSTEM
hightower
Offline
The -m option to useradd creates the user's home directory and populates it with skeleton directories and files. My opinion is that we should not use -m in the present context. This is not a login account. For security reasons, we don't want anyone logging in as elog or hiawatha. For this reason, the login shell on the account is set to /bin/false. Given that no user will actually have that directory as a home directory, there is no reason to have the skeleton files there. The directory can easily be included as part of the package (without skeleton files), as I did in the elog PKGBUILD, following the example of the apache PKGBUILD.
Offline
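An added example, not code from any poster in this thread: a small audit of a daemon account against the points discussed above (non-root UID, non-login shell such as /bin/false, locked password, no skeleton files left behind by useradd -m). The function name audit_service_account and the sample passwd/shadow entries are constructed for illustration.

```shell
#!/bin/sh
# audit_service_account PASSWD_LINE SHADOW_LINE HOME_DIR
# Prints one FAIL line per finding; returns 0 if the account is clean, 1 otherwise.
audit_service_account() {
    passwd_line=$1 shadow_line=$2 home=$3
    findings=0

    # passwd(5): name:password:UID:GID:GECOS:home:shell
    uid=$(printf '%s\n' "$passwd_line" | cut -d: -f3)
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    # shadow(5): name:hash:...  A hash starting with ! or * matches no password.
    hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)

    if [ "$uid" = "0" ]; then
        echo "FAIL: account has UID 0"; findings=$((findings + 1))
    fi
    case $shell in
        /bin/false|/sbin/nologin|/usr/bin/nologin|/usr/sbin/nologin) ;;
        *) echo "FAIL: login shell is '$shell'"; findings=$((findings + 1)) ;;
    esac
    case $hash in
        '!'*|'*'*) ;;
        *) echo "FAIL: password is not locked"; findings=$((findings + 1)) ;;
    esac
    # useradd -m copies /etc/skel; dotfiles in a daemon's home are not needed
    for f in "$home"/.[!.]*; do
        [ -e "$f" ] || continue
        echo "FAIL: skeleton-style file $f"; findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample entries (not taken from a real system).
demo_home=$(mktemp -d)
audit_service_account \
    'hiawatha:x:972:972:hiawatha webserver:/home/hiawatha:/bin/false' \
    'hiawatha:!:13500::::::' "$demo_home" && echo "OK: account is locked down"
rm -rf "$demo_home"
```

On a live system the two entries can be taken from `getent passwd hiawatha` and, as root, `getent shadow hiawatha`.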
A new version of hiawatha was released yesterday.
Changelog from the project page:
hiawatha (5.3) stable; urgency=low
* Handling of not-available FastCGI servers.
* Large file support.
* Cache speed improvement.
* Total-connections-counter adjusted in case of ReconnectDelay.
* StartFile option now available inside a Directory section.
* 'newroot' and 'fcgi-server' scripts added to the Debian package
and the FreeBSD Makefile.
* CacheMinFilesize option added.
* Small bugfixes in the cache module.
-- Hugo Leisink <hugo> Sun, 17 Dec 2006 11:52:26 +0100
PKGBUILD adapted.
hightower
Offline
Personally, I suggest adding --localstatedir=/var to the configure line so Hiawatha's log and www directories are in /var like with how Apache is packaged.
Offline
This is already the case.
hightower
Offline
The start script doesn't work as it should if errors occur, I'm working on it.
hightower
EDIT: It's a bug, fixed in the next release
Offline
Today, a new version of hiawatha was released which fixed the bug with the exit codes. May someone please have a look over the init script? Thanks.
hightower
Offline
Version 5.5 was released:
Changelog (from the hiawatha website):
- Segmentation fault handler (just in case). Logs an alert to syslog.
- An 'include' configuration option can now handle a directory.
- CGI-wrapper logs errors to ErrorLogfile.
- Commandline options -k and -v added.
- LogFormat option added.
- UseGZfile option added.
- Alternative strcasecmp() en strncasecmp().
- 'cgi_wrapper' renamed to 'cgi-wrapper'.
- 'fcgi-server' replaced by 'php-fcgi'.
- 'newroot' installed via autotools.
- Complete code review and rewrites of 'old code'.
- Small bugfixes and improvements.
All files adapted.
hightower
Offline
I uploaded the package to AUR (http://aur.archlinux.org/packages.php?d … =1&ID=8437)
Version 5.6 was released:
Changelog (from the hiawatha website):
- Chrooted FastCGI server support.
- Configuration reading routine rewritten. Angle bracket sections are no longer available. Only curly bracket sections can be used.
- An error in a .hiawatha file results in a 500. An errormessage will be written to the ErrorLogfile.
- CommandChannel improved.
- AllowedCiphers option added.
- DHparameters option added.
- CGIwrapId option renamed to WrapCGI.
- FCGIserverId option renamed to FastCGIid.
- Small bugfixes and improvements.
hightower
Last edited by hightower (2007-02-13 19:47:57)
Offline
Hello,
perhaps a TU could have a look over the uploaded files and flag it safe, if everything is ok. Thanks.
Furthermore, the author (Hugo Leisink) is looking for some feedback concerning bugs, feature requests and so on.
hightower
Offline
New Version available: 5.7
Changelog (from the hiawatha website):
hiawatha (5.7) stable; urgency=medium
* RequireResolveIP option added.
* KillTimedoutCGI option added.
* Aliases added to directory index.
* Extended CommandChannel status output.
* Configurationfiles read in alfabetic order when including a directory.
* More errorlogging.
* (Fast)CGI code improvement.
* Small bugfixes and improvements.
* Bugfix: minor memory issue fixed in show_index().
* Bugfix: possible webserver crash due to bug in log_error().
hightower
Last edited by hightower (2007-03-07 13:23:40)
Offline
New Version available: 5.8
Changelog (from the hiawatha website):
hiawatha (5.8) stable; urgency=low
* Source-plugin has been removed. It's obsolete because of FastCGI.
* Entropy fix during SSL initialization if needed.
* UserDirectory option added.
* More error logging for Hiawatha and the CGI-wrapper.
* Added OpenSSL exception to the license file and libssl.c.
* Bugfixes and small improvements.
hightower
Offline
New Version available: 5.9
Changelog (from the hiawatha website):
hiawatha (5.9) stable; urgency=medium
* PUT and DELETE method implemented.
* 204 No Content.
* Options EnableAlter, AlterGroup, AlterList and AlterMode added.
* Options PasswordFile and RequiredGroup have been changed.
* Better handling of URL encoded characters.
* Improved SQL/command injection and XSS prevention.
* Autoconf improvements (Thanks to Sander Niemeijer, again).
* Bugfix: alias in directory index also appeared in subdirectories.
* Bugfix: ranges were ignored while reading from cache.
* Bugfix: digest HTTP authentication failed when a comma was present
  in the URL.
* Bugfix: small memory leak when reading a .hiawatha file.
* Small bugfixes and improvements.
hightower
Offline
As I go abroad for 2 1/2 months and won't have access to a suitable computer, and as I have to do my military service after this trip, I orphan the hiawatha package.
hightower
Offline