[SOLVED] Changing web user from root to a non-root user?

can I change the uhttpd user from root to something else (maybe a www or http user) that is NOT root?
I ask this for sake of security.
does doing this make luci not work anymore?
or is it just the default and can be changed without problems?
what if the port uhttpd listens on is changed from 80 to something higher than 1024?

Disable HTTP/HTTPS and use SSH or allow access to management ports only via VPN.
Using SSH, set up public key authentication and disable password authentication.

2 Likes

I need the uhttpd for rutorrent and also I like luci's ease of use.
I didn't mean to say that I need to disable httpd

yes you can.

nginx is also available.

For clarification, you’re asking about the process owner, not the credentials that LuCI requires, yes?

I am not running for the presidency of USA. :us:
please quote the relevant part when you answer.

yes.

my issue is twofold.
first (less important) is that I am trying to lower the number of processes that use root privileges.
is modifying uhttpd to not be run as non-root possible, and also does that make using luci useless? because it issues commands for root-related jobs, like upgrading a firmware and installing apps and changing configs.

my second issue is that running uhttpd as root on my openwrt for an rutorrent instance messes with file permissions on rutorrent folder.
I am trying to run the second instance of uhttpd (on higher than 1024 port) for rutorrent.
this is my main issue and more important one.

I have checked both lighttpd and nginx.
but getting rutorrent to run on them was not working and also I like to have a small number of packages installed.

Not easily. You could edit the init script to instruct procd to launch uhttpd as other user, but then it'll likely lack permissions to bind port 80. The uhttpd program itself does not support privilege dropping.

Correct, this will cause LuCI to get executed with non-root privileges which will prevent it from working correctly.

That would allow running uhttpd as non-root at least, but then you still need to somehow ensure that /www/cgi-bin/luci is executed as root. Maybe setuid on the executable would work, but I didn't really test.

1 Like

Nginx does not support CGI, which is required by LuCI to function.

I know it was a challenge in the past, but the collection luci-ssl-nginx seems to be a turn-key solution to using nginx and LuCI.

(With the understanding that all of my builds are off master and it may not be present in v18 builds.)

If rutorrent itself initiates another uhttpd instance then it would be better IMO to run rutorrent under a non-root user.

rutorrent doesn't "initiate" anything.
it is just a folder with php script and files.

I added the folder to uhttpd.conf like this:
config uhttpd 'rutorrent'
	list interpreter '.php=/usr/bin/php-cgi'
	option listen_http 'xxxx' #port higher than 1024
	option home '/mnt/path to turorrent folder/ruTorrent/'

but maybe I should just run another instance of uhttpd with a completely different config separate from the luci instance.

will try to do that and see if it works.

ok
I created a script (just so I don't have to type the commands from memory) and I created another instance of uhttpd with my rutorrent option and it works well.
now I don't have to run my whole rutorrent uhttpd as root and my permissions issues are hopefully gone.

thanks for all the answers.

2 Likes
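
The setup the thread ends on (a second uhttpd for ruTorrent, separate from the LuCI instance, on a port above 1024 and not running as root), written as a procd init script. This is an added example, not the poster's script or OpenWrt's own code; the file name, the `rutorrent` account, port 8081 and the `PATH-TO` directory are assumptions or placeholders.

```shell
# Added example: procd init script, e.g. /etc/init.d/uhttpd-rutorrent (hypothetical name).
# On the router the file must start with the line:  #!/bin/sh /etc/rc.common
# (left out here so the guard function can also be sourced off-device).

START=95
USE_PROCD=1

RUN_AS="rutorrent"                 # assumption: unprivileged account already in /etc/passwd
PORT="8081"                        # constructed value; any free port >= 1024
DOCROOT="/mnt/PATH-TO/ruTorrent"   # placeholder, use your own ruTorrent directory
PHP_CGI="/usr/bin/php-cgi"         # interpreter path as given in the thread

# Succeeds only for a non-root user name on an unprivileged port.
# Ports below 1024 need root to bind, which is what this setup avoids.
instance_ok() {
    user=$1
    port=$2
    [ -n "$user" ] && [ "$user" != "root" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric ports
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]
}

start_service() {
    if ! instance_ok "$RUN_AS" "$PORT"; then
        echo "refusing to start: user '$RUN_AS' / port '$PORT' not allowed" >&2
        return 1
    fi
    procd_open_instance
    # -f keeps uhttpd in the foreground so procd can supervise it
    procd_set_param command /usr/sbin/uhttpd -f \
        -h "$DOCROOT" -p "$PORT" -i ".php=$PHP_CGI"
    procd_set_param user "$RUN_AS"   # procd starts the process as this user
    procd_set_param respawn
    procd_close_instance
}
```

The account named in `RUN_AS` needs read access to the document root and write access to whatever directories ruTorrent writes to. The stock uhttpd instance that serves LuCI is left unchanged and keeps running as root.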
