darkPi
Posts: 2
Joined: Thu Sep 26, 2019 9:50 am

Secure way to manipulate GPIO from HTML button

Thu Sep 26, 2019 10:06 am

Hi all

I managed to set up a simple POC where I use a simple HTML link (<a href>) to switch on/off a lamp connected to a RPi via a relay. I did this by putting together info from different tutorials and websites: downloading OS, setting up the Pi, installing apache, installing PHP, installing python, setting it up, getting a relay, hooking it up to the GPIO pins and hooking up the light etc :P

And then I found a tutorial on how to switch on/off the light using HTML/PHP. I followed it and got things to work BUT ... I feel the way it is done is quite insecure. It uses sudo and a hard-coded password in the PHP to call the python script that manages the GPIO pins. And I can't help but think that this is not the best way :?

How would I go about manipulating the GPIO pins (simple on/off) using a button on a webpage in a secure way :?:

DougieLawson
Posts: 36305
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Secure way to manipulate GPIO from HTML button

Thu Sep 26, 2019 11:44 am

Easiest is to write a CGI program that uses pigpio. That connects to the pigpiod daemon that does whatever is needed to wiggle your GPIO pins.

Pigpio has a python or a C/C++ interface.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

tpyo kingg
Posts: 626
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Secure way to manipulate GPIO from HTML button

Thu Sep 26, 2019 12:00 pm

There is also the utility gpio which can manipulate the GPIO pins conveniently from either the shell, shell scripts, or perl's or python's respective system() functions.

Code:

gpio readall
gpio -g mode 24 output

gpio -g write 24 1
gpio -g write 24 0
gpio -g toggle 24
gpio -g toggle 24

It's part of the wiringpi package, if it's not already there by default.

So with that your CGI could be a simple shell script without need for any parameters.

DougieLawson
Posts: 36305
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Secure way to manipulate GPIO from HTML button

Thu Sep 26, 2019 12:48 pm

tpyo kingg wrote:
Thu Sep 26, 2019 12:00 pm
It's part of the [deprecated] wiringpi package, if it's not already there by default.
http://wiringpi.com/wiringpi-deprecated/

tpyo kingg
Posts: 626
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Secure way to manipulate GPIO from HTML button

Thu Sep 26, 2019 1:01 pm

Thanks. I had not seen that yet. So go all good things. :( Time to look for perl or python bindings after a short while.

Licensing violations seem to have been increasing by leaps and bounds around the world, affecting many projects. The position of high-profile institutions like the LF seems to be making that worse. I hope it does not decay beyond a point of no return.

Heater
Posts: 13592
Joined: Tue Jul 17, 2012 3:02 pm

Re: Secure way to manipulate GPIO from HTML button

Thu Sep 26, 2019 2:59 pm

So what about the "secure" part?

Secure against what?

If you are wanting access to your Pi and this web page from the internet, as a minimum you should be sure to use HTTPS. And only HTTPS. For that you will need some security certificates and keys. You can get them for free from https://letsencrypt.org/ where you will find good instructions on installing them to Apache.

That is only the beginning. You will need to implement a login page and such. You should try to follow all the recommendations for securing a web site. For example: https://www.sensedeep.com/blog/posts/st ... klist.html There are many such checklists around the net.
Memory in C++ is a leaky abstraction.

darkPi
Posts: 2
Joined: Thu Sep 26, 2019 9:50 am

Re: Secure way to manipulate GPIO from HTML button

Thu Oct 10, 2019 7:21 pm

Hi all

thanks for the replies.

As for the "secure against what" question: secure against the password leaking. Sure, the sudo option works. But the solution required that I give the user "www-data" sudo access. Then user www-data can launch the command to switch the GPIO pins using sudo, but it requires the password. That password is fed to the command, but it means it is hardcoded. So if anything goes wrong and someone gets to the password, they can abuse user www-data, which has sudo access, which to me sounds dangerous.

What I'm looking for is a button that enables / disables the GPIO pins in the most secure way possible.

Andyroo

Re: Secure way to manipulate GPIO from HTML button

Thu Oct 10, 2019 7:39 pm

You can limit the impact of sudo under www-data by creating a script to set / clear the pin and then using the sudoers file to grant access to the program only.

This link may help.
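
The restricted grant described above, as an added example that is not from the thread or from the missing link: a sudoers drop-in that lets www-data run one script with two fixed argument lists and without a password. The file name and the script path /usr/local/sbin/lamp-switch are hypothetical, and the broad rule shown in the comment is constructed for contrast.

```sudoers
# /etc/sudoers.d/lamp   (hypothetical file; edit with: visudo -f /etc/sudoers.d/lamp)
#
# Too broad (constructed example): www-data may run any command as root,
# and the PHP page has to carry a password to do it.
#   www-data ALL=(ALL:ALL) ALL
#
# Narrow: www-data may run exactly these two command lines as root and
# nothing else. Because the arguments are listed, any other argument is
# refused. NOPASSWD means no password has to be stored in the PHP code.
www-data ALL=(root) NOPASSWD: /usr/local/sbin/lamp-switch on, /usr/local/sbin/lamp-switch off
```

The script must be owned by root and not writable by www-data; if www-data can edit the file it is allowed to run as root, the rule is equivalent to full sudo access.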

DougieLawson
Posts: 36305
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Secure way to manipulate GPIO from HTML button

Fri Oct 11, 2019 11:05 am

Andyroo wrote:
Thu Oct 10, 2019 7:39 pm
You can limit the impact of sudo under www-data by creating a script to set / clear the pin and then using the sudoers file to grant access to the program only.

This link may help.

A better alternative is: don't use sudo at all. Use the pigpiod daemon to control the pins. Drive pigpiod from the web CGI program with the python pigpio library.

No sudo means no security concerns.
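
The no-sudo approach described above, as an added example that is not code from the thread: a Python CGI script that accepts only a POST carrying action=on or action=off and drives one fixed pin through pigpiod. GPIO 24 and an active-high relay are assumptions, as is pigpiod listening on its default local port.

```python
#!/usr/bin/env python3
"""CGI endpoint that switches one fixed relay pin through pigpiod (no sudo)."""
import contextlib
import os
import sys
import urllib.parse

RELAY_GPIO = 24                  # assumed BCM pin; fixed here, never read from the request
ACTIONS = {"on": 1, "off": 0}    # the only values a client may send (active-high relay assumed)


def handle(method, body, pi):
    """Validate one request and return (status, message)."""
    if method != "POST":         # a plain link (GET) must never change state
        return "405 Method Not Allowed", "use POST"
    values = urllib.parse.parse_qs(body).get("action", [])
    if len(values) != 1 or values[0] not in ACTIONS:
        return "400 Bad Request", "action must be on or off"
    if not pi.connected:
        return "503 Service Unavailable", "pigpiod is not reachable"
    pi.write(RELAY_GPIO, ACTIONS[values[0]])
    state = "on" if pi.read(RELAY_GPIO) else "off"
    return "200 OK", "relay is " + state


def main():
    import pigpio                # imported late so handle() can be tested off the Pi
    try:
        length = int(os.environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = sys.stdin.read(max(0, min(length, 64)))   # a valid form body is tiny
    # Keep anything the library prints out of the CGI response headers.
    with contextlib.redirect_stdout(sys.stderr):
        pi = pigpio.pi("localhost", 8888)            # pigpiod's default socket
    try:
        if pi.connected:
            pi.set_mode(RELAY_GPIO, pigpio.OUTPUT)
        status, msg = handle(os.environ.get("REQUEST_METHOD", ""), body, pi)
    finally:
        if pi.connected:
            pi.stop()
    sys.stdout.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n" % (status, msg))


if __name__ == "__main__":
    main()
```

pigpiod accepts unauthenticated commands on TCP port 8888, so start it with `pigpiod -l` to disable the remote socket interface and leave only local processes able to reach it.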