From: Alexis Susset
Date: Sun, 18 Feb 2007 06:01:24 -0800
To: freebsd-security@freebsd.org
Subject: Secure shared web hosting using MAC Framework

Hi all,

I am looking at securing a web server using the FreeBSD MAC Framework.

To make things clear I will call the hosted users "web users". Those are the issues I am dealing with:

** Network Security **
- Web users shouldn't be able to connect to reserved local ports apart from 25 (smtp), 80 (http), 443 (https) and 3306 (MySQL)
Solution:
run the web server and web users' shell in a jail, use ipfw to limit the jail's access to localhost
Those are the rules I have set:
${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0
${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0
${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0
${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
${fwcmd} add 80 deny ip from any to any jail 1 via lo0
Here, I allow 80 and 443 in case the users want to locally use some web API. MySQL and smtp use are obvious.

- Web users shouldn't be able to open any socket, but they should still be able to connect to the outside
This is where I do not have a solution.
I think the use of mac_bsdextended would work here, but there is no clear way of doing this.
Does anyone have a good configuration in place?

** Resources Security **
Solution:
This is a straightforward one: configure login.conf and the virtual hosts with resource limits.
This can be adjusted for specific users who may need more than usual.

** File System Security **
- Jail Security
Solution:
Build the jail with only required files, this is done via make.conf
Deny access

- Web users and executed web scripts shouldn't be able to read other users' data
Solution:
run suPHP for php scripts as well as suEXEC for cgi-scripts
implement ufs_acl so that the www (Web Server) user can access any user directory
Add a ufs_acl to the web users' home directory which says: read-write-exec only from $owner and www
Those rights should have priority over any traditional unix file system rights.

- For the user's own security, prevent them from writing to /tmp
Solution:
add a ufs_acl rule to /tmp, this should be read only (for the mysql socket and other things that might reside here)

- As much as possible, web users should have a limited view of the system
Solution:
use the following sysctl variables
security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0
Since the web users are in a jail, set a restricted devfs ruleset (this is easily done via rc.conf)
jail_web_devfs_enable="YES"
jail_web_devfs_ruleset="devfsrules_jail"

- Web users and executed web scripts shouldn't be able to read important system files
Solution:
use ufs_acl to prevent the users from accessing the following:
/boot /root
/sbin /usr/sbin /usr/local/sbin
/var
/etc/ (apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf, services, mailer.conf, ssh/ssh_config and mail/)
/usr/local/etc (apart from tools/configs which are normally required by the user, e.g. nss-ldap)
Those rights should have priority over any traditional unix file system rights.
I could make a longer list, this one's just to get started.
I am sure there's a better way to do that, maybe a MAC ruleset already exists for that, has anyone done that already?

- Web users should be able to access their own crontab
Solution: use ufs_acl to give rights to the crontab directory

- Web users should be able to send emails
Solution: use ufs_acl to give rights to the mail spool

- Web users shouldn't be able to install binaries but still be able to install CGI scripts
This is where I do not have a solution.
Has anyone implemented such a policy?

This setup gives a lot of rights to the users, which is good for flexible hosting. This gives a lot of available tools to the users as well as the possibility to have a wide open php.ini (let's say register_globals stays off). And thanks to suPHP, you can even make multiple php.ini for different users.

** What I am looking for is a simpler solution to the file system security. ufs_acl is difficult to implement, so perhaps the use of a MAC module would be better. **

Suggestions on this would be highly appreciated.

Those are my thoughts on the subject, do not hesitate to let me know if you have comments and/or better ideas on how to make a secure setup for shared web hosting.

All the best,
-- 
Alexis Susset
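An added example, not part of Alexis's post: a small Python model of first-match evaluation over the five ipfw rules quoted above, for checking the policy offline before loading it. The rules only match traffic that belongs to a socket in jail 1 and traverses lo0, so loopback traffic from the jail to anything other than 25, 80, 443 or 3306 hits the deny at rule 80, while jail traffic on any other interface falls through to whatever rules follow in the ruleset (which is what leaves outbound access open). The packet tuples are constructed for the demonstration, and the parser understands only the options these five rules use.

```python
"""First-match model of the posted ipfw rules (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# The five rules exactly as posted; ${fwcmd} is the firewall command used by rc.firewall.
POSTED_RULES = """
${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0
${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0
${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0
${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
${fwcmd} add 80 deny ip from any to any jail 1 via lo0
"""

# Only the options these rules use are parsed: number, action, protocol,
# "from any to any", optional dst-port list, optional jail id, optional via.
RULE_RE = re.compile(
    r"add\s+(?P<num>\d+)\s+(?P<action>pass|allow|deny|drop)\s+(?P<proto>\S+)"
    r"\s+from\s+any\s+to\s+any"
    r"(?:\s+dst-port\s+(?P<dport>[\d,]+))?"
    r"(?:\s+jail\s+(?P<jail>\d+))?"
    r"(?:\s+via\s+(?P<via>\S+))?\s*$"
)


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                  # normalised to "pass" or "deny"
    proto: str                   # "ip" matches any protocol
    dports: Optional[frozenset]  # None when the rule has no dst-port option
    jail: Optional[int]          # None when the rule has no jail option
    via: Optional[str]           # None when the rule has no via option


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp" (the protocols that carry ports)
    dport: int
    jail: int   # jail id of the socket that owns the packet; 0 = host process
    iface: str  # interface the packet traverses


def parse_rules(text: str) -> list:
    """Parse the posted rule lines and return them in ipfw's evaluation order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.search(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append(Rule(
            num=int(m["num"]),
            action="pass" if m["action"] in ("pass", "allow") else "deny",
            proto=m["proto"],
            dports=frozenset(int(p) for p in m["dport"].split(",")) if m["dport"] else None,
            jail=int(m["jail"]) if m["jail"] else None,
            via=m["via"],
        ))
    return sorted(rules, key=lambda r: r.num)  # ipfw walks rules by ascending number


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every option present on the rule must match; absent options match anything."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.jail is not None and pkt.jail != rule.jail:
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    return True


def evaluate(rules: list, pkt: Packet):
    """Return (action, rule number) of the first matching rule, or (None, None)
    when the packet falls through to whatever rules follow in the ruleset."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.num
    return None, None


if __name__ == "__main__":
    rules = parse_rules(POSTED_RULES)
    # Constructed packets: jailed web user to local MySQL, to local sshd,
    # to a local resolver, out to the Internet, and a host process on lo0.
    for pkt in (Packet("tcp", 3306, 1, "lo0"), Packet("tcp", 22, 1, "lo0"),
                Packet("udp", 53, 1, "lo0"), Packet("tcp", 443, 1, "em0"),
                Packet("tcp", 22, 0, "lo0")):
        print(pkt, "->", evaluate(rules, pkt))
```

One thing the model makes visible: rule 80 denies every loopback packet from the jail that the four pass rules did not cover, so a resolver or any other local daemon the web users must reach over lo0 needs its own pass rule ahead of it.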
From: Stanislav Sedov
Date: Wed, 21 Feb 2007 13:14:21 +0300
To: Alexis Susset
Cc: freebsd-security@freebsd.org
Subject: Re: Secure shared web hosting using MAC Framework
On Sun, 18 Feb 2007 14:53:58 +0100
Alexis Susset mentioned:

> ** Network Security **
[...]
> - Web users shouldn't be able to open any socket, but, they should
> still be able to connect to the outside
> This is where I do not have a solution.
> I think the use of mac_bsdextended would work here, but there are no
> clear way of doing this.
> Anyone has a good configuration in place ?

You can use mac_portacl or net.inet.ip.portrange.reserved{high,low} to deny users from opening listening sockets.

> ** Resources Security **
> Solution:
> This is a straight forward one, configure login.conf and the virtual
> hosts with resources limits.
> This can be adjusted for specific user who may need more than usual.

This isn't as straightforward as you might think. At least you should ensure all apps correctly initialize pam_session (e.g. suexec doesn't do that). Same for cron.

> ** File System Security **
> - Jail Security
> Solution:
> Build the jail with only required files, this is done via make.conf
> Deny access

You can probably use read-only nullfs mounts to disallow file modifications inside jails.

> - Web users and executed web scripts shouldn't be able to read other
> users data
> Solution:
> run suPHP for php scripts as well as suEXEC for cgi-scripts
> implement ufs_acl so that the www (Web Server) user can access any
> user directory
> Add a ufs_acl to the Web users home directory which says:
> read-write-exec only from $owner and www
> Those rights should have priority on any traditional unix file
> system rights.

I believe suPHP will be an amazingly slow solution, as it executes the php executable on each request, IIRC. Thus, the speed will not be faster than php in CGI.

Regarding ACLs: you should also develop some solution that allows ACLs to be inherited, as your users will complain when their newly created files are unreadable by the web server (they will not set ACLs by hand, as you can see). The better solution will probably be to allow the web server group to read all files owned by users (via umask) and then separate users from each other via bsd_extended.

[...]
> - Web users shouldn't be able to install binaries but still be able
> to install CGi scripts
> This is where I do not have a solution.
> Has anyone implemented such policy?

How will you distinguish CGI scripts from binaries? Binaries are effectively CGI scripts too.

-- 
Stanislav Sedov
ST4096-RIPE
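An added example, not from Stanislav's reply or from FreeBSD's own code: a Python model of how mac_portacl(4) rules, its port_high, suser_exempt and autoport_exempt knobs, and the older net.inet.ip.portrange.reserved{low,high} check interact when a process calls bind(). The order of checks follows the module's documentation as I read it (reserved-port privilege check first, then uid/gid rules for ports up to port_high); the uids, gids and rule strings are constructed. It shows the two points a practitioner trips over when using portacl to keep web users from listening: with the stock reservedhigh=1023 a portacl grant for a low port never takes effect, and ports above port_high are not governed by the module at all, so at its defaults portacl constrains only the privileged range.

```python
"""Model of mac_portacl(4) plus the reserved-port check (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class PortaclConfig:
    rules: str                    # security.mac.portacl.rules: "uid:ID:proto:port,gid:ID:proto:port,..."
    port_high: int = 1023         # security.mac.portacl.port_high: rules govern ports <= this
    suser_exempt: bool = True     # security.mac.portacl.suser_exempt: root bypasses the rules
    autoport_exempt: bool = True  # security.mac.portacl.autoport_exempt: bind() to port 0 is allowed
    reserved_low: int = 0         # net.inet.ip.portrange.reservedlow
    reserved_high: int = 1023     # net.inet.ip.portrange.reservedhigh (stock default)


def parse_portacl_rules(text: str) -> list:
    """Parse the comma-separated rule string into (kind, id, proto, port) tuples."""
    rules = []
    for item in (s.strip() for s in text.split(",")):
        if not item:
            continue
        kind, ident, proto, port = item.split(":")
        if kind not in ("uid", "gid") or proto not in ("tcp", "udp"):
            raise ValueError(f"bad portacl rule: {item!r}")
        rules.append((kind, int(ident), proto, int(port)))
    return rules


def bind_allowed(cfg: PortaclConfig, uid: int, gids: Sequence[int], proto: str, port: int):
    """Return (allowed, reason) for a bind() to proto/port by a process with these credentials."""
    if uid == 0 and cfg.suser_exempt:
        return True, "root with suser_exempt"
    if port == 0 and cfg.autoport_exempt:
        return True, "ephemeral port requested, autoport_exempt"
    # The classic reserved-port privilege check still runs: a non-root bind inside
    # [reservedlow, reservedhigh] fails before any portacl rule is consulted. This is
    # why setups that rely on portacl also set net.inet.ip.portrange.reservedhigh=0.
    if uid != 0 and cfg.reserved_low <= port <= cfg.reserved_high:
        return False, "inside net.inet.ip.portrange.reserved range"
    # Ports above port_high are outside the module's scope entirely.
    if port > cfg.port_high:
        return True, "above port_high, not governed by portacl"
    # Otherwise the bind needs an explicit uid or gid rule for exactly this proto/port.
    for kind, ident, rproto, rport in parse_portacl_rules(cfg.rules):
        if rproto != proto or rport != port:
            continue
        if (kind == "uid" and ident == uid) or (kind == "gid" and ident in gids):
            return True, f"granted by {kind}:{ident}:{rproto}:{rport}"
    return False, "no matching portacl rule"


if __name__ == "__main__":
    # Constructed policy: only uid 80 (www) may bind 80 and 443; the reserved range is disabled.
    cfg = PortaclConfig(rules="uid:80:tcp:80,uid:80:tcp:443", reserved_high=0)
    for uid, port in ((80, 443), (1001, 443), (1001, 8080)):
        print(f"uid {uid} tcp/{port}:", bind_allowed(cfg, uid, [uid], "tcp", port))
    # Same rules with the stock reserved range left in place: the grant never applies.
    print("stock reserved range:", bind_allowed(PortaclConfig(rules="uid:80:tcp:80"), 80, [80], "tcp", 80))
```

The third constructed case (uid 1001 on tcp/8080) is the one that matters for the requirement in the original post: an unprivileged web user can still listen on a high port unless port_high is raised to cover it.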
From: Nikolay Pavlov
Date: Wed, 21 Feb 2007 20:31:54 +0200
To: Stanislav Sedov
Cc: Alexis Susset, freebsd-security@FreeBSD.org
Subject: Re: Secure shared web hosting using MAC Framework

On Wednesday, 21 February 2007 at 13:14:21 +0300, Stanislav Sedov wrote:
> On Sun, 18 Feb 2007 14:53:58 +0100
> Alexis Susset mentioned:
[...]
> > - Web users and executed web scripts shouldn't be able to read other
> > users data
> > Solution:
> > run suPHP for php scripts as well as suEXEC for cgi-scripts
[...]
> I believe the suphp will be a amazingly slow solution as it executes
> php executable on each request, IIRC. Thus, the speed will not be
> faster then php in cgi.

But is there any way to disable related php functions? Are there any well-defined configuration examples for mod_php?

[...]
> > - Web users shouldn't be able to install binaries but still be able
> > to install CGi scripts
> > This is where I do not have a solution.
> > Has anyone implemented such policy?
>
> How will you differ CGI scripts and binaries? Binaries effectively cgi
> scripts too.

It is possible to use a pure-ftpd upload script with some file utility magic, but this is only for FTP access of course.

-- 
Best regards, Nikolay Pavlov.
From: Momchil Ivanov
Date: Wed, 21 Feb 2007 22:18:15 +0100
To: Nikolay Pavlov, Stanislav Sedov, Alexis Susset, freebsd-security@freebsd.org
Subject: Re: Secure shared web hosting using MAC Framework
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: idiotbg@gmail.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Feb 2007 21:47:14 -0000 --nextPart1231061.BODpvLLaGh Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline =D0=9D=D0=B0 21.2.2007 19:31 Nikolay Pavlov =D0=BF=D0=B8=D1=88=D0=B5: > On Wednesday, 21 February 2007 at 13:14:21 +0300, Stanislav Sedov wrote: > > On Sun, 18 Feb 2007 14:53:58 +0100 > > > > Alexis Susset mentioned: > > > Hi all, > > > > > > I am looking at securing a web server using the FreeBSD MAC Framework. > > > > > > To make things clear I will call the hosted users "web users". Those > > > are the issues I am dealing with: > > > > > > ** Network Security ** > > > - Web users shouldn't be able to connect to reserved local ports > > > apart from 25(smtp); 80(http); 443(https) and 3306(MySQL) > > > Solution: > > > run the web server and web users shell in a jail, use ipfw to limit > > > the jail access to localhost > > > Those are the rules I have set: > > > ${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0 > > > ${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0 > > > ${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0 > > > ${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0 > > > ${fwcmd} add 80 deny ip from any to any jail 1 via lo0 > > > Here, I allow 80 and 443 in case the users want to locally use some > > > web APi. MySQL and smtp use are obvious. > > > > > > - Web users shouldn't be able to open any socket, but, they should > > > still be able to connect to the outside > > > This is where I do not have a solution. > > > I think the use of mac_bsdextended would work here, but there are no > > > clear way of doing this. 
> > > Does anyone have a good configuration in place?
> >
> > You can use mac_portacl or net.inet.ip.portrange.reserved{high,low} to
> > deny users from opening listening sockets.
> >
> > > ** Resources Security **
> > > Solution:
> > > This is a straightforward one, configure login.conf and the virtual
> > > hosts with resource limits.
> > > This can be adjusted for specific users who may need more than usual.
> >
> > This isn't as straightforward as you might think. At least you should
> > ensure all apps correctly initialize pam_session (e.g. suexec doesn't
> > do that). Same for cron.
> >
> > > ** File System Security **
> > > - Jail Security
> > > Solution:
> > > Build the jail with only required files, this is done via make.conf
> > > Deny access
> >
> > You can probably use read-only nullfs mounts to disallow file
> > modifications inside jails.
> >
> > > - Web users and executed web scripts shouldn't be able to read other
> > > users' data
> > > Solution:
> > > run suPHP for php scripts as well as suEXEC for cgi-scripts
> > > implement ufs_acl so that the www (Web Server) user can access any
> > > user directory
> > > Add a ufs_acl to the Web users' home directory which says:
> > > read-write-exec only from $owner and www
> > > Those rights should have priority over any traditional unix file
> > > system rights.
> >
> > I believe suphp will be an amazingly slow solution as it executes the
> > php executable on each request, IIRC. Thus, the speed will not be
> > faster than php in cgi.
>
> But is there any way to disable related php functions? Are there any well
> defined configuration examples for mod_php?

Is this what you are looking for:
http://www.php.net/manual/en/features.safe-mode.php

disable_functions string
    This directive allows you to disable certain functions for security
    reasons. It takes on a comma-delimited list of function names.
    disable_functions is not affected by Safe Mode.
    This directive must be set in php.ini. For example, you cannot set this
    in httpd.conf.

disable_classes string
    This directive allows you to disable certain classes for security
    reasons. It takes on a comma-delimited list of class names.
    disable_classes is not affected by Safe Mode.
    This directive must be set in php.ini. For example, you cannot set this
    in httpd.conf.

> > Regarding acls - you should also develop some solution that allows
> > acls to be inherited, as your users will complain when their newly
> > created files are unreadable by the web-server (they will not set
> > acls by hand, as you can see). The better solution will probably be to
> > allow the web-server group to read all files owned by users (via umask)
> > and then separate users from each other via bsd_extended.
> >
> > > - For the user's own security, prevent them from writing to /tmp
> > > Solution:
> > > add a ufs_acl rule to /tmp, this should be read only (for mysql
> > > socket and other things that might reside here)
> > >
> > > - As much as possible, web users should have a limited view of the
> > > system
> > > Solution:
> > > use the following sysctl variables
> > > security.bsd.see_other_uids=0
> > > security.bsd.unprivileged_read_msgbuf=0
> > > Since the web users are in a jail, set a restricted devfs ruleset
> > > (this is easily done via rc.conf)
> > > jail_web_devfs_enable="YES"
> > > jail_web_devfs_ruleset="devfsrules_jail"
> > >
> > > - Web users and executed web scripts shouldn't be able to read
> > > important system files
> > > Solution:
> > > use ufs_acl to prevent the users from accessing the following:
> > > /boot /root
> > > /sbin /usr/sbin /usr/local/sbin
> > > /var
> > > /etc/ (apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf,
> > > services, mailer.conf, ssh/ssh_config and mail/)
> > > /usr/local/etc (apart from tools/configs which are normally
> > > required by the user, e.g. nss-ldap)
> > > Those rights should have priority over any traditional unix file
> > > system rights.
> > > I could make a longer list, this one's just to get started.
> > > I am sure there's a better way to do that, maybe a MAC ruleset
> > > already exists for that, has anyone done that already?
> > >
> > > - Web users should be able to access their own crontab
> > > Solution: use ufs_acl to give rights to the crontab directory
> > >
> > > - Web users should be able to send emails
> > > Solution: use ufs_acl to give rights to the mail spool
> > >
> > > - Web users shouldn't be able to install binaries but still be able
> > > to install CGI scripts
> > > This is where I do not have a solution.
> > > Has anyone implemented such a policy?
> >
> > How will you distinguish CGI scripts from binaries? Binaries are
> > effectively cgi scripts too.
> > It is possible to use a pure-ftpd upload script with some file utility
> > magic, but this is only for ftp access of course.
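The disable_functions / disable_classes directives quoted from the PHP manual above are only as good as the php.ini that actually ships on each host, so here is an added check written for this thread (example code, not from the PHP manual or from any poster): a POSIX sh script that reads a php.ini the way PHP resolves it (last assignment wins, ';' comments dropped, quotes stripped) and reports which functions from a required baseline are not disabled. The php.ini content and the baseline list (exec, system, passthru, proc_open, popen) are constructed for the illustration.

```sh
#!/bin/sh
# Audit a php.ini for the disable_functions / disable_classes directives.
# Added example for this thread; the php.ini content below is constructed.

# php_ini_get FILE DIRECTIVE
# Print the effective value of DIRECTIVE in FILE the way PHP resolves it:
# the last assignment wins, ';' comment lines and trailing comments are
# dropped, surrounding whitespace and double quotes are stripped.
# Caveat: a ';' inside a quoted value is also treated as a comment start.
php_ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }
        {
            sub(/;.*$/, "")
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1)
            v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# missing_disabled FILE REQUIRED
# REQUIRED is a comma-separated list of function names that local policy says
# must appear in disable_functions.  Prints every required name that is NOT
# disabled in FILE, one per line; prints nothing when the policy holds.
missing_disabled() {
    have=$(php_ini_get "$1" disable_functions | tr ',' '\n' |
           sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    echo "$2" | tr ',' '\n' | while read -r fn; do
        if [ -n "$fn" ] && ! printf '%s\n' "$have" | grep -qxF -- "$fn"; then
            echo "$fn"
        fi
    done
}

# Demonstration on a constructed php.ini (not any real server's file).
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
; constructed sample php.ini
[PHP]
disable_functions = exec,system,shell_exec   ; first attempt
disable_classes = "DirectoryIterator"
; a later assignment overrides the earlier one, as PHP itself does
disable_functions = exec, system, shell_exec, proc_open
EOF

echo "disable_classes: $(php_ini_get "$demo_ini" disable_classes)"
echo "required functions still enabled:"
missing_disabled "$demo_ini" "exec,system,passthru,proc_open,popen"
rm -f "$demo_ini"
```

Run it against the php.ini that the jailed web server really loads (the path is whatever your port installed, so check `php -i` rather than assuming); an empty result from missing_disabled means the policy holds. As the manual excerpt says, the directive has to live in php.ini, so a value set in httpd.conf will not show up here and will not take effect either.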
PGP KeyID: 0x3118168B  Keyserver: pgp.mit.edu
Key fingerprint: BB50 2983 0714 36DC D02E 158A E03D 56DA 3118 168B

From owner-freebsd-security@FreeBSD.ORG Fri Feb 23 16:17:14 2007
From: David Schulz
Date: Sat, 24 Feb 2007 00:17:00 +0800
To: freebsd-security@freebsd.org
Subject: Advice for Internet facing Mailserver
Message-Id: <2FF03F09-23CA-44ED-87BA-673095FFE430@tca-cable-connector.com>
References: <8F62D3F1-B5AF-442F-B492-67D28FDCE9F0@tca-cable-connector.com>

Hello and good day,

I have set up a server which is directly connected to the Internet, without a
NAT router or other firewall appliance. I am using FreeBSD 6.2. I have pf
enabled to only allow traffic on specified ports. I am using Apache-13 +
Postfix + Dovecot & mysql for my mail system. There is only one /home/User,
which authenticates via a key with passphrase to sshd. The mail users all
authenticate to a mysql database.
I know that I could make use of chroot or better jail to secure the machine
from possible exploits in postfix & co, but I am not yet comfortable with
jail. Other than keeping my ports (and system) up to date, can you give me
some tips on how to secure my box a little bit?
Thanks a lot,
David

From owner-freebsd-security@FreeBSD.ORG Sat Feb 24 09:05:08 2007
From: Derek Ragona
Date: Fri, 23 Feb 2007 12:57:38 -0600
To: David Schulz, freebsd-security@freebsd.org
Subject: Re: Advice for Internet facing Mailserver
Message-Id: <6.0.0.22.2.20070223125703.025529d8@mail.computinginnovations.com>
In-Reply-To: <2FF03F09-23CA-44ED-87BA-673095FFE430@tca-cable-connector.com>

You might want to use /etc/hosts.allow to restrict some protocols further.

-Derek

At 10:17 AM 2/23/2007, David Schulz wrote:
>Hello and good day,
>
>I have set up a server which is directly connected to the Internet,
>without a NAT router or other firewall appliance. I am using FreeBSD
>6.2. I have pf enabled to only allow traffic on specified ports. I am
>using Apache-13 + Postfix + Dovecot & mysql for my mail system. There
>is only one /home/User, which authenticates via a key with passphrase to
>sshd. The mail users all authenticate to a mysql database.
>I know that I could make use of chroot or better jail to secure the
>machine from possible exploits in postfix & co, but I am not yet
>comfortable with jail. Other than keeping my ports (and system) up to
>date, can you give me some tips on how to secure my box a little bit?
>
>Thanks a lot,
>David
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>MailScanner thanks transtec Computers for their support.
From owner-freebsd-security@FreeBSD.ORG Sat Feb 24 18:29:04 2007
From: Bob Madore
Date: Sat, 24 Feb 2007 09:57:41 -0800
To: Derek Ragona
Cc: David Schulz, freebsd-security@freebsd.org
Subject: Re: Advice for Internet facing Mailserver
Message-ID: <45E07C95.8040606@dexis.net>
In-Reply-To: <6.0.0.22.2.20070223125703.025529d8@mail.computinginnovations.com>

Another program to consider is DenyHosts
http://denyhosts.sourceforge.net/
It works exceptionally well.

Bob

Derek Ragona wrote:
> You might want to use /etc/hosts.allow to restrict some protocols
> further.
>
> -Derek
>
> At 10:17 AM 2/23/2007, David Schulz wrote:
>> Hello and good day,
>>
>> I have set up a server which is directly connected to the Internet,
>> without a NAT router or other firewall appliance. I am using FreeBSD
>> 6.2. I have pf enabled to only allow traffic on specified ports. I am
>> using Apache-13 + Postfix + Dovecot & mysql for my mail system. There
>> is only one /home/User, which authenticates via a key with
>> passphrase to sshd. The mail users all authenticate to a mysql database.
>> I know that I could make use of chroot or better jail to secure the
>> machine from possible exploits in postfix & co, but I am not yet
>> comfortable with jail. Other than keeping my ports (and system) up to
>> date, can you give me some tips on how to secure my box a little bit?
>>
>> Thanks a lot,
>> David
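Derek's /etc/hosts.allow suggestion and Bob's DenyHosts pointer fit together: DenyHosts watches the sshd log for repeated authentication failures and turns them into deny rules. As an added example for this thread (not code from DenyHosts or from any poster), here is a small POSIX sh version of that loop: it counts sshd "Failed password" lines per source address and prints FreeBSD hosts.allow(5) lines in the extended "daemon : client : deny" form for every address at or above a threshold. The log lines and addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed, and the threshold of 3 is an assumed value.

```sh
#!/bin/sh
# DenyHosts-style check over sshd log lines, producing hosts.allow(5) deny
# entries.  Added example for this thread; the log lines are constructed.

# failed_by_ip LOG
# Count sshd "Failed password" lines per source address.  Output is
# "count ip", one per line, highest count first.  Successful logins and
# other daemons are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# hosts_allow_deny LOG THRESHOLD
# Print one FreeBSD extended-syntax hosts.allow line per address with at
# least THRESHOLD failures.  Addresses below the threshold are left alone so a
# single mistyped password does not lock a legitimate user out.
hosts_allow_deny() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print "sshd : " $2 " : deny" }'
}

# Demonstration on constructed log lines (documentation address ranges).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Feb 24 09:01:12 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Feb 24 09:01:15 mail sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Feb 24 09:01:19 mail sshd[1205]: Failed password for root from 203.0.113.5 port 40212 ssh2
Feb 24 09:02:02 mail sshd[1210]: Accepted publickey for david from 198.51.100.7 port 51022 ssh2
Feb 24 09:05:40 mail sshd[1222]: Failed password for david from 198.51.100.7 port 51030 ssh2
EOF

echo "failures per address:"
failed_by_ip "$demo_log"
echo "hosts.allow entries (threshold 3, an assumed value):"
hosts_allow_deny "$demo_log" 3
rm -f "$demo_log"
```

The generated lines belong above the final "ALL : ALL : allow" rule in /etc/hosts.allow, and they only bite if sshd honours the wrappers, which the base system sshd does. Review the output before installing it: every failure behind a shared NAT address counts against that one address, so a colleague mistyping a password three times from the office would be denied along with a real brute-forcer, which is the trade-off DenyHosts makes as well.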