From: Alexis Susset
Date: Sun, 18 Feb 2007 06:01:24 -0800
To: freebsd-security@freebsd.org
Subject: Secure shared web hosting using MAC Framework

Hi all,

I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users".
These are the issues I am dealing with:

** Network Security **

- Web users shouldn't be able to connect to reserved local ports apart from 25 (smtp), 80 (http), 443 (https) and 3306 (MySQL)

  Solution: run the web server and the web users' shell in a jail, and use ipfw to limit the jail's access to localhost. These are the rules I have set:

    ${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0
    ${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0
    ${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0
    ${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
    ${fwcmd} add 80 deny ip from any to any jail 1 via lo0

  Here, I allow 80 and 443 in case the users want to locally use some web API. MySQL and smtp use are obvious.

- Web users shouldn't be able to open any socket, but they should still be able to connect to the outside

  This is where I do not have a solution. I think the use of mac_bsdextended would work here, but there is no clear way of doing this. Does anyone have a good configuration in place?

** Resources Security **

Solution: This is a straightforward one: configure login.conf and the virtual hosts with resource limits. This can be adjusted for specific users who may need more than usual.

** File System Security **

- Jail Security

  Solution: Build the jail with only the required files; this is done via make.conf.

Deny access:

- Web users and executed web scripts shouldn't be able to read other users' data

  Solution: run suPHP for PHP scripts as well as suEXEC for CGI scripts. Implement ufs_acl so that the www (web server) user can access any user directory. Add a ufs_acl to the web users' home directory which says: read-write-exec only for $owner and www. Those rights should have priority over any traditional Unix file system rights.
- For the user's own security, prevent them from writing to /tmp

  Solution: add a ufs_acl rule to /tmp; this should be read-only (for the mysql socket and other things that might reside here).

- As much as possible, web users should have a limited view of the system

  Solution: use the following sysctl variables:

    security.bsd.see_other_uids=0
    security.bsd.unprivileged_read_msgbuf=0

  Since the web users are in a jail, set a restricted devfs ruleset (this is easily done via rc.conf):

    jail_web_devfs_enable="YES"
    jail_web_devfs_ruleset="devfsrules_jail"

- Web users and executed web scripts shouldn't be able to read important system files

  Solution: use ufs_acl to prevent the users from accessing the following:

    /boot
    /root
    /sbin
    /usr/sbin
    /usr/local/sbin
    /var
    /etc (apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf, services, mailer.conf, ssh/ssh_config and mail/)
    /usr/local/etc (apart from tools/configs which are normally required by the user, e.g. nss-ldap)

  Those rights should have priority over any traditional Unix file system rights. I could make a longer list; this one's just to get started. I am sure there's a better way to do that, maybe a MAC ruleset already exists for that. Has anyone done that already?

- Web users should be able to access their own crontab

  Solution: use ufs_acl to give rights to the crontab directory

- Web users should be able to send emails

  Solution: use ufs_acl to give rights to the mail spool

- Web users shouldn't be able to install binaries but still be able to install CGI scripts

  This is where I do not have a solution. Has anyone implemented such a policy?

This setup gives a lot of rights to the users, which is good for flexible hosting. It gives a lot of available tools to the users as well as the possibility to have a wide open php.ini (let's say register_globals stays off). And thanks to suPHP, you can even make multiple php.ini files for different users.

** What I am looking for is a simpler solution to the file system security.
ufs_acl is difficult to implement, so perhaps the use of a MAC module would be better. **

Suggestions on this would be highly appreciated. Those are my thoughts on the subject; do not hesitate to let me know if you have comments and/or better ideas on how to make a secure setup for shared web hosting.

All the best,
-- 
Alexis Susset
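As an added illustration (not part of the post above), this script turns the loopback port filter and the per-user ufs_acl policy described in the message into a repeatable set of ipfw and setfacl commands. It assumes jail id 1, the web server running as user www, a group webusers containing every hosted account, and a home filesystem mounted with the acls option; DRY_RUN=1 prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example (not from the original post): emit or apply the jail loopback
# filter and the per-user ACLs described in the message. Assumed names: jail id
# 1, web server user "www", group "webusers" for hosted accounts, home
# filesystem mounted with "acls". DRY_RUN=1 prints instead of executing.

JAIL_ID="${JAIL_ID:-1}"
FWCMD="${FWCMD:-ipfw}"
WWW_USER="${WWW_USER:-www}"
WEB_GROUP="${WEB_GROUP:-webusers}"
ALLOWED_PORTS="${ALLOWED_PORTS:-25 80 443 3306}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Loopback rules: one pass rule per allowed destination port, numbered from
# 60, then a deny for everything else the jail sends via lo0 (the post used
# rule 80 for the deny; here it is simply the next free number).
jail_loopback_rules() {
    n=60
    for port in $ALLOWED_PORTS; do
        run "$FWCMD" add "$n" pass ip from any to any dst-port "$port" jail "$JAIL_ID" via lo0
        n=$((n + 1))
    done
    run "$FWCMD" add "$n" deny ip from any to any jail "$JAIL_ID" via lo0
}

# Home directory: drop all group/other bits, then grant the web server user
# rwx through a named-user ACL entry, so only the owner and www can get in.
web_user_home_acl() {
    home="$1"
    run chmod 700 "$home"
    run setfacl -m "u:${WWW_USER}:rwx" "$home"
}

# System directories: an empty named-group entry for the hosted accounts
# overrides the traditional "other" bits without touching each user.
deny_system_dirs() {
    for dir in "$@"; do
        run setfacl -m "g:${WEB_GROUP}:-" "$dir"
    done
}

# Usage: DRY_RUN=1 sh webhost-policy.sh apply   (drop DRY_RUN to execute)
if [ "${1:-}" = "apply" ]; then
    jail_loopback_rules
    web_user_home_acl /home/alice        # constructed sample account
    deny_system_dirs /boot /root /sbin /usr/sbin /usr/local/sbin /var
fi
```

Denying /var wholesale has the same consequence the post notes: the crontab directory and mail spool then need their own more specific entries for the hosted accounts.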