From: Borja Marcos
To: freebsd-security@freebsd.org
Date: Wed, 3 May 2006 15:49:39 +0200
Subject: MAC policies and shared hosting
List: "Security issues [members-only posting]"

Hello,

I've been looking at the different MAC modules available and how they could help to implement a less insecure than usual shared hosting web server.

I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I missed anything? Has something similar been done?

The module would (roughly) work as follows:

Defining security levels in a similar way to mac_mls or mac_biba, we define a range of uids as sysctl variables to be used as "compartments". For example,

    mac.mac_uids.lowuid
    mac.mac_uids.highid

And it would be implemented so that, below a given security level (mac.mac_uids.enforce_below):

- Any operation of a subject with uid x (between lowuid and highuid) on an object with uid y (between lowuid and highuid) would fail.

- A subject with a given security level could not modify an object with a higher security level.

This, combined with a chroot tree, would (I think) be much better than the typical solutions available. The webserver process would be launched as a low-security subject, and it is assumed that it would make a setuid() before launching a CGI process. And perhaps it wouldn't be so hard to modify an existing webserver so that it changed the uid when serving a page associated with a virtual server, adding a uid parameter to virtual servers.

What do you think? Ideas? (This is only a quick and dirty idea)

Borja.
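The access decision the post sketches, written out as an added example that is not code from the post or from any FreeBSD MAC module: a userland simulation of the two rules, exercised on the shared-hosting scenario the post describes (web server at a low security level, CGI running after setuid() as a customer uid). The tunable values, the operation set, the `mac_uids_check`/`check_uids` names, and the assumption that a compartment uid may still act on objects of its own uid (the post says "any operation" but a CGI that cannot read its own files would be unusable) are all assumptions made here, not statements from the post.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/*
 * Simulation of the "mac_uids" policy sketched in the post. This is an
 * added illustration, not a kernel MAC module: labels, tunables and the
 * decision function live in userland so the rules can be exercised.
 */

/* Tunables named after the sysctls proposed in the post (values assumed). */
struct mac_uids_policy {
    uid_t lowuid;        /* first uid of the customer "compartment" range */
    uid_t highuid;       /* last uid of that range */
    int   enforce_below; /* rules apply only to subjects below this level */
};

enum mac_op { MAC_OP_READ, MAC_OP_WRITE, MAC_OP_EXEC };

/* A subject (process) or object (file) carries a uid and a security level. */
struct mac_label {
    uid_t uid;
    int   level;
};

/* Constructed example configuration: customers get uids 10000-19999. */
const struct mac_uids_policy example_policy = {
    .lowuid = 10000, .highuid = 19999, .enforce_below = 10,
};

static int in_compartment(const struct mac_uids_policy *p, uid_t uid)
{
    return uid >= p->lowuid && uid <= p->highuid;
}

/* Returns 0 to allow the operation, EACCES to deny it. */
int mac_uids_check(const struct mac_uids_policy *p,
                   const struct mac_label *subj,
                   const struct mac_label *obj, enum mac_op op)
{
    /* Subjects at or above enforce_below are outside the policy's scope. */
    if (subj->level >= p->enforce_below)
        return 0;

    /*
     * Rule 1: a compartment uid may not touch objects of another
     * compartment uid, whatever the operation. Assumption: a subject may
     * still act on objects of its own uid.
     */
    if (in_compartment(p, subj->uid) && in_compartment(p, obj->uid) &&
        subj->uid != obj->uid)
        return EACCES;

    /* Rule 2: no modification of an object with a higher security level. */
    if (op == MAC_OP_WRITE && obj->level > subj->level)
        return EACCES;

    return 0;
}

/* Convenience wrapper so one scenario fits on a line. */
int check_uids(const struct mac_uids_policy *p, uid_t suid, int slevel,
               uid_t ouid, int olevel, enum mac_op op)
{
    struct mac_label s = { suid, slevel };
    struct mac_label o = { ouid, olevel };
    return mac_uids_check(p, &s, &o, op);
}

int main(void)
{
    const struct mac_uids_policy *p = &example_policy;
    /* Constructed scenario: httpd runs as uid 80 at level 0, customers are
       uids 10001 and 10002 at level 0, the server configuration is owned by
       root at level 5, and an administrator shell runs at level 10. */
    struct { const char *what; int rc; } cases[] = {
        { "httpd reads customer 10001's page",
          check_uids(p, 80, 0, 10001, 0, MAC_OP_READ) },
        { "httpd rewrites the level-5 configuration",
          check_uids(p, 80, 0, 0, 5, MAC_OP_WRITE) },
        { "CGI (after setuid to 10001) writes its own file",
          check_uids(p, 10001, 0, 10001, 0, MAC_OP_WRITE) },
        { "CGI as 10001 reads customer 10002's file",
          check_uids(p, 10001, 0, 10002, 0, MAC_OP_READ) },
        { "admin at level 10 edits customer 10002's file",
          check_uids(p, 0, 10, 10002, 0, MAC_OP_WRITE) },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-48s %s\n", cases[i].what,
               cases[i].rc == 0 ? "allowed" : "denied (EACCES)");
    return 0;
}
```

The scenario shows what the post's design buys and what it does not: a compromised CGI running as one customer uid is walled off from every other customer's files and from higher-level objects, but the web server itself, running outside the uid range, can still read every customer's content, so its own level and the chroot tree remain the only things standing between a server-side bug and other customers' data.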