From: Alexis Susset
To: freebsd-security@freebsd.org
Date: Sun, 18 Feb 2007 14:53:58 +0100
Subject: Secure shared web hosting using MAC Framework

Hi all,

I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users".
Those are the issues I am dealing with:

** Network Security **

- Web users shouldn't be able to connect to reserved local ports apart from 25 (smtp), 80 (http), 443 (https) and 3306 (MySQL).
Solution: run the web server and the web users' shell in a jail, and use ipfw to limit the jail's access to localhost. Those are the rules I have set:

  ${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0
  ${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0
  ${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0
  ${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
  ${fwcmd} add 80 deny ip from any to any jail 1 via lo0

Here, I allow 80 and 443 in case the users want to locally use some web API. MySQL and smtp use are obvious.

- Web users shouldn't be able to open any socket, but they should still be able to connect to the outside.
This is where I do not have a solution. I think the use of mac_bsdextended would work here, but there is no clear way of doing this. Does anyone have a good configuration in place?

** Resources Security **

Solution: This is a straightforward one: configure login.conf and the virtual hosts with resource limits. This can be adjusted for specific users who may need more than usual.

** File System Security **

- Jail Security
Solution: Build the jail with only the required files; this is done via make.conf.

Deny access:

- Web users and executed web scripts shouldn't be able to read other users' data.
Solution: run suPHP for PHP scripts as well as suEXEC for CGI scripts; implement ufs_acl so that the www (web server) user can access any user directory. Add a ufs_acl to the web users' home directories which says: read-write-exec only for $owner and www. Those rights should have priority over any traditional unix file system rights.

- For the users' own security, prevent them from writing to /tmp.
Solution: add a ufs_acl rule to /tmp; this should be read only (for the mysql socket and other things that might reside there).

- As much as possible, web users should have a limited view of the system.
Solution: use the following sysctl variables:

  security.bsd.see_other_uids=0
  security.bsd.unprivileged_read_msgbuf=0

Since the web users are in a jail, set a restricted devfs ruleset (this is easily done via rc.conf):

  jail_web_devfs_enable="YES"
  jail_web_devfs_ruleset="devfsrules_jail"

- Web users and executed web scripts shouldn't be able to read important system files.
Solution: use ufs_acl to prevent the users from accessing the following:

  /boot
  /root
  /sbin
  /usr/sbin
  /usr/local/sbin
  /var
  /etc (apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf, services, mailer.conf, ssh/ssh_config and mail/)
  /usr/local/etc (apart from tools/configs which are normally required by the user, e.g. nss-ldap)

Those rights should have priority over any traditional unix file system rights. I could make a longer list; this one's just to get started. I am sure there's a better way to do that. Maybe a MAC ruleset already exists for that? Has anyone done that already?

- Web users should be able to access their own crontab.
Solution: use ufs_acl to give rights to the crontab directory.

- Web users should be able to send emails.
Solution: use ufs_acl to give rights to the mail spool.

- Web users shouldn't be able to install binaries but should still be able to install CGI scripts.
This is where I do not have a solution. Has anyone implemented such a policy?

This setup gives a lot of rights to the users, which is good for flexible hosting. This gives a lot of available tools to the users as well as the possibility to have a wide open php.ini (let's say register_globals stays off). And thanks to suPHP, you can even make multiple php.ini files for different users.

** What I am looking for is a simpler solution to the file system security. ufs_acl is difficult to implement, so perhaps the use of a MAC module would be better. **

Suggestions on this would be highly appreciated. Those are my thoughts on the subject; do not hesitate to let me know if you have comments and/or better ideas on how to make a secure setup for shared web hosting.

All the best,
-- 
Alexis Susset
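For the file-system question in the post (keeping each web user out of the other web users' files while the www user keeps its access), here is an added example of the mac_bsdextended rules that express that with ugidfw(8). It is not from the original message; the user names alice/bob/carol, the function names, and the assumption of a kernel built with options MAC and the mac_bsdextended module loaded are mine.

```shell
#!/bin/sh
# Added example (not from the original post): build mac_bsdextended rules,
# via ugidfw(8), that deny each web user all access (mode n) to files owned
# by every other web user. The www user is never named as a subject, so it
# keeps whatever access the unix permissions and ACLs give it, and a user's
# own files are never denied because a user is not paired with itself.
# Assumed: kernel with options MAC, module mac_bsdextended available, and
# the listed user names present in the jail's password database.

# Print one "ugidfw add" command per ordered pair of distinct web users.
gen_ugidfw_rules() {
    for subj in "$@"; do
        for obj in "$@"; do
            # a user keeps access to its own files
            [ "$subj" = "$obj" ] && continue
            echo "ugidfw add subject uid $subj object uid $obj mode n"
        done
    done
}

# Load the policy module if needed and apply the generated rules (root only).
apply_ugidfw_rules() {
    kldstat -q -m mac_bsdextended || kldload mac_bsdextended || return 1
    gen_ugidfw_rules "$@" | sh -e
}
```

mac_bsdextended decides on the file's owner uid/gid and is enforced in addition to unix permissions and ACLs, so www's access to the home directories still comes from the ACLs described in the post. The rule count grows as n(n-1), so this pairwise form suits a small user population; check `ugidfw list` after applying.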