Date: Sun, 18 Feb 2007 14:53:58 +0100 From: Alexis Susset <admin@munai.com> To: freebsd-security@freebsd.org Subject: Secure shared web hosting using MAC Framework Message-ID: <E6A3BDDE-909D-4217-A773-9C8106358CD2@munai.com>
next in thread | raw e-mail | index | archive | help
Hi all, I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users". Those are the issues I am dealing with: ** Network Security ** - Web users shouldn't be able to connect to reserved local ports apart from 25(smtp); 80(http); 443(https) and 3306(MySQL) Solution: run the web server and web users shell in a jail, use ipfw to limit the jail access to localhost Those are the rules I have set: ${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0 ${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0 ${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0 ${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0 ${fwcmd} add 80 deny ip from any to any jail 1 via lo0 Here, I allow 80 and 443 in case the users want to locally use some web APi. MySQL and smtp use are obvious. - Web users shouldn't be able to open any socket, but, they should still be able to connect to the outside This is where I do not have a solution. I think the use of mac_bsdextended would work here, but there are no clear way of doing this. Anyone has a good configuration in place ? ** Resources Security ** Solution: This is a straight forward one, configure login.conf and the virtual hosts with resources limits. This can be adjusted for specific user who may need more than usual. ** File System Security ** - Jail Security Solution: Build the jail with only required files, this is done via make.conf Deny access - Web users and executed web scripts shouldn't be able to read other users data Solution: run suPHP for php scripts as well as suEXEC for cgi-scripts implement ufs_acl so that the www (Web Server) user can access any user directory Add a ufs_acl to the Web users home directory which says: read-write-exec only from $owner and www Those rights should have priority on any traditional unix file system rights. - For the user's own security, prevent them from writing to /tmp Solution: add a ufs_acl rule to /tmp, this should be read only (for mysql socket and other things that might reside here) - As much as possible, web users should have a limited view of the systems Solution: use the follwing sysctl variable security.bsd.see_other_uids=0 security.bsd.unprivileged_read_msgbuf=0 Since the web users are in a jail, set restricted devfs ruleset (this is easily done via rc.conf) jail_web_devfs_enable="YES" jail_web_devfs_ruleset="devfsrules_jail" - Web users and executed web scripts shouldn't be able to read important system files Solution: use ufs_acl to prevent the users from accessing the following: /boot /root /sbin /usr/sbin /usr/local/sbin /var /etc/(apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf, services, mailer.conf, ssh/ssh_config and mail/) /usr/local/etc (appart from tools/configs which are normally required by the user. eg: nss-ldap) Those rights should have priority on any traditional unix file system rights. I could make a longer list, this one's just ot get started. I am sure there's a better way to do that, maybe a MAC ruleset already exists for that, has anyone done that already? - Web users should be able to access their own crontab Solution: use ufs_acl to give rights to the crontab directory - Web users should be able to send emails Solution: use ufs_acl to give rights to the mail spool - Web users shouldn't be able to install binaries but still be able to install CGi scripts This is where I do not have a solution. Has anyone implemented such policy? This setup gives a lot of rights to the users, which is good for a flexible hosting. This gives a lot of available tools to the users as well as the possibility to have a wide open php.ini (let's say register_gobals stays off). And thanks to suPHP, you can even make multiple php.ini for different users. ** What i am looking for is a simpler solution to the file system security. ufs_acl is difficult to implement, so perhaps the use of a MAC module would be better. ** Suggestion on this would be highly appreciated. Those are my thoughts on the subject, do not hesitate to let me know if you have comments and/or better ideas on how to make a secure setup for shared web hosting. All the best, -- Alexis Susset
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E6A3BDDE-909D-4217-A773-9C8106358CD2>