Hi all,

I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users". Those are the issues I am dealing with:

** Network Security **

- Web users shouldn't be able to connect to reserved local ports apart from 25 (smtp), 80 (http), 443 (https) and 3306 (MySQL)

Solution: run the web server and the web users' shell in a jail, and use ipfw to limit the jail's access to localhost. Those are the rules I have set:

${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0
${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0
${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0
${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
${fwcmd} add 80 deny ip from any to any jail 1 via lo0

Here, I allow 80 and 443 in case the users want to locally use some web API. MySQL and smtp use are obvious.

- Web users shouldn't be able to open any socket, but they should still be able to connect to the outside

This is where I do not have a solution. I think the use of mac_bsdextended would work here, but there is no clear way of doing this. Does anyone have a good configuration in place?

** Resources Security **

Solution: This is a straightforward one: configure login.conf and the virtual hosts with resource limits. This can be adjusted for specific users who may need more than usual.

** File System Security **

- Jail Security

Solution: Build the jail with only the required files; this is done via make.conf.

Deny access:

- Web users and executed web scripts shouldn't be able to read other users' data

Solution: run suPHP for php scripts as well as suEXEC for cgi-scripts; implement ufs_acl so that the www (Web Server) user can access any user directory. Add a ufs_acl to the web users' home directory which says: read-write-exec only from $owner and www. Those rights should have priority over any traditional unix file system rights.

- For the users' own security, prevent them from writing to /tmp

Solution: add a ufs_acl rule to /tmp; this should be read only (for the mysql socket and other things that might reside here).

- As much as possible, web users should have a limited view of the system

Solution: use the following sysctl variables:

security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0

Since the web users are in a jail, set a restricted devfs ruleset (this is easily done via rc.conf):

jail_web_devfs_enable="YES"
jail_web_devfs_ruleset="devfsrules_jail"

- Web users and executed web scripts shouldn't be able to read important system files

Solution: use ufs_acl to prevent the users from accessing the following:

/boot
/root
/sbin
/usr/sbin
/usr/local/sbin
/var
/etc/ (apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf, services, mailer.conf, ssh/ssh_config and mail/)
/usr/local/etc (apart from tools/configs which are normally required by the user, e.g. nss-ldap)

Those rights should have priority over any traditional unix file system rights. I could make a longer list; this one's just to get started. I am sure there's a better way to do that, maybe a MAC ruleset already exists for that; has anyone done that already?

- Web users should be able to access their own crontab

Solution: use ufs_acl to give rights to the crontab directory.

- Web users should be able to send emails

Solution: use ufs_acl to give rights to the mail spool.

- Web users shouldn't be able to install binaries but should still be able to install CGI scripts

This is where I do not have a solution. Has anyone implemented such a policy?

This setup gives a lot of rights to the users, which is good for flexible hosting. This gives a lot of available tools to the users as well as the possibility to have a wide open php.ini (let's say register_globals stays off). And thanks to suPHP, you can even make multiple php.ini files for different users.

** What I am looking for is a simpler solution to the file system security. ufs_acl is difficult to implement, so perhaps the use of a MAC module would be better. **

Suggestions on this would be highly appreciated. Those are my thoughts on the subject; do not hesitate to let me know if you have comments and/or better ideas on how to make a secure setup for shared web hosting.

All the best,
--
Alexis Susset
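An added example, not from the post above: a small first-match evaluator that parses the five ipfw rules quoted in the message and checks what a jailed process is allowed to reach on lo0. It is a simplified model of ipfw semantics (it handles only `pass`/`deny`, `dst-port`, `jail N` and `via IFACE`, and ignores direction, TCP state and the socket-ownership details of the `jail` option), intended as a quick sanity check of the intended policy rather than as a replacement for testing on the host.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The five rules from the post, with the leading "${fwcmd} add" stripped.
RULES_TEXT = """\
60 pass ip from any to any dst-port 25 jail 1 via lo0
61 pass ip from any to any dst-port 80 jail 1 via lo0
62 pass ip from any to any dst-port 443 jail 1 via lo0
63 pass ip from any to any dst-port 3306 jail 1 via lo0
80 deny ip from any to any jail 1 via lo0
"""

@dataclass
class Rule:
    number: int
    action: str
    dst_port: Optional[int]  # None means "any destination port"
    jail: Optional[int]      # None means "not restricted to a jail"
    iface: Optional[str]     # None means "any interface"

# Only the subset of ipfw syntax used in the post is accepted.
RULE_RE = re.compile(
    r"^(\d+)\s+(pass|deny)\s+ip\s+from\s+any\s+to\s+any"
    r"(?:\s+dst-port\s+(\d+))?(?:\s+jail\s+(\d+))?(?:\s+via\s+(\S+))?$"
)

def parse_rules(text: str):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        num, action, port, jail, iface = m.groups()
        rules.append(Rule(int(num), action,
                          int(port) if port else None,
                          int(jail) if jail else None, iface))
    # ipfw evaluates rules in ascending rule-number order, first match wins.
    return sorted(rules, key=lambda r: r.number)

def evaluate(rules, *, dst_port: int, jail: Optional[int], iface: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or
    ('no-match', None) when the packet falls through to later rules."""
    for r in rules:
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.jail is not None and r.jail != jail:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        return r.action, r.number
    return "no-match", None
```

With `jail=None` for an unjailed host process, the deny rule 80 does not apply, so host traffic on lo0 falls through to whatever rules follow; only jail 1 is confined by this set.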