From owner-freebsd-security@FreeBSD.ORG Sun Feb 25 10:26:10 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5BFD316A403; Sun, 25 Feb 2007 10:26:10 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from home.quip.cz (grimm.quip.cz [213.220.192.218]) by mx1.freebsd.org (Postfix) with ESMTP id 1749413C49D; Sun, 25 Feb 2007 10:26:09 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from [192.168.1.2] (qwork.quip.test [192.168.1.2]) by home.quip.cz (Postfix) with ESMTP id 163F962F7; Sun, 25 Feb 2007 11:06:42 +0100 (CET) Message-ID: <45E15FB1.90906@quip.cz> Date: Sun, 25 Feb 2007 11:06:41 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: cz, cs, en, en-us MIME-Version: 1.0 To: idiotbg@gmail.com References: <20070221131421.1709206a.stas@FreeBSD.org> <20070221183154.GA14590@zone3000.net> <200702212218.19806.idiotbg@gmail.com> In-Reply-To: <200702212218.19806.idiotbg@gmail.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: Stanislav Sedov , Alexis Susset , freebsd-security@freebsd.org Subject: Re: Secure shared web hosting using MAC Framework X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 25 Feb 2007 10:26:10 -0000 Momchil Ivanov wrote: [...] >>> >>>>- Web users and executed web scripts shouldn't be able to read other >>>>users data >>>> Solution: >>>> run suPHP for php scripts as well as suEXEC for cgi-scripts >>>> implement ufs_acl so that the www (Web Server) user can access any >>>>user directory >>>> Add a ufs_acl to the Web users home directory which says: >>>> read-write-exec only from $owner and www >>>> Those rights should have priority on any traditional unix file >>>>system rights. >>> >>>I believe the suphp will be a amazingly slow solution as it executes >>>php executable on each request, IIRC. Thus, the speed will not be >>>faster then php in cgi. >> >>But is there any way to disbale related php functions? is there any well >>defined configuration examples for mod_php? > > > Is this what you are looking for: > http://www.php.net/manual/en/features.safe-mode.php > > > disable_functions string > > This directive allows you to disable certain functions for security reasons. > It takes on a comma-delimited list of function names. disable_functions is > not affected by Safe Mode. > > This directive must be set in php.ini For example, you cannot set this in > httpd.conf. > disable_classes string > > This directive allows you to disable certain classes for security reasons. It > takes on a comma-delimited list of class names. disable_classes is not > affected by Safe Mode. > > This directive must be set in php.ini For example, you cannot set this in > httpd.conf. > [...] There is PHP extension for better security called Suhosin. After installation of this extension you have better control of what you want to disable, or enable. http://www.hardened-php.net/suhosin/configuration.html Author of this extension was developer in PHP security team. Miroslav Lachman From owner-freebsd-security@FreeBSD.ORG Sun Feb 25 11:17:10 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9391C16A400 for ; Sun, 25 Feb 2007 11:17:10 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.freebsd.org (Postfix) with ESMTP id 3CF1713C428 for ; Sun, 25 Feb 2007 11:17:09 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (unknown [192.168.3.39]) by mx.nitro.dk (Postfix) with ESMTP id 2CC642D4A98; Sun, 25 Feb 2007 11:17:09 +0000 (UTC) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 116471141E; Sun, 25 Feb 2007 12:17:09 +0100 (CET) Date: Sun, 25 Feb 2007 12:17:08 +0100 From: "Simon L. Nielsen" To: Momchil Ivanov Message-ID: <20070225111708.GA978@zaphod.nitro.dk> References: <20070221131421.1709206a.stas@FreeBSD.org> <20070221183154.GA14590@zone3000.net> <200702212218.19806.idiotbg@gmail.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="9amGYk9869ThD9tj" Content-Disposition: inline In-Reply-To: <200702212218.19806.idiotbg@gmail.com> User-Agent: Mutt/1.5.11 Cc: Stanislav Sedov , Alexis Susset , freebsd-security@freebsd.org Subject: Re: Secure shared web hosting using MAC Framework X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 25 Feb 2007 11:17:10 -0000 --9amGYk9869ThD9tj Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2007.02.21 22:18:15 +0100, Momchil Ivanov wrote: > > But is there any way to disbale related php functions? is there any well > > defined configuration examples for mod_php? >=20 > Is this what you are looking for:=20 > http://www.php.net/manual/en/features.safe-mode.php You should not rely on PHP safe mode and related features working since it's broken by design. There is a reason this was added to the default php.ini on FreeBSD: SECURITY NOTE: The FreeBSD Security Officer strongly recommend that the PHP Safe Mode feature not be relied upon for security, since the issues Safe Mode tries to handle cannot properly be handled in PHP (primarily due to PHP's use of external libraries). While many bugs in Safe Mode has been fixed it's very likely that more issues exist which allows a user to bypass Safe Mode restrictions. For increased security we always recommend to install the Suhosin extension. Running untrusted code in PHP just as unsafe as any other untrusted program on your system. It can be OK to use safe mode related features as an extra layer of trouble an attacker has to get through, but you should still treat the setup as though the safe mode stuff isn't there and assume people can break it. See also http://www.vuxml.org/freebsd/pkg-php5.html for more information on why safe mode shouldn't be trusted. --=20 Simon L. Nielsen FreeBSD Security Team --9amGYk9869ThD9tj Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFF4XAzBJx0gP90kKsRAjMZAKCBTOMuL7CQFjJcWp78XU+T9lB+iQCeJZx5 k7+L5JTZDfTqdNUk5lq0TiM= =T/lw -----END PGP SIGNATURE----- --9amGYk9869ThD9tj-- From owner-freebsd-security@FreeBSD.ORG Sun Feb 25 11:35:42 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8540C16A403 for ; Sun, 25 Feb 2007 11:35:42 +0000 (UTC) (envelope-from jberg@jberg.pp.se) Received: from mail.uni-q.se (socket.uni-q.se [193.108.196.77]) by mx1.freebsd.org (Postfix) with ESMTP id 4318113C4AA for ; Sun, 25 Feb 2007 11:35:41 +0000 (UTC) (envelope-from jberg@jberg.pp.se) Received: from break.uni-q.se ([193.108.196.49]:58621 helo=webmail.uni-q.se) by mail.uni-q.se with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA:32) (Exim 4.63 #1) id 1HLHKi-0007Nt-Pj; Sun, 25 Feb 2007 12:14:28 +0100 Received: from 213.66.132.131 (SquirrelMail authenticated user m00036) by webmail.uni-q.se with HTTP; Sun, 25 Feb 2007 12:14:24 +0100 (CET) Message-ID: <1336.213.66.132.131.1172402064.squirrel@webmail.uni-q.se> In-Reply-To: <2FF03F09-23CA-44ED-87BA-673095FFE430@tca-cable-connector.com> References: <8F62D3F1-B5AF-442F-B492-67D28FDCE9F0@tca-cable-connector.com> <2FF03F09-23CA-44ED-87BA-673095FFE430@tca-cable-connector.com> Date: Sun, 25 Feb 2007 12:14:24 +0100 (CET) From: "Johan Berg" To: "David Schulz" User-Agent: SquirrelMail/1.4.5 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Authenticated-As: X-Scan-Signature: 7cead026102690c34d275c9e5d8cd66b Cc: freebsd-security@freebsd.org Subject: Re: Advice for Internet facing Mailserver X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 25 Feb 2007 11:35:42 -0000 The FreeBSD Handbook also have some good tips: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html Regards, -- Johan Berg On Fri, February 23, 2007 17:17, David Schulz wrote: > Hello and good day, > > i have setup a Server which is directly connected to the Internet, > without NAT-Router or other Firewall Appliance. I am using FreeBSD > 6.2. I have pf enabled to only allow traffic on specified Ports. I am > using Apache-13 + Postfix + Dovecot & mysql for my Mail-system. There > is only one /home/User, which authenticates via a Key with Pass- > phrase to sshd. The Mail-users all authenticate to a mysql database. > I know that i could make use of chroot or better jail to secure the > machine from possible exploits in postfix & co, but i am not yet > comfortable with jail. Other then keeping my Ports (and system) up to > date, can you give me some tips on how to secure my Box a little bit? > > Thanks a lot, > David > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > -- Johan Berg From owner-freebsd-security@FreeBSD.ORG Mon Feb 26 03:57:30 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A696116A402 for ; Mon, 26 Feb 2007 03:57:30 +0000 (UTC) (envelope-from duane@dwlabs.ca) Received: from smtpout.eastlink.ca (smtpout.eastlink.ca [24.222.0.30]) by mx1.freebsd.org (Postfix) with ESMTP id 6B82913C48E for ; Mon, 26 Feb 2007 03:57:30 +0000 (UTC) (envelope-from duane@dwlabs.ca) Received: from ip04.eastlink.ca ([24.222.10.20]) by mta01.eastlink.ca (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with ESMTP id <0JE10024DW9J5TA1@mta01.eastlink.ca> for freebsd-security@freebsd.org; Sun, 25 Feb 2007 23:27:19 -0400 (AST) Received: from blk-224-199-230.eastlink.ca (HELO dwpc.dwlabs.ca) ([24.224.199.230]) by ip04.eastlink.ca with ESMTP; Sun, 25 Feb 2007 23:27:28 -0400 Received: from dwpc.dwlabs.ca (mail.dwlabs.ca [192.168.0.10]) by dwpc.dwlabs.ca (8.13.8/8.13.8) with ESMTP id l1Q3On5F073076; Sun, 25 Feb 2007 23:24:55 -0400 (AST envelope-from duane@dwpc.dwlabs.ca) Received: (from duane@localhost) by dwpc.dwlabs.ca (8.13.8/8.13.8/Submit) id l1Q3OnD2073075; Sun, 25 Feb 2007 23:24:49 -0400 (AST envelope-from duane) Date: Sun, 25 Feb 2007 23:24:49 -0400 From: Duane Whitty In-reply-to: <2FF03F09-23CA-44ED-87BA-673095FFE430@tca-cable-connector.com> To: David Schulz Message-id: <20070226032449.GA72966@dwpc.dwlabs.ca> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ao8CABzi4UUY4MfmdGdsb2JhbACjHwEBAQ X-IronPort-AV: i="4.14,217,1170648000"; d="scan'208"; a="132686057:sNHT57710790" X-Virus-Scanned: ClamAV 0.88.6/2649/Sun Feb 25 04:10:41 2007 on dwpc.dwlabs.ca X-Virus-Status: Clean X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on dwpc.dwlabs.ca References: <8F62D3F1-B5AF-442F-B492-67D28FDCE9F0@tca-cable-connector.com> <2FF03F09-23CA-44ED-87BA-673095FFE430@tca-cable-connector.com> User-Agent: Mutt/1.4.2.2i X-Spam-Status: No, score=-1.7 required=5.0 tests=AWL,BAYES_00, UNPARSEABLE_RELAY autolearn=ham version=3.1.4 Cc: freebsd-security@freebsd.org Subject: Re: Advice for Internet facing Mailserver X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: duane@dwlabs.ca List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Feb 2007 03:57:30 -0000 On Sat, Feb 24, 2007 at 12:17:00AM +0800, David Schulz wrote: > Hello and good day, > > i have setup a Server which is directly connected to the Internet, > without NAT-Router or other Firewall Appliance. I am using FreeBSD > 6.2. I have pf enabled to only allow traffic on specified Ports. I am > using Apache-13 + Postfix + Dovecot & mysql for my Mail-system. There > is only one /home/User, which authenticates via a Key with Pass- > phrase to sshd. The Mail-users all authenticate to a mysql database. > I know that i could make use of chroot or better jail to secure the > machine from possible exploits in postfix & co, but i am not yet > comfortable with jail. Other then keeping my Ports (and system) up to > date, can you give me some tips on how to secure my Box a little bit? > > Thanks a lot, > David Hi David, Perhaps the following URI would be of interest: http://www.modsecurity.org/ I've been considering this tool myslef. I am not using it as of yet. Best Regards, Duane From owner-freebsd-security@FreeBSD.ORG Thu Mar 1 14:01:19 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1396116A401 for ; Thu, 1 Mar 2007 14:01:19 +0000 (UTC) (envelope-from freebsd-security@auscert.org.au) Received: from titania.auscert.org.au (gw.auscert.org.au [203.5.112.28]) by mx1.freebsd.org (Postfix) with ESMTP id 8C9A413C48E for ; Thu, 1 Mar 2007 14:01:18 +0000 (UTC) (envelope-from freebsd-security@auscert.org.au) Received: from app.auscert.org.au (app [10.0.1.192]) by titania.auscert.org.au (8.12.10/8.12.10) with ESMTP id l21DMWCb008949; Thu, 1 Mar 2007 23:22:32 +1000 (EST) Received: from app.auscert.org.au (localhost.auscert.org.au [127.0.0.1]) by app.auscert.org.au (8.13.6/8.13.6) with ESMTP id l21DMT0I067608; Thu, 1 Mar 2007 23:22:32 +1000 (EST) (envelope-from freebsd-security@auscert.org.au) Message-Id: <200703011322.l21DMT0I067608@app.auscert.org.au> To: "Johan Berg" from: freebsd-security@auscert.org.au In-Reply-To: Message from "Johan Berg" of "Sun, 25 Feb 2007 12:14:24 +0100." <1336.213.66.132.131.1172402064.squirrel@webmail.uni-q.se> Date: Thu, 01 Mar 2007 23:22:29 +1000 Cc: David Schulz , freebsd-security@freebsd.org Subject: Re: Advice for Internet facing Mailserver X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Mar 2007 14:01:19 -0000 On Sun, 25 Feb 2007 12:14:24 +0100 (CET), "Johan Berg" wrote: >The FreeBSD Handbook also have some good tips: > >http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html > > >Regards, > >-- Johan Berg Also, man SECURITY(7) cheers, joel