Date:      Sun, 18 Feb 2007 06:01:24 -0800
From:      Alexis Susset <alexis_susset@mac.com>
To:        freebsd-security@freebsd.org
Subject:   Secure shared web hosting using MAC Framework
Message-ID:  <0F5FE7C6-0110-1000-A8A9-103194B6EEC0-Webmail-10018@mac.com>

Hi all,

I am looking at securing a web server using the FreeBSD MAC Framework.

To make things clear, I will call the hosted users "web users". Those are the issues I am dealing with:

** Network Security **
- Web users shouldn't be able to connect to reserved local ports apart from 25 (smtp), 80 (http), 443 (https) and 3306 (MySQL)
   Solution:
	run the web server and web users shell in a jail, use ipfw to limit the jail access to localhost
	Those are the rules I have set:
		${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0
		${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0
		${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0
		${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
		${fwcmd} add 80 deny ip from any to any jail 1 via lo0
	Here, I allow 80 and 443 in case the users want to locally use some web API. MySQL and smtp use are obvious.

- Web users shouldn't be able to open any socket, but they should still be able to connect to the outside
    This is where I do not have a solution.
	I think the use of mac_bsdextended would work here, but there is no clear way of doing this.
	Does anyone have a good configuration in place?


** Resources Security **
    Solution:
	This is a straightforward one: configure login.conf and the virtual hosts with resource limits.
	This can be adjusted for specific users who may need more than usual.


** File System Security **
- Jail Security
    Solution:
	Build the jail with only the required files; this is done via make.conf
	Deny access

- Web users and executed web scripts shouldn't be able to read other users data
    Solution:
	run suPHP for PHP scripts as well as suEXEC for CGI scripts
	implement ufs_acl so that the www (Web Server) user can access any user directory
	Add a ufs_acl to the Web users home directory which says:
		read-write-exec only from $owner and www
	Those rights should have priority over any traditional Unix file system rights.

- For the user's own security, prevent them from writing to /tmp
    Solution:
	add a ufs_acl rule to /tmp; this should be read-only (for the MySQL socket and other things that might reside there)

- As much as possible, web users should have a limited view of the system
   Solution:
	use the following sysctl variables
		security.bsd.see_other_uids=0
		security.bsd.unprivileged_read_msgbuf=0
	Since the web users are in a jail, set restricted devfs ruleset (this is easily done via rc.conf)
		jail_web_devfs_enable="YES"
		jail_web_devfs_ruleset="devfsrules_jail"

- Web users and executed web scripts shouldn't be able to read important system files
    Solution:
	use ufs_acl to prevent the users from accessing the following:
		/boot /root
		/sbin /usr/sbin /usr/local/sbin
		/var
		/etc/(apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf, services, mailer.conf, ssh/ssh_config and mail/)
		/usr/local/etc (apart from tools/configs which are normally required by the user, e.g. nss-ldap)
	Those rights should have priority over any traditional Unix file system rights.
	I could make a longer list; this one is just to get started.
	I am sure there is a better way to do this; maybe a MAC ruleset already exists for it. Has anyone done this already?

- Web users should be able to access their own crontab
    Solution: use ufs_acl to give rights to the crontab directory

- Web users should be able to send emails
    Solution: use ufs_acl to give rights to the mail spool

- Web users shouldn't be able to install binaries but still be able to install CGI scripts
    This is where I do not have a solution.
	Has anyone implemented such a policy?


This setup gives a lot of rights to the users, which is good for flexible hosting.
This gives the users a lot of available tools as well as the possibility of a wide-open php.ini (let's say register_globals stays off). And thanks to suPHP, you can even have multiple php.ini files for different users.


** What I am looking for is a simpler solution to the file system security. ufs_acl is difficult to implement, so perhaps the use of a MAC module would be better.
** Suggestions on this would be highly appreciated.


These are my thoughts on the subject; do not hesitate to let me know if you have comments and/or better ideas on how to make a secure setup for shared web hosting.

All the best,
--
Alexis Susset



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0F5FE7C6-0110-1000-A8A9-103194B6EEC0-Webmail-10018>
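The ipfw rules quoted in the message above are easy to get subtly wrong, because ipfw evaluates rules in number order and stops at the first match, so the deny at rule 80 only does its job if every allow sits below it and every rule carries the same `jail 1 via lo0` qualifiers. The script below is an added example, not code from the e-mail or from FreeBSD: it parses the posted rule lines (copied here with `${fwcmd}` stripped) into a small first-match evaluator and reports which ports a packet from a given jail on a given interface would be passed to. `RULES_FROM_POST`, `parse_rules`, `evaluate`, `reachable_ports` and `audit` are names chosen for this example; the `default` argument stands in for ipfw's implicit rule 65535, which is `deny` on a stock kernel and `pass` only when the kernel is built with `IPFIREWALL_DEFAULT_TO_ACCEPT`.

```python
"""First-match evaluator for the loopback ipfw rules quoted in the post.

Added example, not code from the original e-mail. It models only the rule
syntax the post uses ("add N pass|deny ip from any to any [dst-port P]
[jail J] via IFACE") plus ipfw's rule-number ordering, so a rule set can
be checked for what it lets through before it is loaded with ${fwcmd}.
"""
import re

# Constructed copy of the post's five rules with ${fwcmd} stripped.
RULES_FROM_POST = """
add 60 pass ip from any to any dst-port 25 jail 1 via lo0
add 61 pass ip from any to any dst-port 80 jail 1 via lo0
add 62 pass ip from any to any dst-port 443 jail 1 via lo0
add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
add 80 deny ip from any to any jail 1 via lo0
"""

RULE_RE = re.compile(
    r"add\s+(?P<num>\d+)\s+(?P<action>pass|allow|accept|deny|drop)"
    r"\s+ip\s+from\s+any\s+to\s+any"
    r"(?:\s+dst-port\s+(?P<port>\d+))?"
    r"(?:\s+jail\s+(?P<jail>\d+))?"
    r"\s+via\s+(?P<iface>\S+)\s*$"
)


def parse_rules(text):
    """Parse rule lines into dicts sorted by rule number (ipfw's match order)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        d = m.groupdict()
        rules.append({
            "num": int(d["num"]),
            "action": "pass" if d["action"] in ("pass", "allow", "accept") else "deny",
            "port": int(d["port"]) if d["port"] else None,   # None = any port
            "jail": int(d["jail"]) if d["jail"] else None,   # None = any jail
            "iface": d["iface"],
        })
    return sorted(rules, key=lambda r: r["num"])


def evaluate(rules, dst_port, jail, iface, default="deny"):
    """Return (action, rule_number) of the first rule matching the packet.

    `default` stands in for the implicit rule 65535: "deny" on a stock
    ipfw, "pass" when the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT.
    """
    for r in rules:
        if r["port"] is not None and r["port"] != dst_port:
            continue
        if r["jail"] is not None and r["jail"] != jail:
            continue
        if r["iface"] != iface:
            continue
        return r["action"], r["num"]
    return default, 65535


def reachable_ports(rules, jail, iface, default="deny", candidates=range(1, 65536)):
    """Ports to which a packet from `jail` via `iface` is passed."""
    return [p for p in candidates
            if evaluate(rules, p, jail, iface, default)[0] == "pass"]


def audit(rules, jail, iface, allowed, default="deny"):
    """Ports reachable from the jail that are not in the intended allow list."""
    return sorted(set(reachable_ports(rules, jail, iface, default)) - set(allowed))


if __name__ == "__main__":
    rules = parse_rules(RULES_FROM_POST)
    for port, jail, iface in [(25, 1, "lo0"), (22, 1, "lo0"), (22, 2, "lo0"), (22, 1, "em0")]:
        print(port, jail, iface, evaluate(rules, port, jail, iface, default="pass"))
    print("unexpected lo0 ports from jail 1:", audit(rules, 1, "lo0", {25, 80, 443, 3306}))
```

Two things the evaluator makes visible that the rule text alone does not: a packet from any other jail, or from jail 1 on an interface other than `lo0`, matches none of the five rules and falls through to whatever the rest of the rc.firewall script and the default rule decide, which is the behaviour the post intends for outbound traffic but worth confirming; and because the deny rule carries no `dst-port`, every loopback port other than the four listed is blocked for jail 1 regardless of the kernel default. The model ignores protocol, addresses, direction and state, and the real `jail` keyword only matches packets associated with a local socket, so treat the output as a review aid, not a substitute for testing on the host.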