Date: Wed, 3 May 2006 15:49:39 +0200
From: Borja Marcos <BORJAMAR@SARENET.ES>
To: freebsd-security@freebsd.org
Subject: MAC policies and shared hosting
Message-ID: <CB6E482F-221F-4D31-8814-BF4A23D3E19E@SARENET.ES>
Hello,

I've been looking at the different MAC modules available and how they could help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I missed anything? Has something similar been done?

The module would (roughly) work as follows:

Defining security levels in a similar way to mac_mls or mac_biba, we define a range of uids as sysctl variables to be used as "compartments". For example,

    mac.mac_uids.lowuid
    mac.mac_uids.highid

And it would be implemented so that, below a given security level (mac.mac_uids.enforce_below):

- Any operation of a subject with uid x (between lowuid and highuid) on an object with uid y (between lowuid and highuid) would fail.
- A subject with a given security level could not modify an object with a higher security level.

This, combined with a chroot tree, would (I think) be much better than the typical solutions available. The webserver process would be launched as a low-security subject, and it is assumed that it would make a setuid() before launching a CGI process. And perhaps it wouldn't be so hard to modify an existing webserver so that it changed the uid when serving a page associated with a virtual server, adding a uid parameter to virtual servers.

What do you think? Ideas? (This is only a quick and dirty idea)

Borja.
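The access decision proposed in the message above, modelled as a user-land reference function so the two rules can be exercised against concrete subject/object pairs. This is an added example, not code from the e-mail, from FreeBSD, or from any existing MAC module; it is not a loadable kernel policy and makes no kernel calls. Names follow the sysctls the e-mail proposes (lowuid, highuid, enforce_below); labels carry a uid and an integer level as in mac_biba/mac_mls. The model assumes that the compartment rule exempts a subject acting on its own uid's objects (x == y), since otherwise a CGI process could not read its own files; the e-mail's literal wording says "any operation", so that exemption is an assumption, as is the decision to apply the level rule only to write-type operations.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Proposed sysctls from the e-mail, held in one struct for the model. */
struct mac_uids_policy {
    uid_t lowuid;        /* mac.mac_uids.lowuid  : first compartment uid  */
    uid_t highuid;       /* mac.mac_uids.highuid : last compartment uid   */
    int   enforce_below; /* mac.mac_uids.enforce_below : rules apply to subjects below this level */
};

/* Label attached to a subject (process) or an object (file, socket, ...). */
struct mac_uids_label {
    uid_t uid;
    int   level;
};

enum mac_uids_result {
    MAC_UIDS_ALLOW            = 0,
    MAC_UIDS_DENY_COMPARTMENT = 1, /* rule 1: two different compartment uids */
    MAC_UIDS_DENY_LEVEL       = 2  /* rule 2: modifying a higher-level object */
};

static bool in_compartment_range(const struct mac_uids_policy *p, uid_t uid)
{
    return uid >= p->lowuid && uid <= p->highuid;
}

/*
 * Decide whether subject may perform an operation on object.
 * op_modifies is true for write/unlink/chmod style operations.
 * Both rules are enforced only for subjects below enforce_below, which is
 * how the e-mail groups them; an administrator at or above that level is
 * unconstrained by this module.
 */
int mac_uids_check(const struct mac_uids_policy *p,
                   const struct mac_uids_label *subject,
                   const struct mac_uids_label *object,
                   bool op_modifies)
{
    if (subject->level >= p->enforce_below)
        return MAC_UIDS_ALLOW;

    /* Rule 2: no writing up. */
    if (op_modifies && object->level > subject->level)
        return MAC_UIDS_DENY_LEVEL;

    /* Rule 1: compartment uids may not touch each other's objects.
     * Assumption: a uid may still access its own objects (x == y). */
    if (in_compartment_range(p, subject->uid) &&
        in_compartment_range(p, object->uid) &&
        subject->uid != object->uid)
        return MAC_UIDS_DENY_COMPARTMENT;

    return MAC_UIDS_ALLOW;
}

/* Convenience wrapper with a fixed example policy: customers are uids
 * 1000..1999, enforcement applies to subjects below level 10. */
int check_scenario(uid_t subj_uid, int subj_level,
                   uid_t obj_uid, int obj_level, bool op_modifies)
{
    static const struct mac_uids_policy hosting = {
        .lowuid = 1000, .highuid = 1999, .enforce_below = 10,
    };
    struct mac_uids_label s = { subj_uid, subj_level };
    struct mac_uids_label o = { obj_uid, obj_level };
    return mac_uids_check(&hosting, &s, &o, op_modifies);
}

int main(void)
{
    static const char *names[] = { "allow", "deny(compartment)", "deny(level)" };
    /* CGI of customer 1001 reading customer 1002's file: denied. */
    printf("1001 -> 1002 read : %s\n", names[check_scenario(1001, 0, 1002, 0, false)]);
    /* Same CGI reading its own file: allowed (assumed exemption). */
    printf("1001 -> 1001 read : %s\n", names[check_scenario(1001, 0, 1001, 0, false)]);
    /* Web server uid 80 (outside the range) writing a level-5 log: denied by rule 2. */
    printf("80   -> log write : %s\n", names[check_scenario(80, 0, 80, 5, true)]);
    /* Admin shell at level 10 touching a customer file: unconstrained. */
    printf("root -> 1002 write: %s\n", names[check_scenario(0, 10, 1002, 0, true)]);
    return 0;
}
```

The interesting cases for a shared-hosting deployment are the last two: a non-compartment uid such as the web server's own is only held back by the level rule, so its logs and configuration must carry a level above the server's for rule 2 to protect them, and anything running at or above enforce_below bypasses the module entirely, so that level should be reserved for administrative sessions rather than handed to the web server.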