Secure shared web hosting using MAC Framework



Hi all,

I am looking at securing a web server using the FreeBSD MAC Framework.

To make things clear I will call the hosted users "web users". Those are the issues I am dealing with:

** Network Security **
- Web users shouldn't be able to connect to reserved local ports apart from 25(smtp); 80(http); 443(https) and 3306(MySQL)
Solution:
run the web server and the web users' shell in a jail, use ipfw to limit the jail's access to localhost
Those are the rules I have set:
${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0
${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0
${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0
${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
${fwcmd} add 80 deny ip from any to any jail 1 via lo0
Here, I allow 80 and 443 in case the users want to locally use some web API. MySQL and smtp use are obvious.

- Web users shouldn't be able to open any socket, but they should still be able to connect to the outside
This is where I do not have a solution.
I think the use of mac_bsdextended would work here, but there is no clear way of doing this.
Does anyone have a good configuration in place?


** Resources Security **
Solution:
This is a straightforward one: configure login.conf and the virtual hosts with resource limits.
This can be adjusted for specific users who may need more than usual.


** File System Security **
- Jail Security
Solution:
Build the jail with only the required files; this is done via make.conf
Deny access

- Web users and executed web scripts shouldn't be able to read other users' data
Solution:
run suPHP for php scripts as well as suEXEC for cgi-scripts
implement ufs_acl so that the www (Web Server) user can access any user directory
Add a ufs_acl to the Web users home directory which says:
read-write-exec only from $owner and www
Those rights should have priority on any traditional unix file system rights.

- For the user's own security, prevent them from writing to /tmp
Solution:
add a ufs_acl rule to /tmp, this should be read only (for mysql socket and other things that might reside here)

- As much as possible, web users should have a limited view of the systems
Solution:
use the following sysctl variables
security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0
Since the web users are in a jail, set restricted devfs ruleset (this is easily done via rc.conf)
jail_web_devfs_enable="YES"
jail_web_devfs_ruleset="devfsrules_jail"

- Web users and executed web scripts shouldn't be able to read important system files
Solution:
use ufs_acl to prevent the users from accessing the following:
/boot /root
/sbin /usr/sbin /usr/local/sbin
/var
/etc/(apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf, services, mailer.conf, ssh/ssh_config and mail/)
/usr/local/etc (apart from tools/configs which are normally required by the user, e.g. nss-ldap)
Those rights should have priority on any traditional unix file system rights.
I could make a longer list; this one's just to get started.
I am sure there's a better way to do that; maybe a MAC ruleset already exists for that. Has anyone done that already?

- Web users should be able to access their own crontab
Solution: use ufs_acl to give rights to the crontab directory

- Web users should be able to send emails
Solution: use ufs_acl to give rights to the mail spool

- Web users shouldn't be able to install binaries but still be able to install CGI scripts
This is where I do not have a solution.
Has anyone implemented such policy?


This setup gives a lot of rights to the users, which is good for a flexible hosting.
This gives a lot of available tools to the users as well as the possibility to have a wide open php.ini (let's say register_globals stays off). And thanks to suPHP, you can even make multiple php.ini files for different users.


** What I am looking for is a simpler solution to the file system security. ufs_acl is difficult to implement, so perhaps the use of a MAC module would be better.
** Suggestions on this would be highly appreciated.


Those are my thoughts on the subject; do not hesitate to let me know if you have comments and/or better ideas on how to make a secure setup for shared web hosting.

All the best,
--
Alexis Susset
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
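The post's file-system policy for a web user's home directory is "read-write-exec only from $owner and www". As an added example (not part of Alexis's post, nor FreeBSD code), the following Python script audits that policy against the output of getfacl(1) on a UFS directory with POSIX.1e ACLs. It is assumed that getfacl prints the standard `tag:qualifier:perms` lines with `# owner:` comments, as FreeBSD does; the sample outputs are constructed, not captured from a real host. The check applies the ACL mask the way the kernel does, so it catches the case where `user:www:rwx` is present but a narrower `mask::` silently cuts www's effective rights.

```python
import re

# Constructed sample: getfacl output for a home directory that matches the
# policy (owner and www get rwx, nobody else gets anything).
SAMPLE_OK = """\
# file: /home/alice
# owner: alice
# group: alice
user::rwx
user:www:rwx
group::---
mask::rwx
other::---
"""

# Constructed sample with a too-narrow mask: user:www says rwx, but mask::r-x
# caps the effective rights of named users, so www cannot write after all.
SAMPLE_BAD_MASK = """\
# file: /home/bob
# owner: bob
# group: bob
user::rwx
user:www:rwx
group::---
mask::r-x
other::---
"""

RWX = frozenset("rwx")


def perm_set(field):
    """'rwx' -> {'r','w','x'}, 'r-x' -> {'r','x'}, '---' -> empty set."""
    return frozenset(c for c in field if c in RWX)


def parse_getfacl(text):
    """Parse POSIX.1e getfacl output into (owner, [(tag, qualifier, perms)])."""
    owner = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*owner:\s*(\S+)", line)
            if m:
                owner = m.group(1)
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms))
    return owner, entries


def effective_rights(entries):
    """Apply the ACL mask: named users, named groups and the owning group are
    capped by mask::; the owner (user::) and other:: are not."""
    mask = next((perm_set(p) for t, q, p in entries if t == "mask"), RWX)
    eff = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        rights = perm_set(perms)
        if tag == "group" or (tag == "user" and qual):
            rights &= mask
        eff[(tag, qual)] = rights
    return eff


def check_home_acl(text, web_user="www"):
    """Return a list of policy violations; an empty list means the directory
    grants rwx to exactly the owner and the web server user."""
    owner, entries = parse_getfacl(text)
    eff = effective_rights(entries)
    problems = []
    if eff.get(("user", "")) != RWX:
        problems.append("owner %s lacks rwx" % owner)
    if eff.get(("user", web_user)) != RWX:
        problems.append("%s lacks effective rwx (check user:%s entry and mask)"
                        % (web_user, web_user))
    for (tag, qual), rights in eff.items():
        if (tag, qual) in (("user", ""), ("user", web_user)):
            continue
        if rights:  # anyone else with any effective access is a leak
            who = "%s:%s" % (tag, qual) if qual else tag
            problems.append("%s has %s" % (who, "".join(sorted(rights))))
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad mask", SAMPLE_BAD_MASK)):
        print(label, "->", check_home_acl(sample) or "conforms")
```

On a live host the text fed to `check_home_acl` would come from `getfacl /home/<user>`; running it over every home directory after an ACL change is a cheap way to confirm that the mask and the group/other entries still match the intended policy rather than trusting the `setfacl` invocation alone.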
