ACL EXAMPLE: apache/php/perl/mysql/multiple users

Postby xrath » Thu Jun 16, 2005 9:52 am

So I've just finished getting my ACLs so they don't produce lots of errors in normal everyday use - which probably means they're full of holes lol ;)

I'm running 2 servers:

blackadder is a webserver which hosts the main website and allows multiple users to host their own sites (same as vhosts except I've used mod_userdir instead).

baldrick is a database server which only accepts connections from blackadder. It runs a mysql server.

Both servers have been patched to allow subjects with the CAP_DAC_READ_SEARCH capability complete read/search access regardless of what the filesystem permissions are (ACLs control access only). This allows backups to run as non-root and also apache to read files in the user's home dir even though it doesn't (normally) have access to it. All home dirs are chmod 700.

I've also used iptables to map ports 80 and 443 to 2080 and 1443, which allows the main apache server (static) to run as non-root on startup.

Blackadder's policy file: click here
Baldrick's policy file: click here

Love to hear all your comments and views on this - especially spender ;)

Postby Joel » Sat Sep 10, 2005 8:12 pm

Never thought this patch would be used after such a long time, I'm glad it came in handy :)

I'll try your ACLs and feed back to you as soon as possible.

Postby spender » Sun Sep 25, 2005 5:02 pm

Looked really good until I got to the end. Instead of giving apps like find and tar explicit privilege for anyone who executes them, use the subject inheritance (or for more fine-grained policy, nested subjects) so that find and tar are only granted privilege when executed through your cron script, which I assume is what you wanted here.

-Brad

Postby xrath » Mon Sep 26, 2005 6:49 am

Yeah, I see what you mean - quite simple to change that. Although the explicit privileges were granted to the "backup" user, not anyone.

It's been working in a stable production environment well now for a few months. It's been great being able to adduser and knowing that they can run their own scripts whilst being locked down to their own directory - all without even touching the RBAC policy!

Postby bartosz » Mon Sep 26, 2005 2:11 pm

xrath wrote:I'm running 2 servers:

blackadder is a webserver which hosts the main website and allows multiple users to host their own sites (same as vhosts except I've used mod_userdir instead).

baldrick is a database server which only accepts connections from blackadder. It runs a mysql server.


Hi
I am a newbie and I am in the middle of reading the doc.
I have a very similar architecture, so your ACL is very interesting to me.
I can't find anything about shutdown and reboot in your ACL.

From the doc:

"Administrative programs, such as shutdown or reboot, should require authentication instead of giving everyone the capabilities to run them. You can do this by making an ACL for /sbin/shutdown, and making it hidden to all processes by putting /sbin/shutdown h as an object in your process ACL for /. Then, the only way you can access the special privileges of /sbin/shutdown is by entering administration mode with gradm -a."

Can you tell me which part of your ACL is responsible for that?

Postby xrath » Mon Sep 26, 2005 3:06 pm

Personally I just stop all user services and then `gradm -D` when I need to shutdown or restart. Ideally I'd like to create a role which only has access to shutdown or restart the box (datacenter staff) - but I can't see how it would work without disabling the RBAC system.

Postby bartosz » Mon Sep 26, 2005 4:02 pm

That is a problem for me. I use SIM http://www.rfxnetworks.com/sim.php
which monitors the server load and, after reaching a critical level, reboots.
It happens once per 4-5 months, but it is impossible to reboot without disabling gradm.
My testing server (rh9) hangs on /sbin/ifdown and a reset is required.
I will consider turning off auto-reboot in the SIM config.

Postby Lord_Pinhead » Thu Nov 24, 2005 7:49 pm

I've got a bigger problem. When I start 'gradm -F -L /etc/grsec/lernlogs' my server crashes; after the crash I can't do anything except push the reset button. I use kernel 2.6.11.2 + grsec (don't ask for the version) and gradm. At the time I built up the system it was the newest patch and gradm available; I don't use the Debian packages. Has anyone got the same problem, or any clue how to solve it?

Btw: I didn't start the learning mode earlier because I moved to a new apartment, and after that I never started my gameserver until now.

Regards
Lord Pinhead

Postby Hue-Bond » Tue Feb 28, 2006 5:50 pm

xrath wrote:Both servers have been patched to allow subjects with the CAP_DAC_READ_SEARCH capability complete read/search access regardless of what the filesystem permissions are (ACLs control access only).


So everyone can read '/etc/shadow'. Oh, of course, the ACL does not allow this, but what about '/etc/shadow-'?

In blackadder policy I see that the role webuser has full read access to /etc. Since the comment above says that it's designed to let users run Perl, I bet one can do:

Code:
# read the shadow backup file that the $bad_etc list does not cover
open my $fd, '<', '/etc/shadow-' or die "open: $!";
print <$fd>;
close $fd;

Or am I missing something?

Postby xrath » Wed Mar 01, 2006 6:43 am

Well yes, in that policy any user or process which is granted read access to /etc/shadow- along with CAP_DAC_READ_SEARCH in the RBAC system could read the file. In that policy this is only granted to the backup user which needs to have read access to everything anyway.

My $bad_etc list has long since been updated to include shadow-, not that it really poses much of a risk since nothing has read access to it anyway (except backup)!

Postby Hue-Bond » Wed Mar 01, 2006 8:13 am

xrath wrote:In that policy this is only granted to the backup user which needs to have read access to everything anyway.


I don't think so:

Code:
role webuser g
subject / {          ## subject /, ie every program
    /etc                            r
    /lib                            rx
    /proc                           r
    /usr/bin                        rx
    /usr/lib                        rx
}

Postby xrath » Wed Mar 01, 2006 8:27 am

webuser doesn't have CAP_DAC_READ_SEARCH capabilities meaning that both RBAC/ACL and standard file system restrictions apply.

Postby Hue-Bond » Wed Mar 01, 2006 12:39 pm

xrath wrote:webuser doesn't have CAP_DAC_READ_SEARCH capabilities


Right. I initially understood that servers had been patched so everyone had that cap.

Postby xrath » Wed Mar 01, 2006 12:42 pm

Hell no!
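The two policy points argued over in this thread (spender's advice to grant find and tar privilege only through the cron script via nested subjects, and the /etc/shadow- exchange above, where RBAC object matching and the CAP_DAC_READ_SEARCH patch interact) can be checked with a small model. This is an added example, not gradm code and not xrath's policy; it simplifies the RBAC lookup rules to longest path-prefix matching without globs, and the subjects, object lists, uid numbers, file modes and the /usr/local/bin/backup.sh path are constructed for the illustration.

```python
"""Toy model of the RBAC lookup rules argued about in this thread.

Added illustration, not gradm code or xrath's policy. It models only:
  * object lookup inside a subject: the longest path-component prefix wins (no globs);
  * subject lookup on exec: a nested subject "parent:child" applies when child is
    executed by a process already running under "parent", else the role's longest
    path-prefix subject applies;
  * the CAP_DAC_READ_SEARCH behaviour xrath describes: RBAC is always checked,
    and DAC is checked as well unless the subject holds that capability.
"""
from dataclasses import dataclass, field


@dataclass
class Subject:
    path: str                               # "/", "/bin/tar" or nested "parent:child"
    objects: dict                           # object path -> mode string ("r", "rx", "h")
    caps: set = field(default_factory=set)  # e.g. {"CAP_DAC_READ_SEARCH"}


def _is_prefix(prefix, path):
    """True when `prefix` equals `path` or is one of its directory ancestors."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def lookup_object(subject, path):
    """(object path, mode) of the most specific object covering `path`, or None."""
    best = None
    for obj, mode in subject.objects.items():
        if _is_prefix(obj, path) and (best is None or len(obj) > len(best[0])):
            best = (obj, mode)
    return best


def rbac_allows_read(subject, path):
    match = lookup_object(subject, path)
    return match is not None and "r" in match[1] and "h" not in match[1]


def dac_allows_read(file_mode, file_uid, file_gid, uid, gid):
    """Owner/group/other read bit check; root always passes."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(file_mode & 0o400)
    if gid == file_gid:
        return bool(file_mode & 0o040)
    return bool(file_mode & 0o004)


def effective_read(subject, path, file_mode, file_uid, file_gid, uid, gid):
    """RBAC must allow; DAC must allow too unless CAP_DAC_READ_SEARCH is held."""
    if not rbac_allows_read(subject, path):
        return False
    if "CAP_DAC_READ_SEARCH" in subject.caps:
        return True
    return dac_allows_read(file_mode, file_uid, file_gid, uid, gid)


def lookup_subject(role, binary, current=None):
    """`role` maps subject path -> Subject; nested subjects are keyed "parent:child"."""
    if current is not None and current.path + ":" + binary in role:
        return role[current.path + ":" + binary]
    best = None
    for key, subj in role.items():
        if ":" in key or not _is_prefix(key, binary):
            continue
        if best is None or len(key) > len(best.path):
            best = subj
    return best


# Constructed webuser subjects (not the posted policy): /etc is readable and
# /etc/shadow is hidden the way a $bad_etc list would, but shadow- is missing.
WEBUSER_LEAKY = Subject("/", {"/etc": "r", "/etc/shadow": "h", "/lib": "rx", "/usr/bin": "rx"})
WEBUSER_FIXED = Subject("/", {**WEBUSER_LEAKY.objects, "/etc/shadow-": "h"})

# Constructed backup role following spender's advice: only tar executed *from*
# the cron script gets the capability; tar run from a shell falls under "/".
BACKUP_SH = "/usr/local/bin/backup.sh"  # assumed script path
BACKUP_ROLE = {
    "/": Subject("/", {"/": "r"}),
    BACKUP_SH: Subject(BACKUP_SH, {"/": "r"}, {"CAP_DAC_READ_SEARCH"}),
    BACKUP_SH + ":/bin/tar": Subject(BACKUP_SH + ":/bin/tar", {"/": "r"}, {"CAP_DAC_READ_SEARCH"}),
}
SHADOW_BAK = dict(path="/etc/shadow-", file_mode=0o600, file_uid=0, file_gid=0)  # root:root 0600


def webuser_can_read_shadow_backup(subject, uid=1001, gid=1001):
    """uid 1001 stands for an arbitrary hosting customer."""
    return effective_read(subject, uid=uid, gid=gid, **SHADOW_BAK)


def tar_can_read_shadow_backup(parent_binary, uid=1002, gid=1002):
    """uid 1002 stands for the unprivileged backup account; `parent_binary` exec's tar."""
    parent = lookup_subject(BACKUP_ROLE, parent_binary)
    tar = lookup_subject(BACKUP_ROLE, "/bin/tar", current=parent)
    return effective_read(tar, uid=uid, gid=gid, **SHADOW_BAK)


if __name__ == "__main__":
    print(lookup_object(WEBUSER_LEAKY, "/etc/shadow-"))     # ('/etc', 'r'): RBAC alone lets it through
    print(webuser_can_read_shadow_backup(WEBUSER_LEAKY))    # False: DAC still stops a 0600 root file
    print(rbac_allows_read(WEBUSER_FIXED, "/etc/shadow-"))  # False: hidden once shadow- is listed
    print(tar_can_read_shadow_backup(BACKUP_SH))            # True: nested subject carries the cap
    print(tar_can_read_shadow_backup("/bin/bash"))          # False: tar from a shell has no cap
```

The first two results are the whole Hue-Bond/xrath exchange in miniature: `/etc r` does cover `/etc/shadow-` because the hidden `/etc/shadow` object matches only that exact path, so the RBAC side is leaky, and it is only the absence of CAP_DAC_READ_SEARCH in the webuser subject that leaves DAC to refuse the read. The last two results are spender's point: with the capability on the nested `backup.sh:/bin/tar` subject rather than on a plain `/bin/tar` subject, the same tar binary run from a shell under the `/` subject gets no capability and is back to DAC.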

Postby taheria » Thu Sep 04, 2008 2:15 pm

I can't get to the policies from the original poster's link. Does anyone have a good policy for a web server?

