
ACL EXAMPLE: apache/php/perl/mysql/multiple users

PostPosted: Thu Jun 16, 2005 9:52 am
by xrath
So I've just finished getting my ACLs so they don't produce lots of errors in normal everyday use - which probably means they're full of holes lol ;)

I'm running 2 servers:

blackadder is a webserver which hosts the main website and allows multiple users to host their own sites (same as vhosts except I've used mod_userdir instead).

baldrick is a database server which only accepts connections from blackadder. It runs a mysql server.

Both servers have been patched to allow subjects with the CAP_DAC_READ_SEARCH capability complete read/search access regardless of what the filesystem permissions are (ACLs control access only). This allows backups to run as non-root and also apache to read files in the user's home dir even though it doesn't (normally) have access to it. All home dirs are chmod 700.

I've also used iptables to map ports 80 and 443 to 2080 and 1443, which allows the main apache server (static) to run as non-root on startup.

Blackadder's policy file: click here
Baldrick's policy file: click here

Love to hear all your comments and views on this - especially spender ;)

PostPosted: Sat Sep 10, 2005 8:12 pm
by Joel
Never thought this patch would be used after such a long time, I'm glad it came in handy :)

I'll try your ACLs and feed back to you as soon as possible.

PostPosted: Sun Sep 25, 2005 5:02 pm
by spender
Looked really good until I got to the end. Instead of giving apps like find and tar explicit privilege for anyone who executes them, use the subject inheritance (or for more fine-grained policy, nested subjects) so that find and tar are only granted privilege when executed through your cron script, which I assume is what you wanted here.

-Brad
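A concrete form of what spender is suggesting, written here as an added example; it is not taken from xrath's (no longer linked) policy or from the grsecurity project. The role name backup, the paths /usr/local/sbin/backup.sh and /var/backups, and the object lists are assumptions. The mode letters follow the grsecurity RBAC documentation as I recall it (h hides the object, r/w/c/d/x are read/write/create/delete/execute, i makes an executed object inherit the enclosing subject, and a nested subject is written parent:child), so check them against the policy reference for the gradm version you run, including how your version matches subjects for shell scripts as opposed to binaries.

```text
role backup u
subject / {
    /                               h
    -CAP_ALL
}

## BEFORE: what spender is objecting to. Every process in the role that
## execs find or tar picks up the privilege, not just the backup job.
subject /usr/bin/find {
    /                               h
    /lib                            rx
    /home                           r
    +CAP_DAC_READ_SEARCH
}
subject /bin/tar {
    /                               h
    /lib                            rx
    /home                           r
    /var/backups                    rwcd
    +CAP_DAC_READ_SEARCH
}

## AFTER, option 1 (subject inheritance): the cron-driven script is the
## only subject carrying CAP_DAC_READ_SEARCH. The 'i' mode on find and
## tar makes them run under this subject when exec'd from it, so a find
## or tar started any other way in this role gets the default subject.
subject /usr/local/sbin/backup.sh {
    /                               h
    /bin/sh                         x
    /lib                            rx
    /usr/bin/find                   xi
    /bin/tar                        xi
    /home                           r
    /var/backups                    rwcd
    +CAP_DAC_READ_SEARCH
}

## AFTER, option 2 (nested subject): tar gets its own, narrower object
## list, but that subject only applies when tar was exec'd from the
## backup script. find would get a similar backup.sh:/usr/bin/find entry.
subject /usr/local/sbin/backup.sh:/bin/tar {
    /                               h
    /lib                            rx
    /home                           r
    /var/backups                    rwcd
    +CAP_DAC_READ_SEARCH
}
```

Use one of the two AFTER forms, not both with the BEFORE subjects. The check worth doing after reloading the policy is to run find or tar by hand as the backup user and confirm a 0700 home directory is no longer readable, then run the cron script and confirm it still is.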

PostPosted: Mon Sep 26, 2005 6:49 am
by xrath
Yea I see what you mean - quite simple to change that. Although the explicit privileges were granted to the "backup" user not anyone.

It's been working in a stable production environment well now for a few months. It's been great being able to adduser and knowing that they can run their own scripts whilst being locked down to their own directory - all without even touching the RBAC policy!

PostPosted: Mon Sep 26, 2005 2:11 pm
by bartosz
xrath wrote:I'm running 2 servers:

blackadder is a webserver which hosts the main website and allows multiple users to host their own sites (same as vhosts except I've used mod_userdir instead).

baldrick is a database server which only accepts connections from blackadder. It runs a mysql server.

Hi
I am a newbie and I am in the middle of reading the doc.
I have a very similar architecture so your ACL is very interesting for me.
I can't find anything about shutdown and reboot in your ACL.

From doc

"Administrative programs, such as shutdown or reboot, should require authentication instead of giving everyone the capabilities to run them. You can do this by making an ACL for /sbin/shutdown, and making it hidden to all processes by putting /sbin/shutdown h as an object in your process ACL for /. Then, the only way you can access the special privileges of /sbin/shutdown is by entering administration mode with gradm -a."

Can you tell me which part of your ACL is responsible for that?

PostPosted: Mon Sep 26, 2005 3:06 pm
by xrath
Personally I just stop all user services and then `gradm -D` when I need to shut down or restart. Ideally I'd like to create a role which only has access to shut down or restart the box (datacenter staff) - but I can't see how it would work without disabling the RBAC system.

PostPosted: Mon Sep 26, 2005 4:02 pm
by bartosz
That is a problem for me. I use SIM http://www.rfxnetworks.com/sim.php
which monitors the load of the server and, after reaching a critical level, reboots it.
It happens once per 4-5 months but it is impossible to reboot without disabling gradm.
My testing server (rh9) hangs on /sbin/ifdown and a reset is required.
I will consider turning off auto-reboot in the SIM config.

PostPosted: Thu Nov 24, 2005 7:49 pm
by Lord_Pinhead
I've got a bigger problem. When I start 'gradm -F -L /etc/grsec/lernlogs' my server crashes, and after the crash I can't do anything except push the reset button. I use kernel 2.6.11.2 + grsec (don't ask for the version) and gradm. At the time I built the system it was the newest patch and gradm available; I don't use the Debian packages. Does anyone have the same problem or any clue how to solve it?

Btw.: I didn't start the learning mode because I moved to a new apartment, and after that I never started my gameserver until now.

Regards
Lord Pinhead


PostPosted: Tue Feb 28, 2006 5:50 pm
by Hue-Bond
xrath wrote:Both servers have been patched to allow subjects with the CAP_DAC_READ_SEARCH capability complete read/search access regardless of what the filesystem permissions are (ACL's control access only).


So, everyone can read '/etc/shadow'. Oh, of course, the ACL does not allow this but, what about '/etc/shadow-'?

In blackadder policy I see that the role webuser has full read access to /etc. Since the comment above says that it's designed to let users run Perl, I bet one can do:

open my $fd, '<', '/etc/shadow-' or die "open: $!";
print <$fd>;
close $fd;

Or am I missing something?

PostPosted: Wed Mar 01, 2006 6:43 am
by xrath
Well yes, in that policy any user or process which is granted read access to /etc/shadow- along with CAP_DAC_READ_SEARCH in the RBAC system could read the file. In that policy this is only granted to the backup user which needs to have read access to everything anyway.

My $bad_etc list has long since been updated to include shadow-, not that it really poses much of a risk since nothing has read access to it anyway (except backup)!

PostPosted: Wed Mar 01, 2006 8:13 am
by Hue-Bond
xrath wrote:In that policy this is only granted to the backup user which needs to have read access to everything anyway.


I don't think so:

role webuser g
subject / {          ## subject /, ie every program
    /etc                            r
    /lib                            rx
    /proc                           r
    /usr/bin                        rx
    /usr/lib                        rx
}

PostPosted: Wed Mar 01, 2006 8:27 am
by xrath
webuser doesn't have CAP_DAC_READ_SEARCH capabilities meaning that both RBAC/ACL and standard file system restrictions apply.

PostPosted: Wed Mar 01, 2006 12:39 pm
by Hue-Bond
xrath wrote:webuser doesn't have CAP_DAC_READ_SEARCH capabilities


Right. I initially understood that servers had been patched so everyone had that cap.

PostPosted: Wed Mar 01, 2006 12:42 pm
by xrath
Hell no!
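The exchange above turns on which subjects actually hold CAP_DAC_READ_SEARCH, since on xrath's patched kernels that capability is what lets a process read past chmod 700. The following is an added example, not code from the thread or from grsecurity: a small Linux tool that walks /proc and lists every process whose effective capability set (the CapEff line of /proc/<pid>/status) contains CAP_DAC_READ_SEARCH, bit 2 in linux/capability.h. One caveat: the RBAC system subtracts capabilities in its own hook rather than editing the process's kernel capability set, so a process listed here may still have the capability masked by its subject; the list is the set of processes that could exercise it if the policy allows, and anything in it that is not the backup job deserves a look. The sample status text in the test is constructed.

```c
/* Added example: list processes whose effective capability set includes
 * CAP_DAC_READ_SEARCH, by decoding CapEff from /proc/<pid>/status.
 * Linux only; CAP_DAC_READ_SEARCH == 2 per <linux/capability.h>. */
#include <ctype.h>
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_DAC_READ_SEARCH_BIT 2

/* Decode a capability mask as /proc prints it (hex digits, no 0x prefix).
 * Returns 0 on success, -1 if the string is empty, too long or not hex. */
int parse_cap_mask(const char *hex, uint64_t *out)
{
    size_t n = strlen(hex);
    while (n > 0 && (hex[n - 1] == '\n' || hex[n - 1] == ' '))
        n--;                                   /* tolerate trailing newline */
    if (n == 0 || n > 16)
        return -1;
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) {
        char c = hex[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | (uint64_t)d;
    }
    *out = v;
    return 0;
}

/* 1 if capability number `cap` is raised in `mask`, else 0. */
int cap_is_set(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1);
}

/* Given the full text of a /proc/<pid>/status file, report whether
 * CAP_DAC_READ_SEARCH is in the effective set.
 * Returns 1 = set, 0 = not set, -1 = no parsable CapEff line. */
int status_has_dac_read_search(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char buf[32];
    size_t i = 0;
    while (i < sizeof buf - 1 && isxdigit((unsigned char)p[i])) {
        buf[i] = p[i];
        i++;
    }
    buf[i] = '\0';
    uint64_t mask;
    if (parse_cap_mask(buf, &mask) != 0)
        return -1;
    return cap_is_set(mask, CAP_DAC_READ_SEARCH_BIT);
}

/* Walk /proc and print every PID that currently holds the capability. */
int main(void)
{
    DIR *d = opendir("/proc");
    if (!d) {
        perror("opendir /proc");
        return 1;
    }
    struct dirent *e;
    int found = 0;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;                          /* not a PID directory */
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/status", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f)
            continue;                          /* exited, or hidden from us */
        char text[4096];
        size_t n = fread(text, 1, sizeof text - 1, f);
        fclose(f);
        text[n] = '\0';
        if (status_has_dac_read_search(text) == 1) {
            printf("pid %s has CAP_DAC_READ_SEARCH\n", e->d_name);
            found++;
        }
    }
    closedir(d);
    printf("%d process(es) with CAP_DAC_READ_SEARCH in CapEff\n", found);
    return 0;
}
```

Run it as root (or any user allowed by your policy to read other processes' status files), ideally with RBAC enabled so that /proc hiding applies the same way it would to an attacker; root-owned daemons will normally show up because a root process's CapEff is the full set, which is exactly the situation the RBAC subject's -CAP_ALL is there to narrow.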


PostPosted: Thu Sep 04, 2008 2:15 pm
by taheria
I can't get to the policies from the original poster's link, does anyone have a good policy for a web server?