grsecurity forums

[xrath]

So I've just finished getting my ACL's so they don't produce lots of errors in normal everyday use - which probably means they're full of holes lol

I'm running 2 servers:

blackadder is a webserver which hosts the main website and allows multiple users to host their own sites (same as vhosts except I've used mod_userdir instead).

baldrick is a database server which only accepts connections from blackadder. It runs a mysql server.

Both servers have been patched to allow subjects with the CAP_DAC_READ_SEARCH capability complete read/search access regardless of what the filesystem permissions are (ACL's control access only). This allows backups to run as non-root and also apache to read files in the user's home dir even though it doesn't (normally) have access to it. All home dirs are chmod 700.

I've also used iptables to map ports 80 and 443 to 2080 and 1443 which allows the main apache server (static) to run an non-root on startup.

Blackadder's policy file: click here
Baldrick's policy file: click here

Love to hear all your comments and views on this - especially spender

[Joel]

Never thougth this patch would be used after such a long time, I'm glad it came handy

I'll try your ACLs and feeback you as soon as possible.

[spender]

Looked really good until I got to the end. Instead of giving apps like find and tar explicit privilege for anyone who executes them, use the subject inheritance (or for more fine-grained policy, nested subjects) so that find and tar are only granted privilege when executed through your cron script, which I assume is what you wanted here.

-Brad

[xrath]

Yea I see what you mean - quite simple to change that. Although the explicit privileges were granted to the "backup" user not anyone.

It's been working in a stable production environment well now for a few months. It's been great being able to adduser and knowing that they can run their own scripts whilst being locked down to their own directory - all without even touching the RBAC policy!

[bartosz]

I'm running 2 servers:

blackadder is a webserver which hosts the main website and allows multiple users to host their own sites (same as vhosts except I've used mod_userdir instead).

baldrick is a database server which only accepts connections from blackadder. It runs a mysql server.

Hi
I am newbe and I am in the midle of reading doc.
I have very similar architecture so your ACL is very interesting for me.
I cant find anything about shoutdown and reboot in your ACL.

From doc

"Administrative programs, such as shutdown or reboot, should require authentication instead of giving everyone the capabilities to run them. You can do this by making an ACL for /sbin/shutdown, and making it hidden to all processes by putting /sbin/shutdown h as an object in your process ACL for /. Then, the only way you can access the special privileges of /sbin/shutdown is by entering administration mode with gradm -a."

Can you tell me which part of your ACL is responsible for that?

[xrath]

Personally I just stop all user services and then `gradm -D` when I need to shutdown or restart. Ideally I'd like to create role a role which has only access to shutdown or restart the box (datacenter staff) - but I can't see how it would work without disabling the RBAC system.

[bartosz]

That is a problem for me. I use SIM http://www.rfxnetworks.com/sim.php
which controls load of server and after reaching critical level it reboots
It happens once per 4-5 months but it is imposible to reboot without disabling gradm
My testing server (rh9) hangs on /sbin/ifdown and reset is required.
I will consider turning off auto - reboot in SIM config.

[Lord_Pinhead]

I got a better problem. When i start 'gradm -F -L /etc/grsec/lernlogs' my Server crashes, after the crash i can´t do anything, except of push the reset button. I use Kernel 2.6.11.2 + GRSec (dont ask for the version) and gradm. At the time i build up the System, it was the newest Patch and gradm to use, i dont use the Debian Packets. Does anyone got the same Problem or any clue how to solve it?

Btw.: I dont start the Learning mode becouse i moved to a new appartment, after that i never start my gameserver util now.

MFG
Lord Pinhead

[Hue-Bond]

Both servers have been patched to allow subjects with the CAP_DAC_READ_SEARCH capability complete read/search access regardless of what the filesystem permissions are (ACL's control access only).

So, everyone can read '/etc/shadow'. Oh, of course, the ACL does not allow this but, what about '/etc/shadow-'?

In blackadder policy I see that the role webuser has full read access to /etc. Since the comment above says that it's designed to let users run Perl, I bet one can do:

open my $fd, '<', '/etc/shadow-' or die "open: $!";
print <$fd>;
close $fd;

Or am I missing something?

[xrath]

Well yes, in that policy any user or process which is granted read access to /etc/shadow- along with CAP_DAC_READ_SEARCH in the RBAC system could read the file. In that policy this is only granted to the backup user which needs to have read access to everything anyway.

My $bad_etc list has long since been updated to include shadow-, not that it really poses much of a risk since nothing has read access to it anyway (except backup)!

[Hue-Bond]

In that policy this is only granted to the backup user which needs to have read access to everything anyway.

I don't think so:

Code: Select all

role webuser g
subject / {          ## subject /, ie every program
    /etc                            r
    /lib                            rx
    /proc                           r
    /usr/bin                        rx
    /usr/lib                        rx
}


[xrath]

webuser doesn't have CAP_DAC_READ_SEARCH capabilities meaning that both RBAC/ACL and standard file system restrictions apply.

[Hue-Bond]

webuser doesn't have CAP_DAC_READ_SEARCH capabilities

Right. I initially understood that servers had been patched so everyone had that cap.

[xrath]

Hell no!

[taheria]

I cant get to the policies from the original posters link, does anyone have a good policy for a web server?