Secure shared web hosting using MAC Framework

Alexis Susset admin at munai.com
Sun Feb 18 14:20:51 UTC 2007


Hi all,

I am looking at securing a web server using the FreeBSD MAC Framework.

To make things clear I will call the hosted users "web users". These are the issues I am dealing with:

** Network Security **
- Web users shouldn't be able to connect to reserved local ports  
apart from 25(smtp); 80(http); 443(https) and 3306(MySQL)
    Solution:
	run the web server and the web users' shells in a jail, use ipfw to limit the jail's access to localhost
	Those are the rules I have set:
		${fwcmd} add 60 pass ip from any to any dst-port 25 jail 1 via lo0
		${fwcmd} add 61 pass ip from any to any dst-port 80 jail 1 via lo0
		${fwcmd} add 62 pass ip from any to any dst-port 443 jail 1 via lo0
		${fwcmd} add 63 pass ip from any to any dst-port 3306 jail 1 via lo0
		${fwcmd} add 80 deny ip from any to any jail 1 via lo0
	Here, I allow 80 and 443 in case the users want to locally use some web API. MySQL and smtp use are obvious.

- Web users shouldn't be able to open any socket, but, they should  
still be able to connect to the outside
     This is where I do not have a solution.
	I think the use of mac_bsdextended would work here, but there is no clear way of doing this.
	Does anyone have a good configuration in place?


** Resources Security **
     Solution:
	This is a straightforward one: configure login.conf and the virtual hosts with resource limits.
	This can be adjusted for specific users who may need more than usual.


** File System Security **
- Jail Security
     Solution:
	Build the jail with only required files, this is done via make.conf
	Deny access

- Web users and executed web scripts shouldn't be able to read other  
users data
     Solution:
	run suPHP for php scripts as well as suEXEC for cgi-scripts
	implement ufs_acl so that the www (Web Server) user can access any  
user directory
	Add a ufs_acl to the Web users home directory which says:
		read-write-exec only from $owner and www
	Those rights should have priority on any traditional unix file  
system rights.

- For the user's own security, prevent them from writing to /tmp
     Solution:
	add a ufs_acl rule to /tmp, this should be read only (for mysql  
socket and other things that might reside here)

- As much as possible, web users should have a limited view of the  
systems
    Solution:
	use the following sysctl variables
		security.bsd.see_other_uids=0
		security.bsd.unprivileged_read_msgbuf=0
	Since the web users are in a jail, set restricted devfs ruleset  
(this is easily done via rc.conf)
		jail_web_devfs_enable="YES"
		jail_web_devfs_ruleset="devfsrules_jail"

- Web users and executed web scripts shouldn't be able to read  
important system files
     Solution:
	use ufs_acl to prevent the users from accessing the following:
		/boot /root
		/sbin /usr/sbin /usr/local/sbin
		/var
		/etc/(apart from resolv.conf, group, hosts, pwd.db, nsswitch.conf,  
services, mailer.conf, ssh/ssh_config and mail/)
		/usr/local/etc (apart from tools/configs which are normally required by the user, e.g. nss-ldap)
	Those rights should have priority on any traditional unix file  
system rights.
	I could make a longer list, this one's just to get started.
	I am sure there's a better way to do that, maybe a MAC ruleset  
already exists for that, has anyone done that already?

- Web users should be able to access their own crontab
     Solution: use ufs_acl to give rights to the crontab directory

- Web users should be able to send emails
     Solution: use ufs_acl to give rights to the mail spool

- Web users shouldn't be able to install binaries but still be able to install CGI scripts
     This is where I do not have a solution.
	Has anyone implemented such a policy?


This setup gives a lot of rights to the users, which is good for a  
flexible hosting.
This gives a lot of available tools to the users as well as the possibility to have a wide open php.ini (let's say register_globals stays off). And thanks to suPHP, you can even make multiple php.ini files for different users.


** What I am looking for is a simpler solution to the file system security. ufs_acl is difficult to implement, so perhaps the use of a MAC module would be better.
** Suggestions on this would be highly appreciated.


Those are my thoughts on the subject, do not hesitate to let me know  
if you have comments and/or better ideas on how to make a secure  
setup for shared web hosting.

All the best,
--
Alexis Susset

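Added example, not part of the original post: a small POSIX sh generator that turns the ipfw rules, the per-user ufs_acl setup and the /tmp ACL described in the message into reviewable command lines, plus the sysctls for mac_portacl, a MAC module the post does not name that controls which uids may bind() to low ports (listening, not outbound connects). Assumed values are the jail id 1, the web server user www with uid 80, a "webusers" group, the home directory path, and that ACLs are enabled on the filesystem (tunefs -a enable). The script only prints commands; nothing is applied to the live system.

```shell
#!/bin/sh
# Added example (not from the original post). Emits the ipfw rules, setfacl
# commands and mac_portacl sysctls for the setup described in the message so
# an admin can review them before piping them to sh.
# Assumptions: jail id 1, web server user "www" (uid 80 on FreeBSD), a group
# "webusers", ACLs enabled on the filesystem holding the home directories.
# Every function below only prints commands; nothing touches the system.

FWCMD=ipfw

# gen_ipfw_rules JID PORT... : one pass rule per allowed port on lo0 for the
# jail, numbered from 60, then the catch-all deny at 80 for anything else the
# jail sends to localhost (same shape as the rules in the post).
gen_ipfw_rules() {
    jid=$1; shift
    n=60
    for port in "$@"; do
        printf '%s add %d pass ip from any to any dst-port %s jail %s via lo0\n' \
            "$FWCMD" "$n" "$port" "$jid"
        n=$((n + 1))
    done
    printf '%s add 80 deny ip from any to any jail %s via lo0\n' "$FWCMD" "$jid"
}

# gen_home_acl USER DIR : owner and www get rwx on the home directory, group
# and other get nothing. The mask entry (m::rwx) is needed, otherwise the named
# www entry is capped by the empty group bits. The -d (default) entries make
# files and directories later created by scripts inherit the same restriction,
# which plain "setfacl -m" on the directory alone does not give you.
gen_home_acl() {
    user=$1; dir=$2
    printf 'chown %s %s\n' "$user" "$dir"
    printf 'chmod 0700 %s\n' "$dir"
    printf 'setfacl -m u:www:rwx,m::rwx %s\n' "$dir"
    printf 'setfacl -d -m u::rwx,g::---,o::---,u:www:rwx,m::rwx %s\n' "$dir"
}

# gen_tmp_acl GROUP : members of GROUP see /tmp read-only (r-x still lets them
# reach the mysql socket and other files there); the named group entry is
# evaluated before "other", so everyone else keeps the usual 1777 behaviour.
gen_tmp_acl() {
    printf 'setfacl -m g:%s:r-x,m::rwx /tmp\n' "$1"
}

# gen_portacl_sysctls : mac_portacl rules in idtype:id:proto:port form. Only
# uid 80 (www) may bind 80 and 443; no other unprivileged uid may claim a port
# at or below port_high (root is exempt via suser_exempt). The portrange
# reserved* lines are required so the kernel's own reserved-port check does
# not take precedence over the policy.
gen_portacl_sysctls() {
    cat <<'EOF'
security.mac.portacl.port_high=1023
security.mac.portacl.suser_exempt=1
security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
EOF
}

# Constructed sample run: jail 1 with the four ports from the post, one web
# user (name and path are made up), the webusers group, and the portacl sysctls.
gen_ipfw_rules 1 25 80 443 3306
gen_home_acl alexis /usr/home/alexis
gen_tmp_acl webusers
gen_portacl_sysctls
```

Review the output, then feed it to sh on the host (the ACL and sysctl lines) and to the firewall script (the ipfw lines). The sysctls go into /etc/sysctl.conf together with mac_portacl_load="YES" in /boot/loader.conf.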
