MAC policies and shared hosting

[Borja Marcos]

Hello,

I've been looking at the different MAC modules available and how they  
cold help to implement a less insecure than usual shared hosting web  
server.

I've not been able to come up with a suitable configuration, looking  
at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC  
module with the following policies could be very useful for such an  
environment. Have I missed anything? Has something similar been done?

The module would (roughly) work as follows:

Defining security levels in a similar way to mac_mls or mac_biba,

we define a range of uids as sysctl variables to be used as  
"compartiments". For example,

mac.mac_uids.lowuid
mac.mac_uids.highid

And it would be implemented so that:

Below a given security level, (mac.mac_uids.enforce_below)

- Any operation of a subject with uid x (between lowuid and highuid)  
on an object with uid y (between lowuid and highuid) would fail.

- A subject with a given security level could not modify an object  
with a higher security level.

This, combined with a chroot tree would (I think) be much better than  
the typical solutions available. The webserver process would be  
launched as a low-security subject, and it is assumed that it would  
make a setuid() before launching a CGI process. And perhaps it  
wouldn't be so hard to modify an existing webserver so that it  
changed the uid when serving a page associated with a virtual server,  
adding a uid parameter to virtual servers.

What do you think? Ideas? (This is only a quick and dirty idea)







Borja.