MAC policies and shared hosting
Borja Marcos
BORJAMAR at SARENET.ES
Wed May 3 13:49:42 UTC 2006
Hello,
I've been looking at the different MAC modules available and how they
cold help to implement a less insecure than usual shared hosting web
server.
I've not been able to come up with a suitable configuration, looking
at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC
module with the following policies could be very useful for such an
environment. Have I missed anything? Has something similar been done?
The module would (roughly) work as follows:
Defining security levels in a similar way to mac_mls or mac_biba,
we define a range of uids as sysctl variables to be used as
"compartiments". For example,
mac.mac_uids.lowuid
mac.mac_uids.highid
And it would be implemented so that:
Below a given security level, (mac.mac_uids.enforce_below)
- Any operation of a subject with uid x (between lowuid and highuid)
on an object with uid y (between lowuid and highuid) would fail.
- A subject with a given security level could not modify an object
with a higher security level.
This, combined with a chroot tree would (I think) be much better than
the typical solutions available. The webserver process would be
launched as a low-security subject, and it is assumed that it would
make a setuid() before launching a CGI process. And perhaps it
wouldn't be so hard to modify an existing webserver so that it
changed the uid when serving a page associated with a virtual server,
adding a uid parameter to virtual servers.
What do you think? Ideas? (This is only a quick and dirty idea)
Borja.
More information about the freebsd-security
mailing list