When the Web Goes to Jail (David Runge, 2019-08-10)


Slide 1

When the Web Goes to Jail

David Runge 2019-08-10

Slide 2

Contents

Outline
◮ The Good Old Days
◮ Where We Want to Be
◮ How We Get There
◮ Where We Are
◮ Contact

Slide 3

Who?

◮ Trusted User (2017) / Developer (2019)
◮ Pro-audio, Python tools, web apps
◮ Documentation

Slide 4

What?

◮ Packaged web applications
◮ Use-case: one or more web applications on a single host
◮ Interplay: web servers, application servers, web applications
◮ Security and best practices
◮ Distribution agnostic
◮ WIP

Slide 5

The Good Old Days

Slide 6

Creating users was hard

◮ Propagating a UID/GID pair was necessary
◮ Using an install file is error-prone
◮ Some permissions can be set in the PKGBUILD
◮ Changing user/group is non-trivial
◮ Manual chown/chmod after install
◮ /run is not packagable

Slide 7

Diagram: browser, web server, application server, webapp1 and webapp2. The browser sends GET /webapp1/ and GET /webapp2/ to the web server, which hands the requests to the application server via CGI over a socket or port.

Slide 8

Diagram: the same request flow (GET /webapp1/, GET /webapp2/, CGI over socket or port), with every component (web server, application server, webapp1, webapp2) labelled with the user it runs as: http.

Slide 9

Diagram: browser, web server, webapp1 and webapp2, all running as the http user. Because everything shares one user, every component can reach every other one, and the diagram marks the resulting violations:
◮ violation due to e.g. a misconfigured root or too permissive access
◮ violation due to e.g. a lax open_basedir (marked on each path between the web applications)

Slide 10

Diagram: web server, webapp1, webapp2 and nobody versus the sockets /run/uwsgi/webapp1.socket and /run/uwsgi/webapp2.socket. Every edge is labelled "rw access": the web server, each web application (to the other application's socket) and nobody can all read from and write to both sockets.

Slide 11

Where We Want to Be

Slide 12

◮ Stop using the http user for everything
◮ A user per web application
◮ Allow write access to local sockets only to the web server (and root)
◮ Disallow read access for everybody else
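The four bullets above are a policy that can be checked mechanically: a socket is compliant when it is owned by its own application user, when only the web server's group has read/write on it, and when "other" has no bits at all. The script below is an added example, not part of the talk, that applies that policy to lines in the shape `stat -c '%n %U %G %a'` prints (path, owner, group, octal mode). It assumes the web server runs with group `http` and that the socket of application `<app>` is named `<app>.socket`; the sample lines are constructed to mirror the "where we are" and "where we want to be" diagrams.

```bash
#!/usr/bin/env bash
# Added example (not from the talk): audit web application sockets against
# the per-application user policy. Input lines: PATH OWNER GROUP MODE,
# exactly what `stat -c '%n %U %G %a'` prints.
# Assumptions: web server group "http", socket name <app>.socket.
WEBSERVER_GROUP="${WEBSERVER_GROUP:-http}"

# socket_policy_ok PATH OWNER GROUP MODE: returns 0 if compliant, 1 with a reason otherwise
socket_policy_ok() {
  local path="$1" owner="$2" group="$3" mode="$4" app perm
  app="$(basename "$path" .socket)"        # the application user expected to own it
  perm="$(printf '%d' "0$mode")"           # octal text -> number (0660 -> 432)
  if [ "$owner" != "$app" ]; then
    echo "FAIL $path: owner is '$owner', expected the per-application user '$app'"
    return 1
  fi
  if [ "$group" != "$WEBSERVER_GROUP" ]; then
    echo "FAIL $path: group is '$group', expected the web server group '$WEBSERVER_GROUP'"
    return 1
  fi
  if [ $((perm & 7)) -ne 0 ]; then         # any r/w/x bit for "other"
    echo "FAIL $path: mode $mode grants access to everybody"
    return 1
  fi
  if [ $((perm & 56)) -ne 48 ]; then       # group bits (070) must be exactly rw (060)
    echo "FAIL $path: mode $mode does not give the web server group exactly rw"
    return 1
  fi
  echo "OK   $path ($owner:$group $mode)"
}

# audit_lines < "PATH OWNER GROUP MODE" lines: returns the number of violations
audit_lines() {
  local bad=0 path owner group mode
  while read -r path owner group mode; do
    [ -n "$path" ] || continue
    socket_policy_ok "$path" "$owner" "$group" "$mode" || bad=$((bad + 1))
  done
  return "$bad"
}

# audit_live: the same check over real sockets below /run (Linux, GNU stat)
audit_live() {
  stat -c '%n %U %G %a' /run/*/*.socket 2>/dev/null | audit_lines
}

# Constructed sample: the first two lines are the old shared-user layout
# (/run/uwsgi, everything owned by nobody, 0666), the last two the target
# layout (/run/<app>/<app>.socket, <app>:http, 0660).
SAMPLE_STAT='/run/uwsgi/webapp1.socket nobody nobody 666
/run/uwsgi/webapp2.socket nobody nobody 666
/run/webapp1/webapp1.socket webapp1 http 660
/run/webapp2/webapp2.socket webapp2 http 660'

if printf '%s\n' "$SAMPLE_STAT" | audit_lines; then
  echo "all sockets comply"
else
  echo "violations: $?"
fi
```

Run as-is it reports the two `/run/uwsgi` sockets and returns 2; `audit_live` runs the same rules over a real host. The owner check comes first on purpose: a 0660 socket is still a shared resource if every application server runs as the same user, which is exactly the situation slide 10 shows.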

Slide 13

Diagram: the request flow from slide 7 (GET /webapp1/, GET /webapp2/, CGI over socket or port), now with per-application users: the web server runs as http, the application server and web application for webapp1 run as webapp1, and those for webapp2 run as webapp2.

Slide 14

Diagram: browser, web server (http), webapp1 (webapp1) and webapp2 (webapp2) handling GET /webapp1/ and GET /webapp2/. With separate users, each edge is labelled with the user allowed on it (webserver, webapp1 or webapp2), so one web application can no longer reach the other's files.

Slide 15

Diagram: web server, webapp1, webapp2 and nobody versus the sockets /run/webapp1/webapp1.socket and /run/webapp2/webapp2.socket (replacing /run/uwsgi/webapp1.socket and /run/uwsgi/webapp2.socket). Only the web server's edges are labelled "rw access"; webapp1 to webapp2's socket, webapp2 to webapp1's socket and nobody to either socket are labelled "no access".

Slide 16

How We Get There

Slide 17

Packaging

◮ Ship users and groups [1] (man 5 sysusers.d)
◮ Ship ownership and permissions, create files and directories (e.g. below /run) [2] (man 5 tmpfiles.d)
◮ DynamicUser, hardening [3] (e.g. uwsgi [4]) (man 5 systemd.exec)
◮ Generic permissions/settings for sockets [5] (e.g. uwsgi [6]) (man 5 systemd.socket)
◮ Improve application server packaging (e.g. uwsgi's sockets and services are too permissive)
◮ Snippets, defaults (e.g. nginx, apache, uwsgi, php-fpm)

[1] https://www.freedesktop.org/software/systemd/man/sysusers.d.html
[2] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
[3] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[4] https://wiki.archlinux.org/index.php/UWSGI#Hardening_uWSGI_service
[5] https://www.freedesktop.org/software/systemd/man/systemd.socket.html
[6] https://wiki.archlinux.org/index.php/UWSGI#Accessibility_of_uWSGI_socket
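What the first four bullets amount to in a package is four small files. The script below is an added example, not code from the talk or from any Arch package, that stages them into a package root the way a PKGBUILD `package()` function would, for a hypothetical uWSGI-served application called `webapp1`: a sysusers.d user, tmpfiles.d directories below /run and /var/lib, a service unit with systemd.exec hardening, and a socket unit whose `SocketUser`/`SocketGroup`/`SocketMode` give the web server read/write on the socket and everyone else nothing. The application name, the web server group `http`, the path `/etc/uwsgi/<app>.ini` and the `/run/<app>/<app>.socket` convention are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the talk or any package): stage the files a package
# ships for a hypothetical web application served by uWSGI.
# Assumptions: web server group "http", uWSGI config /etc/uwsgi/<app>.ini,
# package root passed as $1.
set -u

# write_file MODE PATH < content: create parent directories, write stdin to PATH
write_file() {
  local mode="$1" path="$2"
  mkdir -p "$(dirname "$path")"
  cat > "$path"
  chmod "$mode" "$path"
}

# stage_webapp PKGDIR [APP] [WEBSERVER_GROUP]
stage_webapp() {
  local pkgdir="$1" app="${2:-webapp1}" wsgroup="${3:-http}"

  # man 5 sysusers.d: one system user (and group of the same name) per application
  write_file 644 "$pkgdir/usr/lib/sysusers.d/$app.conf" <<EOF
u $app - "Web application $app" /var/lib/$app
EOF

  # man 5 tmpfiles.d: socket directory traversable by the web server group only,
  # state directory private to the application user
  write_file 644 "$pkgdir/usr/lib/tmpfiles.d/$app.conf" <<EOF
d /run/$app 0750 $app $wsgroup -
d /var/lib/$app 0750 $app $app -
EOF

  # man 5 systemd.exec: run as the application user inside a restricted sandbox
  write_file 644 "$pkgdir/usr/lib/systemd/system/$app.service" <<EOF
[Unit]
Description=uWSGI application server for $app
Requires=$app.socket
After=network.target

[Service]
User=$app
Group=$app
ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/$app.ini
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=
ReadWritePaths=/var/lib/$app

[Install]
WantedBy=multi-user.target
EOF

  # man 5 systemd.socket: owned by the application user, rw for the web server
  # group, no access for anybody else
  write_file 644 "$pkgdir/usr/lib/systemd/system/$app.socket" <<EOF
[Unit]
Description=uWSGI socket for $app

[Socket]
ListenStream=/run/$app/$app.socket
SocketUser=$app
SocketGroup=$wsgroup
SocketMode=0660

[Install]
WantedBy=sockets.target
EOF
}

# staged_socket_mode PKGDIR APP: print the SocketMode= value of the staged socket unit
staged_socket_mode() {
  sed -n 's/^SocketMode=//p' "$1/usr/lib/systemd/system/$2.socket"
}

# check_staged PKGDIR APP: 0 if all files exist and the socket grants nothing to "other"
check_staged() {
  local pkgdir="$1" app="$2" f mode
  for f in usr/lib/sysusers.d/$app.conf usr/lib/tmpfiles.d/$app.conf \
           usr/lib/systemd/system/$app.service usr/lib/systemd/system/$app.socket; do
    [ -f "$pkgdir/$f" ] || { echo "missing: $f"; return 1; }
  done
  mode="$(staged_socket_mode "$pkgdir" "$app")"
  [ -n "$mode" ] || { echo "no SocketMode= in $app.socket"; return 1; }
  [ $(( $(printf '%d' "0$mode") & 7 )) -eq 0 ] || { echo "socket mode $mode is world-accessible"; return 1; }
  echo "staged $app: socket mode $mode"
}

# Stand-alone demo: stage into a temporary package root and list the result
demo_dir="$(mktemp -d)"
stage_webapp "$demo_dir" webapp1 http
check_staged "$demo_dir" webapp1
find "$demo_dir" -type f | sort
rm -rf "$demo_dir"
```

A static sysusers.d user is used here instead of `DynamicUser=` because the socket and the state directory need a stable owner that the tmpfiles.d lines can name; `DynamicUser=yes` would fit an application server that keeps no state of its own. The `RestrictAddressFamilies=` line still allows AF_INET/AF_INET6 so the application can reach a database over TCP; drop them for applications that only talk over the local socket.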

Slide 18

Fixing upstreams

◮ PHP calling PHP and not honoring configuration (e.g. cacti)
◮ Web applications with write-tentacles all over the filesystem (e.g. librenms)

Slide 19

Documentation

◮ Update packaging guidelines for webapps [7]
◮ Extend information on (best practices for) php-fpm (there is no dedicated wiki page)
◮ Extend information on (best practices for) uwsgi [8]
◮ Revise wiki pages for webapps, removing bizarre suggestions (e.g. "just let http own all files") and pointing to php-fpm/uwsgi

[7] https://wiki.archlinux.org/index.php/Web_application_package_guidelines
[8] https://wiki.archlinux.org/index.php/UWSGI

Slide 20

Where We Are

Slide 21

◮ Lots of legacy/redundancy, room for improvement
◮ Scattered information (or information in the wrong places)
◮ Example web apps: cacti [9], librenms [10], mantisbt [11], postfixadmin [12]
◮ Time for a TODO [13] to fix all of them

[9] https://www.archlinux.org/packages/community/any/cacti/
[10] https://aur.archlinux.org/packages/librenms/
[11] https://aur.archlinux.org/packages/mantisbt/
[12] https://www.archlinux.org/packages/community/any/postfixadmin/
[13] https://www.archlinux.org/todo/

Slide 22

Contact

David Runge
Mail: dave@sleepmap.de
XMPP: dvzrv@sleepmap.de
IRC: dvzrv@{freenode,hackint,oftc}