when the web goes to jail
play

When the Web Goes to Jail David Runge 2019-08-10 Contents Outline - PowerPoint PPT Presentation

Nov 07, 2022 •174 likes •411 views

When the Web Goes to Jail David Runge 2019-08-10 Contents Outline The Good Old Days Where We Want to Be How We Get There Where We Are Contact Who? Trusted User (2017)/ Developer (2019) Pro-audio, Python tools, web apps

  1. When the Web Goes to Jail David Runge 2019-08-10

  2. Contents Outline The Good Old Days Where We Want to Be How We Get There Where We Are Contact

  3. Who? ◮ Trusted User (2017)/ Developer (2019) ◮ Pro-audio, Python tools, web apps ◮ Documentation

  4. What? ◮ Packaged web applications ◮ Use-case: One or more web applications on single host ◮ Interplay: Web servers, application servers, web applications ◮ Security and best practices ◮ Distribution agnostic ◮ WIP

  5. The Good Old Days

  6. Creating users is was hard ◮ Propagating UID/GID pair necessary ◮ Using install file is error-prone ◮ Some permissions can be set in PKGBUILD ◮ Changing user/group non-trivial ◮ Manual chown/chmod after install ◮ /run not packagable

  7. browser webserver application server webapp1 webapp2 GET /webapp1/ GET /webapp2/ CGI over socket or port

  8. browser webserver application server webapp1 webapp2 GET /webapp1/ GET /webapp2/ CGI over socket or port http http http http http http

  9. browser webserver webapp1 webapp2 GET /webapp1/ GET /webapp2/ violation due to e.g. misconfigured root or too permissive access http http violation due to e.g. misconfigured root or too permissive access http http violation due to e.g. lax open_basedir http http violation due to e.g. lax open_basedir http http violation due to e.g. lax open_basedir http http violation due to e.g. lax open_basedir http http

  10. webserver webapp1 webapp2 nobody rw access /run/uwsgi/webapp1.socket rw access /run/uwsgi/webapp2.socket rw access /run/uwsgi/webapp2.socket rw access /run/uwsgi/webapp1.socket rw access /run/uwsgi/webapp1.socket rw access /run/uwsgi/webapp2.socket

  11. Where We Want to Be

  12. ◮ Stop using the http user for everyhing ◮ A user per web application ◮ Allow write access to local sockets only to web server (and root) ◮ Dissallow read access for everybody else

  13. browser webserver application server webapp1 webapp2 GET /webapp1/ GET /webapp2/ CGI over socket or port http webapp1 webapp1 webapp2 webapp2 http

  14. browser webserver webapp1 webapp2 GET /webapp1/ GET /webapp2/ http webapp1 http webapp2 webapp1 webapp2 webserver webapp2 webapp1 webapp2 webserver webapp1

  15. webserver webapp1 webapp2 nobody rw access /run/webapp1/webapp1.socket rw access /run/webapp2/webapp2.socket no access /run/uwsgi/webapp2.socket no access /run/uwsgi/webapp1.socket no access /run/webapp1/webapp1.socket no access /run/webapp2/webapp2.socket

  16. How We Get There

  17. Packaging ◮ Ship users and groups 1 man 5 sysusers.d ◮ Ship ownership and permissions, create files and directories (e.g. below /run ) 2 man 5 tmpfiles.d ◮ DynamicUser, hardening 3 (e.g. uwsgi 4 ) man 5 systemd.exec ◮ Generic permissions/ settings for sockets 5 (e.g. uwsgi 6 ) man 5 systemd.socket ◮ Improve application server packaging (e.g. uwsgi’s sockets and services are too permissive) ◮ Snippets, defaults (e.g. nginx, apache, uwsgi, php-fpm) 1 https://www.freedesktop.org/software/systemd/man/sysusers.d.html 2 https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html 3 https://www.freedesktop.org/software/systemd/man/systemd.exec.html 4 https://wiki.archlinux.org/index.php/UWSGI#Hardening_uWSGI_service 5 https://www.freedesktop.org/software/systemd/man/systemd.socket.html 6 https://wiki.archlinux.org/index.php/UWSGI#Accessibility_of_uWSGI_socket

  18. Fixing upstreams ◮ PHP calling PHP and not honoring configuration (e.g. cacti) ◮ Web applications with write-tentacles all over the filesystems (e.g. librenms)

  19. Documentation ◮ Update packaging guidelines for webapps 7 ◮ Extend information on (best practices for) php-fpm (there’s no dedicated wiki page) ◮ Extend information on (best practices for) uwsgi 8 ◮ Revise wiki pages for webapps, removing bizarre suggestions (e.g. “just let http own all files” ), pointing to php-fpm/ uwsgi 7 https://wiki.archlinux.org/index.php/Web_application_package_guidelines 8 https://wiki.archlinux.org/index.php/UWSGI

  20. Where We Are

  21. ◮ Lots of legacy/ redundancy - room for improvement ◮ Scattered information (or information in the wrong places) ◮ Example web apps: cacti 9 , librenms 10 , mantisbt 11 , postfixadmin 12 ◮ Time for a TODO 13 to fix all of them 9 https://www.archlinux.org/packages/community/any/cacti/ 10 https://aur.archlinux.org/packages/librenms/ 11 https://aur.archlinux.org/packages/mantisbt/ 12 https://www.archlinux.org/packages/community/any/postfixadmin/ 13 https://www.archlinux.org/todo/

  22. Contact David Runge Mail : dave@sleepmap.de XMPP : dvzrv@sleepmap.de IRC : dvzrv@{freenode,hackint,oftc}

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What Should A 21 st -Century Jail Look Like? Santa Clara County Main Jail East Tuesday,

What Should A 21 st -Century Jail Look Like? Santa Clara County Main Jail East Tuesday,

What Should A 21 st -Century Jail Look Like? Santa Clara County Main Jail East Tuesday, August 9, 2016 1 Image by AECOM Agenda Background, Existing Conditions, Legislation Tony Filice Urban Design and Civic Center Context

515 views • 18 slides
jail(8) Hacking UNIX with FreeBSD jail(8), Secure Virtual Servers Presentation for DefCon 14, by

jail(8) Hacking UNIX with FreeBSD jail(8), Secure Virtual Servers Presentation for DefCon 14, by

jail(8) Hacking UNIX with FreeBSD jail(8), Secure Virtual Servers Presentation for DefCon 14, by Isaac Levy, (.ike) .ike Context I have used jails extensively for web application servers and software development purposes the methodology

2.11k views • 172 slides
Joint PP&J and Project (Jail) Review Committee Update Dane County Jail Consolidation Project

Joint PP&J and Project (Jail) Review Committee Update Dane County Jail Consolidation Project

Joint PP&J and Project (Jail) Review Committee Update Dane County Jail Consolidation Project South Tower Addition & Public Safety Building Renovation October 29, 2019 DCPW Project #318003 AGENDA Introductions Project Goals

823 views • 71 slides
in Michigans Jail Population Presentation to the Michigan Joint Task Force on Jail and Pretrial

in Michigans Jail Population Presentation to the Michigan Joint Task Force on Jail and Pretrial

Wayne State University Center for Behavioral Health and Justice Mental Health & Substance Misuse in Michigans Jail Population Presentation to the Michigan Joint Task Force on Jail and Pretrial Incarceration, September 20 th , 2019 Wayne

429 views • 38 slides
Jail Project Review Committee (PRC) Design Update Dane County Jail Consolidation Project South

Jail Project Review Committee (PRC) Design Update Dane County Jail Consolidation Project South

Jail Project Review Committee (PRC) Design Update Dane County Jail Consolidation Project South Tower Addition & Public Safety Building Renovation May 19, 2020 DCPW Project #318003 AGENDA Introductions Schedule Progress

826 views • 60 slides
Texas Commission on Jail Standards Fall Judicial Education November 21, 2019 Texas Commission on

Texas Commission on Jail Standards Fall Judicial Education November 21, 2019 Texas Commission on

Texas Commission on Jail Standards Fall Judicial Education November 21, 2019 Texas Commission on Jail Standards Working Countywide on Mental Health Issues and the Sandra Bland Act Texas Commission on Jail Standards Texas Commission on Jail

400 views • 22 slides
Texas Commission on Jail Standards North & East Texas County Judges and Commissioners College

Texas Commission on Jail Standards North & East Texas County Judges and Commissioners College

Texas Commission on Jail Standards North & East Texas County Judges and Commissioners College Station, Texas May 16, 2019 Texas Commission on Jail Standards Texas Commission on Jail Standards Inspect/Regulate Review Construction Provide

415 views • 20 slides
24 States in Total 14 States: Prison Programs 16 States: Jail Programs 2 States: Federal

24 States in Total 14 States: Prison Programs 16 States: Jail Programs 2 States: Federal

24 States in Total 14 States: Prison Programs 16 States: Jail Programs 2 States: Federal Institutions 7 States: Jail and Prison Programs 1 State: Jail, Prison, and Federal 9 States: Jail and No Prison 6 States: Prison and No Jail Information

987 views • 63 slides
Harris County - Jail Population August 2013 Report Comparison of Daily Average Jail Population 2

Harris County - Jail Population August 2013 Report Comparison of Daily Average Jail Population 2

Harris County - Jail Population August 2013 Report Comparison of Daily Average Jail Population 2 Years 1 Year End of Last Current Aug-11 Aug-12 Dec-12 Jul-13 Ago Ago Year Month Month - - - - Category Aug-11 Aug-12 Dec-12

258 views • 13 slides
2012 Master Plan Update 1 County Population Summary Crime County population

2012 Master Plan Update 1 County Population Summary Crime County population

2012 Master Plan Update 1 County Population Summary Crime County population Arrest Crime Court Arrest Superior Courts District Jail Jail Jail Statistics Jail Statistics Incarceration

658 views • 16 slides
Medical Awareness Identifying Injury or Illness in the Jail LLRMI / TRACEY REED 2015 Purpose One

Medical Awareness Identifying Injury or Illness in the Jail LLRMI / TRACEY REED 2015 Purpose One

Medical Awareness Identifying Injury or Illness in the Jail LLRMI / TRACEY REED 2015 Purpose One of the most significant issues facing jails and jail staff is lawsuits resulting from allegations of lack of medical or mental health care.

580 views • 36 slides
JAIL MONITOR TRAINING STEPHANIE LARRICK JUVENILE DETENTION COMPLIANCE MONITOR CRIMINAL JUSTICE

JAIL MONITOR TRAINING STEPHANIE LARRICK JUVENILE DETENTION COMPLIANCE MONITOR CRIMINAL JUSTICE

JAIL MONITOR TRAINING STEPHANIE LARRICK JUVENILE DETENTION COMPLIANCE MONITOR CRIMINAL JUSTICE COORDINATING COUNCIL 104 MARIETTA STREET SUITE 440 ATLANTA, GA 30303 AGENDA What is Expected as a Jail Monitor 1. What are We Monitoring - JJDPA

272 views • 23 slides
JAIL MONITOR TRAINING STEPHANIE LARRICK JUVENILE DETENTION COMPLIANCE MONITOR CRIMINAL JUSTICE

JAIL MONITOR TRAINING STEPHANIE LARRICK JUVENILE DETENTION COMPLIANCE MONITOR CRIMINAL JUSTICE

JAIL MONITOR TRAINING STEPHANIE LARRICK JUVENILE DETENTION COMPLIANCE MONITOR CRIMINAL JUSTICE COORDINATING COUNCIL 104 MARIETTA STREET SUITE 440 ATLANTA, GA 30303 AGENDA What is Expected as a Jail Monitor 1. What are We Monitoring - JJDPA

743 views • 22 slides
The Goal: To reduce the number of people with mental illness in Jail but really expecting

The Goal: To reduce the number of people with mental illness in Jail but really expecting

The Goal: To reduce the number of people with mental illness in Jail but really expecting MUCH broader outcomes The Problem: We rely on a system built more than 50 years ago, when very few people with mental illness were in jail or

627 views • 24 slides
Texas Commission on Jail Standards Fall Judicial Education November 14, 2018 Mental Health

Texas Commission on Jail Standards Fall Judicial Education November 14, 2018 Mental Health

Texas Commission on Jail Standards Fall Judicial Education November 14, 2018 Mental Health Evaluations & Compliance SB 1849 required several changes to Minimum Jail Standards Process started on August 3, 2017 SB1849 also changed 16.22

516 views • 27 slides
The Dutchess County Criminal Justice Council (September 2016) The use of Jail Bed Days within

The Dutchess County Criminal Justice Council (September 2016) The use of Jail Bed Days within

The Dutchess County Criminal Justice Council (September 2016) The use of Jail Bed Days within the Dutchess County Jail Report and Recommendations Gary E. Christensen, Ph. D. July 2016 Pending Research/Initiatives (May 2016) Analysis of 100+

168 views • 16 slides
9M 2019 Results Hanover November 12, 2019 Ticker: CON ADR-Ticker: CTTAY Twitter:

9M 2019 Results Hanover November 12, 2019 Ticker: CON ADR-Ticker: CTTAY Twitter:

9M 2019 Results Hanover November 12, 2019 Ticker: CON ADR-Ticker: CTTAY Twitter: @Continental_IR Wolfgang Schaefer CFO http://www.continental-ir.com Agenda 1 Current Market Situation 3 2 Corporation Highlights 6 3 Automotive

617 views • 48 slides
Uploading Adobe Presenter Presentation through FTP These step-by-step instructions will

Uploading Adobe Presenter Presentation through FTP These step-by-step instructions will

UTHSC Teaching and Learning Center Uploading Adobe Presenter Presentation through FTP These step-by-step instructions will demonstrate how to successfully upload your published Adobe Presenter Presentation to the web server through FTP. I. Once

72 views • 5 slides
Business Driven Technology Solutions Infosun Technologies (P) Ltd. Agenda Introduction

Business Driven Technology Solutions Infosun Technologies (P) Ltd. Agenda Introduction

Business Driven Technology Solutions Infosun Technologies (P) Ltd. Agenda Introduction Areas Of Expertise ITL technology Expertise Offshore Development ITL for Outsourcing Quick Facts How ITL Customers have

236 views • 21 slides
Newcomer Day: Welcome to ICANN! This Is YOUR Day WELCOME! Newcomer Experience ICANN

Newcomer Day: Welcome to ICANN! This Is YOUR Day WELCOME! Newcomer Experience ICANN

Newcomer Day: Welcome to ICANN! This Is YOUR Day WELCOME! Newcomer Experience ICANN and the Internet Eco-System ICANN and the Multi-Stakeholder Model LUNCH BREAK 1200-1315 ICANNs Work ICANN Meeting Week Staying

470 views • 42 slides
Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC

Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC

Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC Piracy and Sea Robbery Conference Agenda The regulatory framework Shipping industry guidance Cyber incident examples from real life

355 views • 10 slides
Vembu Service Provider Program Built for CSPs, MSPs, HSPs and other Solution / Service Providers

Vembu Service Provider Program Built for CSPs, MSPs, HSPs and other Solution / Service Providers

Vembu Service Provider Program Built for CSPs, MSPs, HSPs and other Solution / Service Providers VEMBU TECHNOLOGIES PARTNERS www.vembu.com Vembu Technologies Founded in 2002 Headquartered in Chennai 10+ Years of Experience 100+ Countries

943 views • 15 slides
Financial Update Q3 FY19 NYSE: CRM @Salesforce_ir Safe Harbor "Safe harbor"

Financial Update Q3 FY19 NYSE: CRM @Salesforce_ir Safe Harbor "Safe harbor"

Financial Update Q3 FY19 NYSE: CRM @Salesforce_ir Safe Harbor "Safe harbor" statement under the Private Securities Litigation Reform Act of 1995: This presentation contains forward-looking statements about our financial results,

356 views • 33 slides
2018-2019 IDD Waivers Renewal Children s Extensive S upport (CES ) Waiver Waiver Appendices

2018-2019 IDD Waivers Renewal Children s Extensive S upport (CES ) Waiver Waiver Appendices

9/ 6/ 2018 2018-2019 IDD Waivers Renewal Children s Extensive S upport (CES ) Waiver Waiver Appendices D, E,& F Presented by: Dennis Roy S ept-06 1 Our Mission Improving health care access and outcomes for the people we serve

539 views • 16 slides

More recommend