<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>How to run Caudium as a non-privileged user; How to secure Caudium</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
|
|
"><LINK
|
|
REL="HOME"
|
|
TITLE="Caudium HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Customizing your server"
|
|
HREF="customizing.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Customizing your server"
|
|
HREF="customizing.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="How to benchmark a web server"
|
|
HREF="benchmark.html"></HEAD
|
|
><BODY
|
|
CLASS="sect1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Caudium HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="customizing.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 5. Customizing your server</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="benchmark.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="secure">5.1. How to run Caudium as a non-privileged user; How to secure Caudium</H1
|
|
><P
|
|
> Web servers are usually publicly accessible and represent your company, group
|
|
or entity so there are chances you want to strengthen the security of this
|
|
service.
|
|
</P
|
|
><P
|
|
> As already mentioned, Caudium stands up well to the usual attacks on a
public web server, partly because it is mostly written in Pike, a
memory-managed scripting language. However, Caudium runs as root by
default. If an attacker gains control of the Caudium process, he gains
root privileges with it. Consequently, most web servers run as a dedicated
user with minimal privileges. Doing this with Caudium takes some work,
as you have to change the owner of every file Caudium needs write access
to, so here are step-by-step instructions for changing those
permissions:
|
|
</P
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> Find a good user name. This should be a dedicated, unprivileged account used for nothing else and without a login shell. Many distributions already have such an account. Common names include <SPAN
|
|
CLASS="QUOTE"
|
|
>"www"</SPAN
|
|
>, <SPAN
|
|
CLASS="QUOTE"
|
|
>"www-data"</SPAN
|
|
>, <SPAN
|
|
CLASS="QUOTE"
|
|
>"httpd"</SPAN
|
|
>, <SPAN
|
|
CLASS="QUOTE"
|
|
>"nobody"</SPAN
|
|
> (Caudium on Debian GNU/Linux runs as www-data:www-data by default). We don't recommend <SPAN
|
|
CLASS="QUOTE"
|
|
>"nobody"</SPAN
|
|
> though; to quote Theo de Raadt: <A
|
|
NAME="AEN704"><BLOCKQUOTE
|
|
CLASS="BLOCKQUOTE"
|
|
><P
|
|
>The user <SPAN
|
|
CLASS="QUOTE"
|
|
>"nobody"</SPAN
|
|
> has historically been doing too much. If you could break into the user <SPAN
|
|
CLASS="QUOTE"
|
|
>"nobody"</SPAN
|
|
>, you could cause great damage.</P
|
|
></BLOCKQUOTE
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Change the owner of the files which Caudium needs to write to. These include:
|
|
</P
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> Caudium internal log file (default.*).
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Per virtual server log file.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> All caches.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The configuration files (they are written by the <SPAN
|
|
CLASS="abbrev"
|
|
>CIF.</SPAN
|
|
>).
|
|
</P
|
|
></LI
|
|
></UL
|
|
><P
|
|
> On a Caudium source install, the following command, run from the top of the Caudium tree, should do the job:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
><TT
|
|
CLASS="computeroutput"
|
|
> # chown -R www-data:www-data logs/ var/ argument_cache/ bgcache/ \
    configurations/ server/*.pem server
|
|
</TT
|
|
></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> Here is the result:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
><TT
|
|
CLASS="computeroutput"
|
|
> $ ls -l
|
|
total 32
|
|
drwxr-sr-x 6 www-data www-data 4096 Feb 13 23:17 argument_cache
|
|
drwxr-sr-x 2 www-data www-data 4096 Feb 19 09:27 bgcache
|
|
drwxr-sr-x 2 www-data www-data 4096 Mar 4 22:28 configurations
|
|
drwxr-sr-x 4 root staff 4096 Feb 13 23:16 local
|
|
drwxr-sr-x 7 www-data www-data 4096 Mar 3 11:50 logs
|
|
drwxr-sr-x 2 root staff 4096 Feb 13 23:16 readme
|
|
drwxr-sr-x 19 www-data www-data 4096 Feb 19 20:13 server
|
|
drwxr-sr-x 2 www-data www-data 4096 Mar 3 19:28 var
|
|
|
|
$ id www-data
|
|
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
|
</TT
|
|
></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> If other users can log on to the server, also tighten the permissions of
the logs directory (for example <TT
CLASS="userinput"
><B
>chmod 750 logs</B
></TT
>): the access logs hold client addresses and request details those users
have no business reading. Note also that the command above hands the whole
server/ tree, that is the code Caudium runs, to www-data, so a compromised
server process can modify its own code. If you want to avoid that, keep
server/ owned by root and give www-data ownership only of the files under
it that it actually has to write to; the .pem files only need to be
readable by it.
|
|
</P
|
|
><P
|
|
> If you installed Caudium from a distribution package (such as the Debian GNU/Linux one), the directories live elsewhere; check the ownership of the package's log, cache and configuration directories by hand.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Don't forget to change the ownership or permissions of any script or
directory you created under the document tree that Caudium needs to write to.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Log into the <SPAN
|
|
CLASS="abbrev"
|
|
>CIF.</SPAN
|
|
>, go in the main <TT
|
|
CLASS="option"
|
|
>Global variables</TT
|
|
> tab, then in
|
|
<TT
|
|
CLASS="option"
|
|
>Change uid and gid</TT
|
|
> type the uid:gid data you choose. We typed <TT
|
|
CLASS="userinput"
|
|
><B
|
|
>33:33</B
|
|
></TT
|
|
>
|
|
in our example. You can also type a login name and group name: <TT
|
|
CLASS="userinput"
|
|
><B
|
|
>www-data:www-data</B
|
|
></TT
|
|
>.
|
|
You can also enable the <TT
|
|
CLASS="option"
|
|
>Change uid and gid permanently</TT
|
|
> option, but read its documentation first: with a temporary change the server keeps the ability to switch back to root (for instance to run user scripts as their owner), and so does anyone who compromises it; a permanent change gives that ability up and is the safer choice whenever you don't need it.</P
|
|
></LI
|
|
></OL
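<P
>The four steps above, as an added example that is not part of this HOWTO or of Caudium (which is written in Pike; Python is used here only for the demonstration): a script that first checks the result of step 2, that everything under the directories handed to www-data really is owned by it and that nothing is world-writable, and then shows what the <TT
CLASS="option"
>Change uid and gid</TT
> setting of step 4 does underneath, including why the permanent variant is the safer one. The directory names and the uid/gid 33 are taken from the listing above; the sample tree the script builds is constructed for the demonstration.
</P
>

```python
"""Added example for steps 2 and 4 of the HOWTO; not part of the HOWTO or
of Caudium. It assumes the source-install layout shown in the listing
(logs/, var/, argument_cache/, bgcache/, configurations/, server/) and
uid/gid 33 for www-data; the tree built by build_sample_tree() is
constructed for the demonstration."""
import os
import stat
import tempfile

# Directories the HOWTO hands over to the service account in step 2.
WRITABLE_DIRS = ("logs", "var", "argument_cache", "bgcache",
                 "configurations", "server")


def audit_tree(root, uid, gid):
    """Walk root and return (wrong_owner, world_writable), both sorted.

    wrong_owner: paths not owned by uid:gid, i.e. places chown -R missed.
    world_writable: paths any local user could modify (mode o+w); a
    world-writable log or cache directory defeats the point of step 2.
    Symlinks are skipped, as chown -R does not follow them either."""
    wrong_owner, world_writable = [], []
    for dirpath, _subdirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if (st.st_uid, st.st_gid) != (uid, gid):
                wrong_owner.append(path)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(path)
    return sorted(wrong_owner), sorted(world_writable)


def drop_privileges(uid, gid, permanent=True):
    """Switch the process to uid:gid the way a server started as root must.

    Order matters: supplementary groups and the gid go first, because once
    the uid is unprivileged they can no longer be changed; the uid goes
    last. permanent=True (setgid/setuid) also replaces the saved ids, so
    root cannot be regained afterwards. permanent=False (setegid/seteuid)
    leaves the saved id at 0, so the process can switch back to root, and
    so can an attacker who controls it. Returns True when the effective
    ids are now uid:gid."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' privileges to root")
    if os.geteuid() == 0:               # only root may set supplementary groups
        os.setgroups([gid])
    if permanent:
        os.setgid(gid)
        os.setuid(uid)
    else:
        os.setegid(gid)
        os.seteuid(uid)
    return os.geteuid() == uid and os.getegid() == gid


def can_regain_root():
    """True if the process can still become root (temporary change only)."""
    current = os.geteuid()
    try:
        os.seteuid(0)
    except PermissionError:
        return False
    os.seteuid(current)                 # restore so the caller is unaffected
    return True


def build_sample_tree():
    """Constructed stand-in for a Caudium source tree, owned by the caller.

    One file is deliberately left world-writable so the audit has
    something to report."""
    root = tempfile.mkdtemp(prefix="caudium-")
    for name in WRITABLE_DIRS:
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), 0o750)
    good = os.path.join(root, "configurations", "Global_Variables")
    bad = os.path.join(root, "logs", "access.log")
    for path, mode in ((good, 0o640), (bad, 0o666)):
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    wrong, loose = audit_tree(root, os.getuid(), os.getgid())
    print("not owned by us:", wrong)          # [] : the tree is ours
    print("world-writable:", loose)           # [.../logs/access.log]
    # What "Change uid and gid permanently" amounts to; needs root to matter.
    if os.geteuid() == 0:
        print("dropped to 33:33:", drop_privileges(33, 33, permanent=True))
        print("can regain root:", can_regain_root())   # False
    else:
        print("not root, nothing to drop")
```

<P
>Run the audit as the user who did the chown, pointing it at the real tree instead of the constructed one; run the privilege-drop part as root to watch it switch to 33:33 and then fail to get root back. The same call with permanent=False would report that root can still be regained, which is exactly what the permanent option in the <SPAN
CLASS="abbrev"
>CIF.</SPAN
> is there to prevent.
</P
>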
|
|
><P
|
|
> The following are general security measures you can take if you want to
be strict about security.
|
|
</P
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> Don't let untrusted users run code inside the server process.
</P
><P
> Because Caudium is a single-process server, code that runs inside it
runs with the server's own privileges: a user script can stop or restart
the server, read its configuration and data, and interfere with every
virtual server it hosts. This includes Pike scripts, Pike tags, and the
PHP module for Caudium.
</P
><P
> If you do want to let your users run scripts, use CGI, or better
uniscript (which is transparent to the user), so that each script runs in
a separate process created with the fork(2) system call. This only helps
if that process is not root as well, so combine it with the uid change
above or with uniscript executing scripts as their owner. It costs some
Caudium performance, but security has a price, and it is up to you to
decide how much you want to pay.
|
|
|
|
</P
|
|
><DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>Uniscript is a CGI-like wrapper. It executes programs as if they were
CGI scripts, but unlike CGI it does not require you to put them under a
specific directory such as /cgi-bin/; for example, each user can keep CGI
scripts in his or her own directory. Moreover, Caudium can execute them
with the uid of their owner, so a user's script runs with that user's
rights rather than the server's.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Don't use anything you don't need. Remove any modules you don't need in your virtual server.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Restrict access to the <SPAN
|
|
CLASS="abbrev"
|
|
>CIF.</SPAN
|
|
>. Don't reach it over the Internet if you can avoid it: bind it to
localhost or an administrative network and go through SSH. SSL alone does
not protect the CIF. password either. A man-in-the-middle attacker can
proxy the HTTPS connection with a forged certificate, and if the browser
accepts that certificate (or the administrator clicks through the
warning) the whole session, password included, is readable in clear text.
|
|
The <SPAN
|
|
CLASS="application"
|
|
>dsniff</SPAN
|
|
> package contains the tools (webmitm) and an explanation of this attack. The defence is to verify the CIF. certificate fingerprint and never to accept a certificate warning for it.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Turn off these options:
|
|
</P
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> <TT
|
|
CLASS="option"
|
|
>Global Variables</TT
|
|
> -> <TT
|
|
CLASS="option"
|
|
>show_internals</TT
|
|
>.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <TT
|
|
CLASS="option"
|
|
>Global Variables</TT
|
|
> -> <TT
|
|
CLASS="option"
|
|
>Version numbers</TT
|
|
> -> <TT
|
|
CLASS="option"
|
|
>Show Caudium Version Number</TT
|
|
>.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <TT
|
|
CLASS="option"
|
|
>Global Variables</TT
|
|
> -> <TT
|
|
CLASS="option"
|
|
>Version numbers</TT
|
|
> -> <TT
|
|
CLASS="option"
|
|
>Show Pike Version Number</TT
|
|
>.
|
|
</P
|
|
></LI
|
|
></UL
|
|
><P
|
|
> Turn off any module-specific debug options. They are meant for
developers, and debug output is written without security in mind: it can
leak file paths, configuration values and request contents.
|
|
<A
|
|
NAME="AEN770"><TABLE
|
|
BORDER="0"
|
|
WIDTH="100%"
|
|
CELLSPACING="0"
|
|
CELLPADDING="0"
|
|
CLASS="BLOCKQUOTE"
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
VALIGN="TOP"
|
|
> </TD
|
|
><TD
|
|
WIDTH="80%"
|
|
VALIGN="TOP"
|
|
><P
|
|
> Actually, this is security through obscurity and doesn't
|
|
increase the security of the server.
|
|
</P
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
VALIGN="TOP"
|
|
> </TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
COLSPAN="2"
|
|
ALIGN="RIGHT"
|
|
VALIGN="TOP"
|
|
>--<SPAN
|
|
CLASS="attribution"
|
|
>Grendel</SPAN
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
> </TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Output Caudium's log files to a separate partition. <TT
|
|
CLASS="filename"
|
|
>/var</TT
|
|
> is a good choice for that purpose: a request flood then fills the log
partition rather than the root filesystem, so the rest of the system keeps
running and log growth cannot be used to knock it over.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Check the Caudium web site regularly for security patches, and apply them promptly.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> If your job depends on your web server's security, audit the Caudium source yourself, including the modules you enable.
|
|
</P
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="customizing.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="benchmark.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Customizing your server</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="customizing.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>How to benchmark a web server</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |