Using OpenBSD's chrooted Apache 101
BSD Forums writes "OpenBSD recently changed the mode of operation for the Apache webserver from the normal non-chrooted operation to chrooted operation. This enhances the security of the server on which Apache is run but it imposes a few challenges to the system administrator.
In this article Marc Balmer discusses selected aspects of running a chrooted HTTP daemon and presents strategies on how to set up a chrooted environment for more complex applications like database access or using CGI-scripts."
slashdotted (Score:1, Insightful)
Re:Challenges? (Score:1)
Just kidding. It is interesting though, that people die every day who most really want to live, but are unable to do anything to survive. All those people willing to live, while I have practically everything but can't get out of bed in the morning, much less summon any will to live. Ironic.
Slashdotness... (Score:1)
My peeve with PDFs is the size: slashdotted in 15 secs instead of 45 secs.
Dramatic in the slashdot community.
recently? (Score:1)
Security v. ease of use (Score:3, Insightful)
Just my
Re:Security v. ease of use (Score:1)
Re:Security v. ease of use (Score:2, Insightful)
OpenBSD does not cater to "Joe User" nor does it claim to. You are correct, Joe User should be using something that gives more direction and simplifies their experience such as RedHat.
-Rusty
Re:Security v. ease of use (Score:2)
Re:Security v. ease of use (Score:2)
If that were really true then why don't you shut down your computer? It would certainly make it much more secure at the expense of ease of use?!
Re:Security v. ease of use (Score:2)
Security should be easy to implement and difficult to circumvent.
Re:Security v. ease of use (Score:1)
Re:Security v. ease of use (Score:2)
That's not a lot of cents. I really love it when people go as far as to put
"Just my USD $0.02"
Wankers.
site is /.'ed (Score:3, Informative)
Rus
Re:site is /.'ed (Score:5, Informative)
Thankfully, under OpenBSD even the apache parent process does not run as root:
www 2376 0.0 0.3 1120 1440 ?? Ss Wed08PM 0:05.56 httpd: parent [chroot
www 12097 0.0 0.2 1196 1008 ?? I Wed08PM 0:00.02 httpd: child (httpd)
This means "remote root exploit" in Apache becomes "remote www-user-in-chroot exploit" for OpenBSD.
It's a very nice feature. I wrote a document on how to get CVSWeb running within the Apache chroot environment recently. I'm guessing Marc's paper is somewhat similar in nature.
http://marc.theaimsgroup.com/?l=openbsd-misc&m=
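The post above makes its point from two `ps` lines: the httpd parent is owned by `www` and advertises its chroot in the process title. Below is an added example, not from the thread or from OpenBSD, that turns that check into a small audit over a `ps aux`-style listing. The listing is a constructed sample in the same shape as the lines quoted above (the `[chroot /var/www]` title and the `/usr/sbin/httpd` path are assumed values), and the two functions report how many httpd processes still hold root and whether a chrooted parent is present.

```c
/* Added example (not from the thread): audit a ps-style listing for httpd
 * processes owned by root, the condition the post above says OpenBSD avoids. */
#include <stdio.h>
#include <string.h>

/* Constructed sample listing: an OpenBSD-style chrooted parent run as www,
 * its child, a stock-Apache-style parent run as root, and an unrelated cron. */
static const char *sample_listing =
    "www    2376 0.0 0.3 1120 1440 ??  Ss  Wed08PM 0:05.56 httpd: parent [chroot /var/www]\n"
    "www   12097 0.0 0.2 1196 1008 ??  I   Wed08PM 0:00.02 httpd: child (httpd)\n"
    "root   1040 0.0 0.2 2644  156 ?   S   2002    0:00    /usr/sbin/httpd\n"
    "root     42 0.0 0.1  500  200 ??  Is  Wed08PM 0:00.01 cron\n";

/* Returns the number of lines whose first field (the owning user) is "root"
 * and whose command mentions httpd. Non-zero means some httpd process,
 * parent or child, still runs with full privileges. */
int count_root_httpd(const char *listing)
{
    int count = 0;
    const char *line = listing;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;            /* truncate overlong lines safely */
        memcpy(buf, line, len);
        buf[len] = '\0';
        char user[32];
        if (sscanf(buf, "%31s", user) == 1
            && strcmp(user, "root") == 0
            && strstr(buf, "httpd") != NULL)
            count++;
        line = nl ? nl + 1 : line + len;
    }
    return count;
}

/* Returns 1 if an httpd parent advertises a chroot in its process title
 * (the "httpd: parent [chroot ...]" form quoted in the thread), else 0. */
int has_chrooted_parent(const char *listing)
{
    return strstr(listing, "httpd: parent [chroot") != NULL ? 1 : 0;
}

int main(void)
{
    printf("root-owned httpd processes: %d\n", count_root_httpd(sample_listing));
    printf("chrooted parent present: %s\n",
           has_chrooted_parent(sample_listing) ? "yes" : "no");
    return 0;
}
```

On a live system the listing would come from `ps aux` (or `ps -ef` on SysV-style ps, where the user field is also first); the sample above mixes both layouts on purpose so the user-field check does not depend on column widths.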
Re:site is /.'ed (Score:1)
User apache
Group apache
Apache will bind as root and then drop privs to the named user.
Re:site is /.'ed (Score:3, Informative)
No, it won't. Build it from source, put that in the config, start it as root, and look again. The parent is still running as root.
root 1040 0.0 0.2 2644 156 ? S 2002 0:00
It needs to bind port 80. OK, so bind the port and then drop privs. It needs to control the logs so that the evil children don't touch it. OK, so change to a different user (other than the network-listeners). Anything b
Re:site is /.'ed (Score:1)
If someone can get root permission inside a chroot you can break out [bpfh.net]
Sure, but then again who in their right mind runs a web browser, ftp server, cvs site, news server, name server or practically any server as root anymore?
Breaking a Chroot (Score:4, Informative)
It protects against raw devices, special chroot attacks, UID escalation attacks, many buffer overflows, and other problems. In addition, it adds a whole ACL (Access Control List) system for protecting applications and the overall environment. For a full list of features go to http://www.grsecurity.org/features.php.
I've used this on many different servers with no problems at all. It certainly make you feel better on those servers directly connected to the net.
Re:site is /.'ed (Score:2)
Hey - you guys broke my httpd.conf file! (Score:5, Interesting)
It seems the chrooted Apache configuration in 3.2 is turned on by default, and it prevents cgi mappings from working properly under VirtualHosts directives. I was kind of aggravated; it took a while to figure out what was wrong.
It's documented in the OpenBSD FAQ [openbsd.org], but I couldn't pinpoint the problem to OpenBSD specifically (and the error log was mysteriously unhelpful at diagnosing the problem), so I spent quite a while reading up on Apache directives before I figured it out.
It was frustrating, but I know Apache considerably better now, so I guess it was worth it. I agree that security is very admirable, which is why I use OpenBSD in the first place, but I think certain options should be turned off by default, especially if they break common services like VirtualHosts cgi ScriptAliases.
Realistically, are most web servers going to be set up just to host one web site? Or am I the only one who uses VirtualHosts on most of my servers?
Re:Hey - you guys broke my httpd.conf file! (Score:2)
Rus
Re:Hey - you guys broke my httpd.conf file! (Score:2, Insightful)
the relatively scarce number of IP addresses left
roll on ipv6
Re:Hey - you guys broke my httpd.conf file! (Score:5, Informative)
ostiguy
Re:Hey - you guys broke my httpd.conf file! (Score:1)
# use -u to disable chroot, see httpd(8)
httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
Re:Hey - you guys broke my httpd.conf file! (Score:1)
Re:Hey - you guys broke my httpd.conf file! (Score:1)
What I really wanted to say though, is that I like OpenBSD very muchly
Re:Hey - you guys broke my httpd.conf file! (Score:3, Funny)
If you want a web server that has security features disabled by default, there are other options [microsoft.com].
;-P
psxndc
Marc's Bro (Score:3, Funny)
Re:*BSD is dying (Score:1, Insightful)
Let's put it this way, BSD will not die as long as MacOS X exists. Plus note, it's not about the market share if you can grok the source code!
-uso.
BSD r0x0r!
(Yeah, I know, I'm -1 Offtopic.)
Re:*BSD is dying (Score:2)
Re:*BSD is dying (Score:1)
-uso.
Re:*BSD is dying (Score:2)
I would have liked to read the document... (Score:1)
I'm not trying again...
Recently ? (Score:5, Informative)
Apache 2 (Score:1)
Instead, I installed Apache 2.
But considering I'm not doing any mission critical stuff -- I'm really not too worried.
Perhaps all I have to worry about now is getting the speed of my CGI scripts up... But maybe that's just because they're running on a Pentium 100. =)
Rock on OpenBSD!
OpenBSD in the news (Score:1)
Performance hit? (Score:3, Interesting)
I wonder if this inflicts a performance hit, or more memory is required as a result. I know more disk space is needed, but with the smallest IDEs these days being 40GB, I'm not worried there.
If there's really no performance hit, I wonder if all daemons can be run in separate chroots; indeed, could an inetd be developed that chroots all its daemons? Necessary read-only stuff like libc might be hard-linked rather than copied to save space, unless that would be too much of a security breach.
My very lazily set up FreeBSD server never gave me problems, and I wouldn't be implementing this in my production server yet, but it's nice to HAVE DONE stuff like this to:
(1) boast
(2) print on resume
(3) profit!
Re:Performance hit? (Score:4, Informative)
Re:Performance hit? (Score:2)
Re:Performance hit? (Score:2, Informative)
Even bind mounts are not secure. They can be remounted read/write, assuming they were read-only to begin with. One way to be sure that can't happen is to have the filesystem so mounted be a loopback to a file which resides on a filesystem which is mounted read/only. That underlying filesystem cannot be changed from inside the chroot (because there is no mount point therein to reference it), so even if the loopback mounted filesystem is made read/write, write attempts should ultimately fail (but even this
Re:Performance hit? (Score:2)
mkdir foo; chroot foo; cd
Running it chrooted isn't always a useful option. (Score:2)
Re:Broken chroot implementation? (Score:1)
There are certain things that have to work inside chroot for it to remain usable for the things it was originally designed for, which includes building new systems. Those things that are designed to fail (e.g. pass the test) in grsecurity's system, which fail the test (e.g. the code still works) on the others, are needed for many use that chroot is used for. For example you can't make a new system without being able to use mknod and use the device made in that run. And that's a capability which can be ab
Why BSD? (Score:2, Insightful)
Yes, it is their loss -- but generally applicable topics that just happen to be demonstrated on a BSD really should not be tagged 'BSD' in the Slashd
Re:Why BSD? (Score:2, Informative)
AFAIK this is not information everybody can use since this feature only exists on OpenBSD. Apache is patched to chroot() to its own folder. The -u flag does not exist on standard Apache [apache.org].
Does anyone have a bittorrent of the pdf? (Score:3, Insightful)
Re:Does anyone have a bittorrent of the pdf? (Score:2)
openBSD features (Score:2, Funny)
Neat! I hope FreeBSD and NetBSD use this feature when they all merge [slashdot.org].
Looking forward to it. ;)
Why don't the various Linux Dists... (Score:5, Interesting)
Re:Why don't the various Linux Dists... (Score:1)
From what I'm told:
gentoo comes with propolice, but it's turned off by default "because some things break"
in openbsd 3.3, propolice is turned on by default "because some things break"
=D
Re:Why don't the various Linux Dists... (Score:2)
Re:Why don't the various Linux Dists... (Score:1)
The only one that doesn't is gentoo. It's actually on a pretty level playing field with FreeBSD.
Gentoo uses the ports collection, so you can get your chrooted packages off of there. But a lot of times they don't run chrooted by default. This is changing at a good rate (in gentoo at least). When I do an overnight emerge, when I merge in etc-update I am finding that my chroot config directives are getting overwritten by the new config data more and more now.
The myth of chroot security (Score:2)
For instance, there are several ways to get out of a chrooted environment that have been known for years. Fut
Re:The myth of chroot security (Score:1)
I'm not familiar with raw I/O - does this need a device file to open() first or do you specify the major and minor device numbers as part of the system call in some evil way?
They do (Score:2)
Mandrake have begun to.
Mirror (Score:2, Informative)
Mirror (Score:3, Informative)
Rus
Why is there an "Apache" user? (Score:4, Interesting)
If I have 100 clients using a web server, there's no way for me to protect their stuff from each other. NONE.
It doesn't matter what permissions I apply. I can run PHP in "safe" mode, and apply bandaids to the problem to mitigate this weakness, but it's still there.
Maybe make apache run under xinet.d. (Gee, there goes the "must run as root" problem!) Maybe just have a connection process that connects to an actual daemon for performance reasons.
But Apache should run as the user that owns the site being accessed!
Imagine this in your httpd.conf:
<VirtualHost *>
ServerName www.clientsite.com
ServerAlias clientsite.com
DocumentRoot ~client/html
RunAsUser client
</VirtualHost>
If done right, you should be able to chroot user "client" and have the DocumentRoot be relative within the chrooted file system!
This is a feature of 2.x that is the *only* feature I'm looking forward to. And yet, for some reason, it's on the back burner. It's "unstable", or "in progress". In short, it still sucks.
So we continue to run in an inherently lame-brained environment with security leaks all over the place, with this "unprivileged user" (typically "nobody") that has more permissions than any other user save root.
Ugh.
Re:Why is there an "Apache" user? (Score:2)
Essentially, by the time you've figured out which vhost the client is requesting, you're bound to a specific httpd process which normally runs as www/nobody or whatever you've configured it as. As those users cannot setuid to the RunAsUser, you can't modify the uid/euid at that stage, only root can do that and you don't want root handling that part of the negotiation!
The alternative is to run wi
Re:Why is there an "Apache" user? (Score:4, Informative)
You use multiple processes then. You can pass the socket file descriptor to another process via UNIX sockets. Or you could just keep proxying the connection to another process if you want portability.
For example you could have a few "connection broker" processes which would parse the initial request. That process would figure out who exactly should be handling the request. Once that's done, it sends very simple request to very small master process which runs as root, consisting of wanted url handler (file, directory, whatever). The root running process verifies the handler is valid, and then either returns error or forwards the connection to the actual handler process (either exec + setuid(), or reuse existing process).
There's at least kchuid [nimh.org] which could do that.
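The imagined RunAsUser vhost above and the "connection broker" design in this reply both hinge on one mechanism: an unprivileged process that has already accepted and parsed the request hands the connection's file descriptor to a different process, so that the privileged part never touches the client's bytes. The added example below (mine, not code from the thread, from Apache or from kchuid) shows that descriptor hand-off with sendmsg()/recvmsg() and SCM_RIGHTS over a UNIX socketpair. A pipe stands in for the accepted client socket (a constructed stand-in), the "broker" side sends its write end, and the "handler" side answers through the descriptor it received.

```c
/* Added example (not from the thread): pass an open file descriptor between
 * processes over a UNIX-domain socket using SCM_RIGHTS ancillary data. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Send one descriptor over a UNIX-domain socket. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd_to_send)
{
    char byte = 'F';                       /* at least one data byte must accompany the fd */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd or -1. The receiving (possibly
 * privileged) side validates the control message instead of trusting it. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;                         /* no descriptor attached: reject */
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Demo: returns 1 if the "handler" could answer through the descriptor the
 * "broker" passed it, 0 otherwise. Both roles live in one process here so the
 * mechanics are visible; in a real server they would be separate processes. */
int demo_pass_fd(void)
{
    int sp[2], pipefd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(pipefd) < 0)
        return 0;
    const char *reply = "HTTP/1.0 200 OK\r\n";   /* constructed sample response */
    int ok = 0;
    if (send_fd(sp[0], pipefd[1]) == 0) {        /* broker hands over the "client" */
        int handler_fd = recv_fd(sp[1]);         /* handler receives a new fd number */
        if (handler_fd >= 0) {
            char buf[64] = {0};
            if (write(handler_fd, reply, strlen(reply)) == (ssize_t)strlen(reply)
                && read(pipefd[0], buf, sizeof buf - 1) == (ssize_t)strlen(reply)
                && strcmp(buf, reply) == 0)
                ok = 1;
            close(handler_fd);
        }
    }
    close(sp[0]); close(sp[1]); close(pipefd[0]); close(pipefd[1]);
    return ok;
}

int main(void)
{
    printf("descriptor hand-off %s\n", demo_pass_fd() ? "worked" : "failed");
    return 0;
}
```

The received descriptor refers to the same open file description as the sender's, so the handler can read and write the client connection even though it never called accept(); the process that holds root only ever sees the small control message, which is the property the broker design is after.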
Re:Why is there an "Apache" user? (Score:2)
Anybody who says "it can't be done" is simply wrong. It can obviously be done, in a number of ways, with minimal repercussions.
I'd almost give a left nut for something like this that actually worked.
So why hasn't it been done?
Re:Why is there an "Apache" user? (Score:2)
Want to pay for it? ;) I've thought a few times that this would be interesting to do, but I already have other projects and I don't actually need it.
WRT running as root, solution is easy (Score:2)
And for an encore?
Change your user skeleton so public_html becomes a link to
Re:Why is there an "Apache" user? (Score:1)
I've always set up Apache so CGI runs as the user who owns the site. The problem is, that requires retaining the permission to switch to that user somewhere, even if just within the "suexec" file (is suid root).
The problem with Apache is that it is so large, and so much code would run as root, that it is unsafe to allow that. So the usual course is to run Apache non-root, and let "suexec" do the permission switch. Supposedly it can verify if it is being run correctly from the Apache process (as opposed
Re:Why is there an "Apache" user? (Score:1)
Maybe users should have to each run their own instance of Apache on separate IP addresses (they have to if they want to run an HTTPS secured web site, anyway).
Of course, this negates the whole point of IPv4 address conservation that name-based virtual hosts afford.
What if you could do name-based virtual hosting with each user running their own instance of Apache (using a single IP for Port 80 virtual hosts (machine-wide), which is probably most of what is on the server anyhow)? Port 443 virtual hosts w
Re:Why is there an "Apache" user? (Score:1)
Sure, it is doable to have a single IP working HTTP requests by name and have each site or group of sites (same user) have a dedicated server. I don't know how easy it could be retrofitted into Apache, but certainly one way to do this is to have a front end like a proxy that checks the host of the request and routes the request accordingly. Maybe that could be routed to a different port number according to a configured map. But I would be more inclined to route the requests to a named pipe in the filesys
It's nice but.... (Score:2, Insightful)
Why? No fault of OpenBSD, really. Simply that in order to do anything really interesting, I had to disable the chroot of httpd. Take perl scripts, for example: If a CGI script is supposed to be interpreted by
Breaking in (Score:2)
True, but they can `break in'. Move the real files to /var but outside the jail(s), put symlinks in their places, and hardlink yourself silly. Of course, I habitually mount /var as nosuid,nodev, so I don't expect much joy from suidperl, for instance. (-:
Nice for some (Score:2, Interesting)
Using the grsecurity kernel patch, I can use trusted path execution and take execution privileges away from the apache group, and set its gid = 1005 (or whatever you specified under trusted path execution for the untrusted group in the grsecurity options) and then only give apache execute rights on specific
Emergency Closing (Score:1, Funny)
To the University of Maryland Community:
The University of Maryland will shut down in its entirety for Friday, April 11th.
As the deadline for the submission of University's final budget to the state has approached, it has become clear that we are suffering from a large budget shortfall. Because of this, we are forced to shut down the entire campus for a full day. We apologize for the short notice of this cancellation.
Dining services will still be running so that students may eat, and the stud