<HTML><HEAD>
<TITLE>Security Guidelines -- Recommended Security Modifications</TITLE>
<LINK rel=Previous href="sec-ch1.htm">
<LINK rel=ToC href="toc.htm">
<LINK rel=Index href="master.htm">
<LINK rel=Next href="acc-ch.htm">
</HEAD><BODY BGCOLOR="#ffffff"><A NAME="topofpage"></A>
<TABLE WIDTH=100%>
<TR>
<TD ALIGN=LEFT>
<A NAME="topofpage"></A> <IMG SRC="as-c-sm.gif">
</TD>
<TD ALIGN=RIGHT>
<A href="sec-ch1.htm"><IMG BORDER="0" src=navbprev.gif alt="[ Previous ]"></A>
<A href=toc.htm> <IMG BORDER="0" src=navbhome.gif alt="[ Contents ]"></A>
<A href=master.htm> <IMG BORDER="0" src=navbhelp.gif alt="[ Index ]"></A>
<A href="acc-ch.htm"> <IMG BORDER="0" src=navbnext.gif alt="[ Next ]"></A>
<A name="7983"> </A>
</TD>
</TR>
</TABLE>
<a name="8685">
</a><h3>Recommended Security Modifications</h3>
<p><a name="8686">
</a>The actions described in this section are recommended, but not required, to ensure the security of systems running AOLserver.</p>
<a name="8687">
</a><h4>AOLserver Version</h4>
<p><a name="8688">
</a>In general, AOLserver versions 3.0 and higher should be used whenever possible, because they are more secure than earlier versions of AOLserver. </p>
<a name="8689">
</a><i>Removed Features:</i>
<p><a name="9611">
</a>The following features were removed in version 3.0 because they were potential security holes:</p>
<ul><li>Remote editing of content on PUT, DELETE, or MKDIR requests through AOLpress or other network publishing tools is no longer supported.<a name="8690">
</a>
<p><li>Directory listings on BROWSE requests are no longer supported. A "Not Found" error is issued when a directory is requested.<a name="8691">
</a>
<p><li>The nsftp module has been removed.<a name="8692">
</a>
<p><li>The Setup Server has been removed.<a name="8693">
</a>
<p><li>The administration interface under the /NS/Admin URL has been removed.<a name="8694">
</a>
<p><li>Tcl reinitialization and Tcl evaluation under the /NS/EvalTcl URL have been removed.<a name="8695">
</a>
<p><li>Automatic database forms under the /NS/Db URL and all database system catalog query functions are no longer supported.<a name="8696">
</a>
<p><li>Virtual servers, and the ability for one server to access memory and resources of another server, are no longer supported.<a name="8697">
</a>
<p></ul><a name="8698">
</a><i>New Features:</i>
<p><a name="9610">
</a>The following new features were added in Version 3.0 to provide additional security:</p>
<ul><li>AOLserver can be run in a chroot environment.<a name="8699">
</a>
<p><li>The configuration file, which has a new Tcl format, is executed in a separate, temporary interpreter that is destroyed before startup begins. The configuration file memory buffer is then zeroed after parsing.<a name="8700">
</a>
<p><li>The nsd binary can be stored outside the root directory because AOLserver no longer locates and re-executes itself.<a name="8701">
</a>
<p><li>The configuration file can be stored outside the root directory, because AOLserver opens and reads the configuration file before running chroot().<a name="8702">
</a>
<p><li>The new nscp module, which allows connections only from localhost, provides a secure control port interface that allows ad hoc Tcl evaluation and other server administration features. For more information about the control port interface, see the <a href="acc-ch1.htm#12755">"AOLserver's Control Port Interface" section</a>.<a name="8703">
</a>
<p></ul><a name="8704">
</a><h4>Secure chroot Environment</h4>
<p><a name="8705">
</a>AOLserver should be run in a secure chroot() environment whenever possible.</p>
<p><a name="8706">
</a>In Versions 3.0 or higher, AOLserver supports a <b>-r</b> command line option to run AOLserver in a chroot() environment. It provides the following benefits:</p>
<ul><li>The chroot() system call updates the process such that all absolute filenames are relative to a new root directory instead of the actual mounted file system.<a name="8707">
</a>
<p><li>The chroot() call is irrevocable. Once chroot() returns, the server cannot access any file above the new root directory.<a name="8708">
</a>
<p><li>Although it does not actually protect any of the underlying content, scripts, or protected databases, chroot() is the single most effective tool for protecting the server machine and sensitive information, such as user passwords and configuration files, from view.<a name="8709">
</a>
<p></ul><p><a name="8710">
</a>To run AOLserver in a chroot() environment, you need only copy a few files and directories to the new root directory. For example, on the SGI platform, you would execute the following commands to create new directories and copy the necessary files to them:</p>
<pre> <a name="8711"></a><code>mkdir $root/dev $root/tmp $root/etc
</code> <a name="8712"></a><code>chmod 1777 $root/tmp
</code> <a name="8713"></a><code>cd $root/dev; /dev/MAKEDEV generic usema
</code> <a name="8714"></a><code>cp /etc/passwd /etc/resolv.conf $root/etc
</code></pre><p><a name="8715">
</a>Then, you can run AOLserver with the <b>-r</b> option as in this example:</p>
<pre> <a name="8716"></a><code>nsd -t nsd.tcl -r $root
</code></pre><p><a name="9657">
</a>For more information about the nsd command line, see the <a href="tech-ch1.htm#20993">"AOLserver Command Line" section</a>.</p>
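<p>A check to run on the new root directory before starting nsd with <b>-r</b>, shown as an added example that is not part of the original AOLserver guide. It assumes a POSIX shell with find and awk; the function name audit_chroot, the rule that "x", "*" or "!" in the second passwd field means no hash is stored there, and the sample tree are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: audit a chroot tree before starting nsd with -r.
# Prints one finding per line; returns non-zero if there is any finding.
audit_chroot() {
    root=$1; rc=0
    for d in dev tmp etc; do
        [ -d "$root/$d" ] || { echo "missing directory: $d"; rc=1; }
    done
    # tmp must be sticky and world-writable (chmod 1777)
    if [ -d "$root/tmp" ]; then
        mode=$(ls -ld "$root/tmp" | cut -c1-10)
        [ "$mode" = "drwxrwxrwt" ] || { echo "tmp is $mode, want drwxrwxrwt"; rc=1; }
    fi
    for f in etc/passwd etc/resolv.conf; do
        [ -f "$root/$f" ] || { echo "missing file: $f"; rc=1; }
    done
    # Assumption: "x", "*" or "!" in field 2 means no hash is stored there.
    if [ -f "$root/etc/passwd" ]; then
        n=$(awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[*!]/ { c++ }
                     END { print c + 0 }' "$root/etc/passwd")
        [ "$n" -eq 0 ] || { echo "etc/passwd exposes $n password hash(es)"; rc=1; }
    fi
    # Outside tmp and dev, nothing should be world-writable.
    ww=$(find "$root" \( -path "$root/tmp" -o -path "$root/dev" \) -prune \
              -o ! -type l -perm -0002 -print)
    [ -z "$ww" ] || { echo "world-writable: $ww"; rc=1; }
    return $rc
}

# Constructed sample tree (dev is left empty; real device nodes need root).
demo=$(mktemp -d)
mkdir "$demo/dev" "$demo/tmp" "$demo/etc"; chmod 1777 "$demo/tmp"
printf 'root:x:0:0::/:/bin/sh\nolduser:abJnggxhB/yJM:501:20::/:/bin/sh\n' \
    > "$demo/etc/passwd"
audit_chroot "$demo" || echo "chroot tree needs attention"
rm -rf "$demo"
```

<p>On a system that keeps password hashes in /etc/passwd, copying the file unchanged puts those hashes inside the new root, so trim the copy to the accounts the server needs.</p>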
<a name="8717">
</a><h4>Remote Editing of Content</h4>
<p><a name="8718">
</a>Determine whether any remote editing of content through AOLserver is necessary. In general, all AOLpress-like updating should be disabled. All the code that supported AOLpress was removed in version 3.0.</p>
<p><a name="8719">
</a>If remote editing is necessary, it should be done with traditional tools such as ftp, rather than the nsftp module. The nsftp module was removed in version 3.0.</p>
<a name="8720">
</a><h4>Restricted Content</h4>
<p><a name="8721">
</a>Determine whether any of the content available to an AOLserver in a chroot() environment would be restricted. In general, AOLserver should be read-only and everything it can read should be world-readable. This allows the AOLserver administrator to ignore the nsperm module altogether.</p>
<p><a name="8722">
</a>If any of the content available to AOLserver is restricted, the AOLserver administrator needs to define the appropriate permissions with the nsperm module. The administrator should be very clear which areas are blocked off and know both the URL and METHOD for the restricted areas.</p>
<p><a name="8723">
</a>It is preferable to allow the GET method for all URLs and have nothing restricted accessible through AOLserver.</p>
<a name="8724">
</a><h4>Tcl Library</h4>
<p><a name="8725">
</a>Limit the available Tcl functions to just those needed by that particular AOLserver installation. Purge the Tcl library of unnecessary functions. For example, if the site doesn't send e-mail, remove the ns_sendmail procedures.</p>
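<p>Before purging or disabling a command, it helps to know which library scripts still call it. The scan below is an added example, not part of the original AOLserver guide; it looks for the commands this section names as potentially unsafe (open, read, puts, socket, ns_sock*, exec, exit, file delete and file rename). The function name scan_tcl_lib, the assumption that library scripts end in .tcl, and the sample files are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: find call sites of the commands this section names, so you
# know what would break before a command is purged or disabled.
UNSAFE='open|read|puts|socket|ns_sock[a-z]*|exec|exit|file[[:space:]]+(delete|rename)'

# scan_tcl_lib DIR
# Prints "path:line:text" for every non-comment line under DIR that uses one
# of the commands in command position: at line start or right after [ ; {
scan_tcl_lib() {
    find "$1" -type f -name '*.tcl' -exec \
        grep -n -E "(^|[[;{])[[:space:]]*($UNSAFE)([[:space:]]|[];}]|\$)" \
             /dev/null {} + |
        grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# Constructed sample library
lib=$(mktemp -d)
cat > "$lib/util.tcl" <<'EOF'
proc read_conf {path} {
    set fd [open $path r]
    set data [read $fd]
    close $fd
    return $data
}
# [exec rm] appears only in this comment
proc cleanup {f} { file delete $f }
proc ping {h} { catch {exec ping -c 1 $h} }
EOF
cat > "$lib/mail.tcl" <<'EOF'
proc send_note {to} { ns_sendmail $to webmaster@example.invalid note body }
EOF
scan_tcl_lib "$lib"
rm -rf "$lib"
```

<p>A command with no hits is a candidate for disabling outright; one with hits needs its callers reviewed first. The match is textual, so a word such as open inside a braced list is also reported.</p>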
<p><a name="8726">
</a>Some potentially unsafe commands you may want to consider removing are:</p>
<ul><li>File system related functions, such as open, read, and puts<a name="8727">
</a>
<p><li>The AOLserver ns_sock* Tcl functions<a name="8728">
</a>
<p><li>The Tcl 7.6 socket routines<a name="8729">
</a>
<p><li>The <b>exec</b> command<a name="8730">
</a>
<p><li>The <b>file</b> command, or at least the delete and rename features<a name="8731">
</a>
<p><li>The <b>exit</b> command<a name="8732">
</a>
<p></ul><p><a name="8733">
</a>This code example disables the <b>open</b> command:</p>
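<pre> <a name="8734"></a><code>#include &lt;tcl.h&gt;

/* Forward declaration: AddCmds refers to BadCmd before it is defined. */
static int BadCmd(ClientData dummy, Tcl_Interp *interp, int argc,
char **argv);

/* Interpreter init callback: replace "open" with a stub that always fails. */
static int AddCmds(Tcl_Interp *interp, void *arg)
</code> <a name="8735"></a><code>{
</code> <a name="8736"></a><code>    Tcl_CreateCommand(interp, "open", BadCmd, NULL, NULL);
</code> <a name="8737"></a><code>    return TCL_OK;
</code> <a name="8738"></a><code>}

/* Stub command: report which command was blocked and return an error. */
</code> <a name="8739"></a><code>static int BadCmd(ClientData dummy, Tcl_Interp *interp, int argc,
char **argv)
</code> <a name="8740"></a><code>{
</code> <a name="8741"></a><code>    Tcl_AppendResult(interp, "disabled command: ", argv[0], NULL);
</code> <a name="8742"></a><code>    return TCL_ERROR;
</code> <a name="8743"></a><code>}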
</code></pre><p><a name="8744">
</a><h4>Database Access</h4>
<p><a name="8745">
</a>Database access should be restricted with read-only logins to the server and queries through stored procedures. Stored procedure capabilities were added to AOLserver in Version 3.0. Also, all ad hoc database forms and system catalog query functions were removed in Version 3.0.</p>
<p><a name="9678">
</a>For more information about the Tcl functions for stored procedures, see the <a href="tapi-c44.htm#67537">"ns_db" section</a> of the <i>AOLserver Tcl Developer's Guide</i>. For more information about the C functions for stored procedures, see the <a href="c-ch3.htm#789223">"Stored Procedure Functions" section</a> of the <i>AOLserver C Developer's Guide</i>.</p>
<a name="8746">
</a><h4>Setup Server Interface</h4>
<a name="8747">
</a><i>Versions prior to 3.0:</i>
<p><a name="8748">
</a>The Setup Server is almost always enabled. If possible, disable the Setup Server as described below. Disabling the Setup Server deactivates the ability to add and delete virtual servers, as well as other administrative functions, through web pages.</p>
<p><a name="8750">
</a>Disable the Setup Server by setting the Enabled parameter to Off in the <b>nsd.ini</b> configuration file as shown below.</p>
<pre> <a name="8751"></a><code>[ns/setup]
</code> <a name="8752"></a><code>Port=XXXX
</code> <a name="8753"></a><code>Password=XXXXXXXXXXXXX
</code> <a name="8754"></a><code>Enabled=Off
</code></pre><p><a name="8755">
</a><i>Versions 3.0 or higher:</i>
<p><a name="8756">
</a>The Setup Server does not exist. No action is necessary.</p>
<a name="8757">
</a><h4>Control Port Interface</h4>
<a name="8758">
</a><i>Versions prior to 3.0:</i>
<p><a name="8759">
</a>The control port interface does not exist. No action is necessary.</p>
<a name="8760">
</a><i>Versions 3.0 or higher:</i>
<p><a name="8761">
</a>The control port interface should not be used unless absolutely necessary. Although it is more secure than the /NS/Admin interface from earlier AOLserver versions because it only allows connections from localhost, it still poses a potential risk.</p>
<p><a name="9679">
</a>For more information about the control port interface, see the <a href="acc-ch1.htm#12755">"AOLserver's Control Port Interface" section</a>.</p>
<a name="8762">
</a><h4>Configuration File Permissions</h4>
<a name="8763">
</a><i>Versions prior to 3.0:</i>
<p><a name="8764">
</a>The <b>nsd.ini</b> configuration file can be read or overwritten through a remote exploit with the /NS/EvalTcl feature. You can set ownership of the <b>nsd.ini</b> file to root and its file permissions to 600 to protect the file from remote viewing by /NS/EvalTcl.</p>
<p><a name="8765">
</a>These file permission settings are more secure, but will disable your ability to use web pages to modify AOLserver configuration. If your requirements for your web server call for frequent configuration changes, you may choose not to implement this modification.</p>
<a name="8766">
</a><i>Versions 3.0 or higher:</i>
<p><a name="8767">
</a>The /NS/EvalTcl feature does not exist. It is still a good idea, however, to set the ownership of the <b>nsd.tcl</b> configuration file to root and its file permissions to 600.</p>
<p><a name="9353">
</a></p>
<TABLE BORDER="2" CELLPADDING="1" width="100%">
<TR><TD COLSPAN=3><P ALIGN=Center>
<IMG SRC="bluebult.gif">
<A HREF="#topofpage">
<FONT SIZE=-1>Top of Page</FONT></A>
<IMG SRC="bluebult.gif">
</TD></TR>
<TR><TD COLSPAN=3><P ALIGN=Center>
<BR align=center>
<FONT size=-1>Copyright © 1998-99 America Online,
Inc.</FONT>
</TD></TR></TABLE></BODY></HTML>