File: security.html

aolserver4 4.5.1-15.1
<html>
<head>
<title>AOLserver</title>
</head>
<body>

<h1>AOLserver Security Guide</h1>

<p>
<small>
$Header: /cvsroot/aolserver/aolserver.com/docs/admin/security.html,v 1.1 2002/03/07 19:15:34 kriston Exp $
</small>
<p>


This chapter provides guidelines for ensuring the security of systems
running AOLserver. It describes the issues that must be considered and
the associated modifications that should be made to AOLserver
installations.

<p>

<h3>General nsadmin Passwords</h3>

<p>

By default, the nsadmin password for AOLserver is either set to NULL
or to a poor password. Set an acceptable password for nsadmin as
described below.

<p>

Edit the nsadmin entry in the /modules/nsperm/passwd file. For
example, the default passwd file contains this nsadmin entry:
<pre>
nsadmin:CUdnvgBYocLSI:::::
</pre>

<p>

Substitute an alternate encrypted password in place of CUdnvgBYocLSI.

<p>

To encrypt a password, you can copy an already-encrypted password from
the /etc/passwd file or run the bin/nspasswd utility. It will prompt
you for a password and return the encrypted version of the password.

<p>

For more information about the passwd file, see the "Defining Users"
section.
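
<p>

One way to check a deployed passwd file for the weak nsadmin entries described above (an added example, not part of the original guide or the AOLserver distribution). It assumes the name:hash::::: layout shown above, with the hash in the second field, and that lines beginning with # are comments; the finding labels and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an nsperm passwd file for empty or default passwords.
# DEFAULT_HASH is the hash this guide shows for the shipped nsadmin entry.
DEFAULT_HASH='CUdnvgBYocLSI'

# audit_nsperm_passwd FILE
# Prints one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if FILE is unreadable.
audit_nsperm_passwd() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -F: -v def="$DEFAULT_HASH" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        $2 == ""  { print "EMPTY-PASSWORD " $1; bad = 1; next }
        $2 == def { print "DEFAULT-PASSWORD " $1; bad = 1; next }
        END { exit (bad ? 1 : 0) }
    ' "$file"
}

# Constructed sample file; the alice hash is a made-up 13-character value.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample, not a real deployment' \
    'nsadmin:CUdnvgBYocLSI:::::' \
    'guest::::::' \
    'alice:Zx1pQ9rTuvW2k:::::' > "$sample"
audit_nsperm_passwd "$sample" || echo "passwd file needs attention"
rm -f "$sample"
```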

<p>

<h3>Permission Settings</h3>

<p>

It is more secure to avoid using the nsperm module and use file-level
security for ADPs. If you must use the nsperm module, set appropriate
permissions records as follows:

<p>

<br>
  * Maintain the same permission records for GET and POST; they
 actually provide the same permissions.

<p>

<br>
  * Remove any permission records related to network publishing (PUT,
 DELETE, MKDIR, and BROWSE) for all users except nsadmin.

<p>

<br>
  * Keep in mind the inheritance rules for permission records. In
 general, a permission record for a directory also applies to the
 directories underneath it.

<p>


To define AOLserver permissions, create permission entries for them in
the perms file, which resides in the /modules/nsperm directory. The
default perms file does not contain any permission entries, but it
contains comments that explain how to add entries to the file.

<p>

For more information about setting permissions, see the "Permissions"
section.



<p>

<h2><a name=3>Recommended Security Modifications</a></h2>

<p>

The actions described in this section are recommended, but not
required, to ensure the security of systems running AOLserver.

<p>

<h3>AOLserver Version</h3>

<p>

In general, AOLserver versions 3.0 and higher should be used whenever
possible, because they are more secure than earlier versions of
AOLserver.

<p>
  * AOLserver can be run in a chroot environment.

<br>

  * The configuration file, which has a new Tcl format, is executed in
 a separate, temporary interpreter that is destroyed before startup
 begins. The configuration file memory buffer is then zeroed after
 parsing.

<br>

  * The nsd binary can be stored outside the root directory because
 AOLserver no longer locates and re-executes itself.

<br>

  * The configuration file can be stored outside the root directory,
 because AOLserver opens and reads the configuration file before
 running chroot().

<br>
  * The new nscp module, which allows connections only from localhost,
 provides a secure control port interface that allows ad hoc Tcl
 evaluation and other server administration features. For more
 information about the control port interface, see the "AOLserver's
 Control Port Interface" section.

<p>

<h3>Secure chroot Environment</h3>

<p>

AOLserver should be run in a secure chroot() environment whenever
possible.

<p>

In Versions 3.0 or higher, AOLserver supports a -r command line option
to run AOLserver in a chroot() environment. It provides the following
benefits:

<p>

<br>
  * The chroot() system call updates the process such that all
 absolute filenames are relative to a new root directory instead of
 the actual mounted file system.

<p>

<br>
  * The chroot() call is irrevocable. Once chroot() returns, the
 server cannot access any file above the new root directory.

<p>

<br>
  * Although it does not actually protect any of the underlying
 content, scripts, or protected databases, chroot() is the single
 most effective tool for protecting the server machine and
 sensitive information, such as user passwords and configuration
 files, from view.

<p>

To run AOLserver in a chroot() environment, you need only copy a few
files and directories to the new root directory. For example, on the
SGI platform, you would execute the following commands to create new
directories and copy the necessary files to them:
<p>

<pre>
mkdir $root/dev $root/tmp $root/etc
chmod 1777 $root/tmp
cd $root/dev; /dev/MAKEDEV generic usema
cp /etc/passwd /etc/resolv.conf $root/etc
</pre>

<p>

Then, you can run AOLserver with the -r option as in this example:
<pre>
nsd -t nsd.tcl -r $root
</pre>

<p>

For more information about the nsd command line, see the "AOLserver
Command Line" section.

<p>

<h3>Restricted Content</h3>

<p>

Determine whether any of the content available to an AOLserver in a
chroot() environment would be restricted. In general, AOLserver should
be read-only and everything it can read should be world-readable. This
allows the AOLserver administrator to ignore the nsperm module
altogether.

<p>

If any of the content available to AOLserver is restricted, the
AOLserver administrator needs to define the appropriate permissions
with the nsperm module. The administrator should be very clear which
areas are blocked off and know both the URL and METHOD for the
restricted areas.

<p>

It is preferable to allow the GET method for all URLs and have nothing
restricted accessible through AOLserver.
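
<p>

A check for a chroot tree built with the commands in the "Secure chroot Environment" section, combined with the read-only, world-readable rule from this section (an added example, not from the original guide). The finding labels are this example's own, and the demo tree is constructed.

```sh
#!/bin/sh
# Added example: verify the layout and permissions of an AOLserver chroot tree.
# Finding labels (MISSING-DIR, TMP-NOT-1777, ...) are not AOLserver output.

# check_chroot_tree ROOT
# Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
check_chroot_tree() {
    root=${1%/}
    findings=$(
        for d in dev tmp etc; do
            [ -d "$root/$d" ] || echo "MISSING-DIR $d"
        done
        for f in etc/passwd etc/resolv.conf; do
            [ -f "$root/$f" ] || echo "MISSING-FILE $f"
        done
        # tmp must carry mode 1777 (world-writable plus the sticky bit).
        if [ -d "$root/tmp" ] && [ -z "$(find "$root/tmp" -prune -perm -1777)" ]; then
            echo "TMP-NOT-1777"
        fi
        # Outside dev and tmp, content should be read-only and world-readable.
        find "$root" \( -path "$root/dev" -o -path "$root/tmp" \) -prune -o \
            ! -type l \( -perm -0002 -exec echo WORLD-WRITABLE {} \; -o \
            ! -perm -0004 -exec echo NOT-WORLD-READABLE {} \; \)
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree: tmp lacks mode 1777 and etc/resolv.conf is absent.
demo=$(mktemp -d) && chmod 755 "$demo"
mkdir "$demo/dev" "$demo/tmp" "$demo/etc"
chmod 755 "$demo/dev" "$demo/tmp" "$demo/etc"
echo 'nobody:x:99:99::/:' > "$demo/etc/passwd"
chmod 644 "$demo/etc/passwd"
check_chroot_tree "$demo" || echo "chroot tree needs attention"
rm -rf "$demo"
```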

<p>

<h3>Tcl Library</h3>

<p>

Limit the available Tcl functions to just those functions that are
needed by that particular AOLserver installation. Purge the Tcl
library of unnecessary functions. For example, if the site doesn't
send e-mail, remove the ns_sendmail procedures.

<p>

Some potentially unsafe commands you may want to consider removing
are:

<p>

<br>
  * File system related functions, such as open, read, and puts

<br>
  * The AOLserver ns_sock* Tcl functions

<br>
  * The Tcl 7.6 socket routines

<br>
  * The exec command

<br>
  * The file command, or at least the delete and rename features

<br>
  * The exit command

<p>

This code example disables the open command:
<p>
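<pre>
#include "tcl.h"

/* Forward declaration so AddCmds can reference the handler below. */
static int BadCmd(ClientData dummy, Tcl_Interp *interp, int argc, char **argv);

/* Replace the built-in "open" command with a stub that always fails. */
static int
AddCmds(Tcl_Interp *interp, void *arg) {
    Tcl_CreateCommand(interp, "open", BadCmd, NULL, NULL);
    return TCL_OK;
}

/* Handler for a disabled command: report its name and return an error. */
static int
BadCmd(ClientData dummy, Tcl_Interp *interp, int argc, char **argv) {
    Tcl_AppendResult(interp, "disabled command: ", argv[0], NULL);
    return TCL_ERROR;
}
</pre>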

<p>

<h3>Database Access</h3>

<p>

Database access should be restricted with read-only logins to the
server and queries through stored procedures. Stored procedure
capabilities were added to AOLserver in Version 3.0. Also, all ad hoc
database forms and system catalog query functions were removed in
Version 3.0.

<p>

For more information about the Tcl functions for stored procedures,
see the "ns_db" section of the AOLserver Tcl Developer's Guide. For
more information about the C functions for stored procedures, see the
"Stored Procedure Functions" section of the AOLserver C Developer's
Guide.

<p>

<h3>Control Port Interface</h3>

<p>

The control port interface should not be used unless absolutely
necessary. Although it is more secure than the /NS/Admin interface
from earlier AOLserver versions because it only allows connections
from localhost, it still poses a potential risk.

<p>

For more information about the control port interface, see the
"AOLserver's Control Port Interface" section.


<p>

</body>
</html>