ACLs on ZFS? Preventing "all pass" for user www

patpro

patpro

Hi all,

It can happen that a web site is compromised, then the apache user (www) is exploited by the hacker to perform other tasks on the server.
In order to slow the blackhat down, I would like to prevent www to access large portion of the filesystem. I don't want to setup a Jail, nor a chroot.
I'm running everything on ZFS, but it looks like ACLs are not available yet, on FreeBSD's ZFS…

I've ran this command on my server:

Code: 
sudo -u www find / -ls

just to find out what files/directories www can list. I've got a 1631555 lines long output to read now. Of course it does not mean that www can actually read the files, but it's still information.

Any idea?
 
patpro said:
It can happen that a web site is compromised, then the apache user (www) is exploited by the hacker to perform other tasks on the server.
In order to slow the blackhat down, I would like to prevent www to access large portion of the filesystem. I don't want to setup a Jail, nor a chroot.
Click to expand...
Not really much point to that, it more or less boils down to security through obscurity.

But what would work is limit the places where they can execute code. For example by denying this from within /tmp:

Code: 
breve:/home/peter $ zfs get exec,mountpoint zroot/tmp
NAME       PROPERTY    VALUE       SOURCE
zroot/tmp  exec        off         local
zroot/tmp  mountpoint  /tmp        inherited from zroot
Though I obviously agree that ACL's can be useful in this scenario as well (explicitly denying execute permissions for the www user).
 
ShelLuser said:
Not really much point to that, it more or less boils down to security through obscurity.
Click to expand...

I don't agree here. It's not obscurity, it's just another layer in the security cake (ie. proper filesystem access management). It would not resist a privilege escalation, but it would certainly block a script kiddie whose top skill is to infect web sites with php malware.

And by the way, ACLs are also a nice way to prevent www from running perl, gcc, and any other interpreter/compiler that a hacker could use.
 
You must log in or register to reply here.
Back
Top