Recently I've been helping with locking down Debian server for a friend to allow many untrusted users and websites to be let loose on the system without worrying too much about a system compromise and without the overhead of virtual servers.
Currently our software stack consists of:
- grsecurity for system & chroot hardening
- Global Apache instance
- Multiple Debian instances in /var/chroot created with debootstrap
- pam_chroot to jail individual users
- SuPHP (with chroot support)
Cron Support
Because we'd like users to have everything they'd normally use that means cron is a must-have feature, Vixie cron uses PAM on Debian so it can take advantage of individual user chroot preferences by default.
The only problem was: How do chrooted users edit their crontab? Simple, just bind mount the global cron spool inside each of the chroots, and we can avoid information leakage with correct directory permissions.
Currently each of the chroot environments has mounts setup which look like this:
proc-chroot /var/chroot/www/proc proc defaults 0 0 devpts-chroot /var/chroot/www/dev/pts devpts defaults 0 0 /var/spool/cron /var/chroot/www/var/spool/cron none bind 0 0
SuPHP
My only major gripe with SuPHP (and others like cgiwrap) is that they don't support PAM (or pam_chroot) which makes my life as a sysadmin much more difficult.
Our hacky workaround for this is to have one specific chroot for websites for PHP and CGI scripts to execute in, but I'll probably end up adding PAM support to cgiwrap and SuPHP out of sheer frustration with their inflexibility as it stands.
Automation
Unfortunately all this requires a few extra steps when creating the user to keep the system secure, and then a few more things to jail the new user in a chroot.
I'll be providing my scripts later on which move system users in and out of chroot environments while keeping the system regular with a helping of symlinks and tweaks.
Limited Directory Accounts
Sometimes we're required to setup new users with access to only a single directory (e.g. the templates directory of a web application) and this presents a problem: setup a full chroot for that user with only the required directory access? That's often way too much effort and overhead.
As a result we're still running a legacy FTP daemon which allows virtual chroot to a specific directory on a per-user or per-group basis.
Things To Do?
Other than PAM support for SuPHP and cgiwrap, the disk space overhead for each chroot is around 180mb which at any rate is quite costly. Ideally I would like to bring this down to under 5 MiB with the help of UnionFS or AuFS, this would also reduce the management overhead allowing us to maintain a single secure base chroot with possibly hundreds of others based on that.
Sending local e-mail from the main server to chrooted users works (when using the ~/Maildir format), however it's currently not possible to send e-mail from within a chroot until we have something like ssmtp setup to do local proxying to the main Exim instance.
Leave a Reply