OPS-11: OpenEdge ® and OS Security Gus Björklund Wizard [email protected].
© 2008 Progress Software Corporation
Please interrupt if you have a question.
“Be brief, for no discourse can please when too long.”
Miguel de Cervantes
“When I try to be brief, I become obscure.”
Quintus Horatius Flaccus
Topics
• Background
• Starting a Database Server
• Connecting To a Database
• Stopping a Database
• Database Utilities
• Advice
Background
Basic Database Environment
[Diagram: on the server machine, the db files, the shared memory space, the dbserver(s) and other files sit together. Self-serving 4GL apps (a 4gl client running 4GL code) run on the server machine and attach to shared memory directly. Remote 4GL apps (4gl client running 4GL code) and remote Java apps (a jvm running java code through the jdbc driver) reach the server over TCP/IP.]
OpenEdge and OS Security
The OpenEdge RDBMS is architected, designed, and implemented to be installed, started, run, and stopped under the system administrator’s account.
Security best practices recommend NOT running an application under the system administrator’s account.
OpenEdge 4GL applications can and should be run under normal user accounts.
Why Run As The System Administrator
The administrator can:
• Control any process (stop it, change its owner, …)
• Authenticate to user accounts
• Ignore resource access controls
• Ignore process limits
• Ignore system limits
The administrator is the 800 lb gorilla in the forest
Why Not to Run As the System Administrator
• IT denies access to the administrator account
• Prohibited by company policies or standards
• It is a non-auditable group account
• It is dangerous:
  – bypasses system protections
  – provides limitless hacking opportunities
Sometimes the forest cannot support an 800 lb gorilla
Comparing UNIX & Windows Administrators

You are:                                      UNIX                    Windows
The administrator when:                       uid = 0 (superuser²)    SID = S-1-5-domain-500 (Administrator)
The built-in¹ system account when:            N/A                     SID = S-1-5-18 (LOCAL_SYSTEM)
An administrator when:                        user-id = 0             member of group S-1-5-32-544
A member of the administrator’s group when:   system-dependent        member of group S-1-5-32-544 (Administrators)

1. Cannot log into built-in Windows accounts
2. superuser is the “root” account on Mac OS X, Linux, and UNIX
UNIX and Linux user IDs
Each process has 6 IDs:
• real user ID, real group ID
• effective user ID, effective group ID
• saved user ID, saved group ID
Child (fork’ed) processes inherit all six.
UNIX/Linux exec()
exec() of a program keeps the process’ 6 IDs UNLESS:
• the setuid bit of the program file is on
  – effective and saved uid are set to those of the file owner
• the setgid bit of the program file is on
  – effective and saved gid are set to those of the file group
The program then executes with different privileges than the invoking user:
• NOT the user’s real or effective uid/gid
• could be higher or lower!
UNIX, Linux authorisation and access control
• root (superuser), users, groups
• no-login accounts for daemons, etc.
• file and directory
  – protection masks (rwx for owner, group, other)
  – access control lists
• Login authentication (PAM)
  – user name, password or others
  – NIS, LDAP, SecurID, Kerberos, others (custom too)
• Limits on
  – processes, subprocesses
  – memory (address space, paging space, shared memory)
  – file handles, sockets, etc.
Windows authorisation and access control
Same as UNIX, plus:
• Login authentication
  – user name, Windows domain, password
  – Active Directory, SAM, others
• Registry Access Control Lists (ACLs)
• Windows Services privileges
• Windows Services – desktop restrictions
Also, like UNIX, limits on file handles, memory, processes, etc.
Comparing Access Control Systems

Resource            UNIX                                             Windows
Registry            -----                                            Registry ACLs
Shared memory       owner, group, other read/write                   Object ACLs
File system         owner, group, other rwx permissions, and ACLs    File system ACLs
Service / daemon    daemon                                           Windows service (Service ACLs)

UNIX daemons and Windows services are essentially the same thing
UNIX File & Directory access

Permission bit    On a file                  On a directory
Set user ID       Set effective user ID      No effect
Set group ID      Set effective group ID     New files get the directory’s group ID
User read         User read                  User can read (list) the directory
User write        User write                 User can remove/create files
User execute      User execute               User can search (traverse) the directory
Group r/w/x       Same as above, for members of the file’s group
Others r/w/x      Same as above, for everyone else
Comparing UNIX & Windows File Access

                      UNIX                                                Windows
Owner permissions     User read/write/execute, checked against the        Merged user & group file permissions: the ACL
                      process effective user id                           is evaluated against the process token (user
Group permissions     Group read/write/execute, checked against the       SID and all group SIDs together)
                      process effective group id
Others permissions    Others read/write/execute                           N/A
UNIX/Linux Interactive User Login Example
[Diagram: /bin/login authenticates through the PAM library, configured by /etc/pam.conf. Account lookups go through the system library as directed by /etc/nsswitch.conf: the local OS passwd/<shadow> files, NIS databases, LDAP, or RSA.]
Windows Login
Windows Interactive User Login Example
[Diagram: Winlogon calls the GINA .dll, which authenticates through the system library and the Registry against the local OS SAM, Active Directory, LDAP, or RSA.]
Starting a Database Server
(running _mprosrv)
OpenEdge Admin Server
[Diagram: the AdminServer runs in a jvm. A user connection to it is authenticated through the system library (nsswitch configuration, passwd/<shadow> and NIS databases on UNIX; Active Directory, SAM and the Registry on Windows). The AdminServer creates _mprosrv to start a database, and creates the ubroker (java), which in turn creates _proapsv (AppServer) and _progress (WebSpeed).]
Database Server Has To Be Able To
• Load shared libraries
• Open database files (ai, bi, and data extents)
• Create or open the database .lg file
• Create shared memory and semaphores
• Raise its ulimit, ignore the process size limit
• Read, write, and expand the files
• Create and use sockets
• Spawn subprocesses (servers)
• Send signals to all connected processes
Installed OpenEdge programs
The OpenEdge installer is run as root:
• executable files are owned by root
• the installer turns the setuid bit ON for many programs
• few actually require it!!!
Executing a setuid root program such as _mprosrv or _progres causes it to start executing with root’s privileges (uid 0, group 0).
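The slide says the installer sets the setuid bit on many programs and few need it, so the first thing to know on any install is which ones actually carry the bit and whose IDs they would acquire on exec(). The shell audit below is an added example (mine, not code from the presentation or from Progress) that applies the exec() rules from the earlier slide to every file under $DLC/bin; $DLC and the /usr/dlc fallback are assumptions.

```shell
#!/bin/sh
# Added example, not from the presentation: list the set-user-ID and
# set-group-ID programs under an OpenEdge install tree and report which
# owner uid/gid each one will acquire on exec(). $DLC is the OpenEdge
# install directory; the fallback /usr/dlc is an assumption.
DLC="${DLC:-/usr/dlc}"

# mode_of PATH -> the 10-character mode string from ls, e.g. -rwsr-xr-x
mode_of() { ls -ldn "$1" | cut -c1-10; }

# owner_uid PATH / owner_gid PATH -> numeric owner uid / gid (ls -n columns 3 and 4)
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }
owner_gid() { ls -ldn "$1" | awk '{print $4}'; }

# privileged_bins DIR -> one line per setuid/setgid file:
#   <path> <mode> euid=<owner uid|invoker> egid=<owner gid|invoker>
# "invoker" means exec() leaves that ID alone: the process keeps the
# real/effective ID of whoever ran it, as the exec() slide describes.
privileged_bins() {
    # -perm -u=s / -perm -g=s (POSIX symbolic form): that bit is set
    find "$1" -type f \( -perm -u=s -o -perm -g=s \) | sort | while read -r f; do
        m=$(mode_of "$f")
        case "$m" in
            ???[sS]*) u="euid=$(owner_uid "$f")" ;;     # 4th char is the user x slot
            *)        u="euid=invoker" ;;
        esac
        case "$m" in
            ??????[sS]*) g="egid=$(owner_gid "$f")" ;;  # 7th char is the group x slot
            *)           g="egid=invoker" ;;
        esac
        printf '%s %s %s %s\n' "$f" "$m" "$u" "$g"
    done
}

# setuid_root_bins DIR -> only the files that will start with euid 0,
# i.e. the ones that deserve the "does this really need root?" question
setuid_root_bins() {
    find "$1" -type f -perm -u=s -user root | sort
}

# Stand-alone use: audit the install tree
if [ "${1-}" = "--audit" ]; then
    privileged_bins "$DLC/bin"
    setuid_root_bins "$DLC/bin"
fi
```

Run it as `sh audit.sh --audit` after every install or service pack: the installer rewrites $DLC/bin, so any ownership or mode changes you made (later slides) need to be re-applied and re-checked.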
Starting the Database Server:
[Diagram: the user shell runs with real uid 123, effective uid 123, real gid 678, effective gid 678. It exec()s _mprosrv, which the OS system library finds to be set-user-id 0 and set-group-id 0. The resulting _mprosrv process has real uid 123, effective uid 0, real gid 678, effective gid 0.]
But: IF _mprosrv, instead of the default setuid root, is
• changed to setuid progress (user 233)
• changed to setgid dbadmin (group 543)
Starting the Database Server: when NOT setuid root
[Diagram: the user shell (real uid 123, effective uid 123, real gid 678, effective gid 678) exec()s _mprosrv, now set-user-id 233 and set-group-id 543. The resulting _mprosrv process has real uid 123, effective uid 233, real gid 678, effective gid 543.]
Starting the Database Server: Database File Access Controls
[Diagram: the OS security system checks _mprosrv (effective uid 123, effective gid 543) against the database files, which have user-access 123 and group-access 555. On UNIX the check is against the user read/write/execute, group read/write/execute and other read/write/execute bits; on Windows it is against the ACL’s allow entries, o:<sid>:<perm…> for the owner and g:<sid>:<perm…> for each group.]
Starting the Database Server: Buffer-pool Access Controls
[Diagram: _mprosrv (real uid 123) creates the shared-memory segment for a .db whose owner is 123 and group is 555. The OS security system gives the segment user-access (123) user read/write and group-access (555) group read/write. On Windows the equivalent is an ACL with allow entries o:<sid>:<rw> and g:<sid>:<rw>.]
Starting the Database Server: Changing System File Limits
[Diagram: the system ulimits carry a hard file-size limit and a hard number-of-files limit. _mprosrv asks the OS system library to raise them (hard file-size x 2GB, hard number-files y, …) so that it can open and extend all of the .db files.]
Connecting To a Database
(running _progres self-serving on the local system)
User has to be able to
• Execute _progres (or _prowin)
• Run OpenEdge 4GL programs
• Interact with 4GL programs
• Update data in the database
  – via 4GL programs only
• Print, email, etc. depending on the application
Users should NOT be able to
• Modify any executables or shared libraries
• Read, copy, or modify any production database files
• Run any database utilities
• Start or stop database servers
• Read or modify other users’ files
• Change configuration files
• Touch database server machines!
Sometimes we want:
• no access to a shell or other programs
• _progres started automatically when the user logs in to the system
Disaster
Self-serving client Has To Be Able To
• Load shared libraries
• Open database files
• Connect to shared memory and semaphores
• Read and write database files
• Read .p, .r, and other files
• Create new .r files
• Create temporary files
• Map shared procedure library files
• etc.
Starting Self-service ABL Clients: Connecting to the Buffer-pool
[Diagram: _progres, started setuid root, has effective uid 0 and effective gid 0 when it attaches to the shared-memory segment, whose user-access is 123 and group-access is 555. As root it passes the OS security system’s check whatever those owners are.]
Starting the ABL Clients: Removing Privileges
OpenEdge _progres (real uid 245, effective uid 0 → 245, real gid 597, effective gid 0):
• Lowers its uid after the startup parameters have been processed
• Cannot re-set itself to a more privileged state
• Does not lower its group-id
• [On Windows: does not remove privileges or ACEs]
Connecting To a Database
(running _progres with a network connection)
User has to be able to
• Execute _progres
• Run OpenEdge 4GL programs
• Interact with 4GL programs
• Communicate with the server over the network
• Print, email, etc. depending on the application
Network Client Has To Be Able To
• Load shared libraries
• Read and write database files
• Read .p, .r, and other files
• Create new .r files
• Create temporary files
• Map shared procedure library files
• etc.
NO special privileges required
What about AppServers and WebSpeed®?
Shutting Down A Database
(running _mprshut)
Stopping The Database
[Diagram: _mprshut (real uid 123, effective uid 0, real gid 678, effective gid 0) sends a signal through the OS system library to _mprosrv (real uid 123, effective uid 0, real gid 678, effective gid 0) and talks to it over OpenEdge IPC. The signal is permitted because the two processes’ IDs are equal.]
About Database Utilities
Database utilities need to be able to
• Load shared libraries
• Open database files
• Connect to shared memory and semaphores
• Read and write database files
• Create and delete database files
• Create temporary files
Offline Database Utilities
Many utilities can run in single-user mode (and some have to), i.e. with the database offline:
• Index rebuild
• Offline backup
• procopy
• etc.
They connect the same way as a single-user _progres.
Online Database Utilities
Many utilities can be run online, i.e. with the database in multi-user mode:
• dbanalysis
• prostrct add
• dbtool
• online backup
• etc.
They connect the same way as a self-serving _progres.
Advice
Advice
• Keep things simple
• Don’t mix AdminServer & command-line database utilities
• Do administration locally to avoid user authentication issues
  – OR: use ssh for remote access (putty on Windows)
• Start with “nothing is allowed”
Advice: Break the Administrator Habit
• Develop an access control plan
• Know the requirements for bypassing system limits
• Use your own user accounts and groups
• Make maximum use of group level access
• Reserve root access for installs, updates & emergencies
• Use the “sudo” utility
Advice: Learn sudo
sudo can be used to:
• allow limited root access
• allow limited access to other accounts
• limit access to specific commands
sudo can:
• log usage
• log attempted usage
• email when unauthorised attempts are made
Config file: /etc/sudoers. Read the man page. Example:
sudo more /etc/sudoers
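The three capabilities the slide lists (limited access to another account, a fixed set of commands, logging and mail on refused attempts) fit in a few lines of sudoers. The shell function below is an added example, not something from the presentation or from Progress: it writes such a fragment for a DBA group that may run only the database start/stop programs and the online utilities named in this deck, always as the unprivileged database account, and then hands the file to visudo for a syntax check. The names dbadmin and progress, the $DLC default /usr/dlc and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the presentation: generate a sudoers fragment
# that gives a DBA group exactly the commands it needs, run as the
# unprivileged database account, with every use and every refusal logged
# and refusals mailed to root. Group/account names (dbadmin, progress)
# and the $DLC default (/usr/dlc) are assumptions. Install the result
# under /etc/sudoers.d/ (or paste it in with visudo) only after
# check_sudoers accepts it.
DLC="${DLC:-/usr/dlc}"

# write_db_sudoers OUTFILE GROUP RUNAS_USER DLC
write_db_sudoers() {
    out="$1" grp="$2" runas="$3" dlc="$4"
    cat > "$out" <<EOF
# Database start/stop and the online utilities, nothing else: no shell,
# no editors, no wildcards in the command list.
Cmnd_Alias DBSTART = $dlc/bin/_mprosrv
Cmnd_Alias DBSTOP  = $dlc/bin/_mprshut
Cmnd_Alias DBUTIL  = $dlc/bin/dbtool, $dlc/bin/prostrct

# Record successful use, failed passwords and refused commands.
Defaults logfile="/var/log/sudo.log"
Defaults mail_badpass, mail_no_perms
Defaults mailto="root"

# Members of %$grp may run the aliased commands only as $runas, never as root.
%$grp ALL = ($runas) DBSTART, DBSTOP, DBUTIL
EOF
}

# check_sudoers FILE -> 0 if visudo accepts the syntax (or visudo is not
# installed on this host), non-zero on a syntax error.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; syntax not checked" >&2
    fi
}

# Stand-alone use: write the fragment to a staging file and check it
if [ "${1-}" = "--write" ]; then
    write_db_sudoers /tmp/dbadmin.sudoers dbadmin progress "$DLC" &&
    check_sudoers /tmp/dbadmin.sudoers
fi
```

The Runas list is what keeps this honest: a member of the group can start a database with `sudo -u progress /usr/dlc/bin/_mprosrv ...`, but `sudo /usr/dlc/bin/_mprosrv` (as root) is refused, logged, and mailed, because no entry grants root.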
Best Practices
Start with changing file & group ownership:
• Take away group and world access from
  – database files
  – database directories
  – backup files and directories
  – archived ai files and directories
• Take away world rwx from database utilities
• Create a database admin group
  – Add set-group-id to $DLC/bin programs as appropriate
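The list above and the earlier "when NOT setuid root" slides (a progress account and a dbadmin group instead of root) describe one procedure. The shell below carries it out end to end as an added example, mine rather than code from the presentation or from Progress: it re-owns a database directory, strips world access from everything in it, strips world rwx from the named utilities and makes them set-group-id to the DBA group, and finishes with an audit that should print nothing. The names progress and dbadmin, the /db/prod path and the $DLC default /usr/dlc are assumptions; chown/chgrp to identities other than your own needs root.

```shell
#!/bin/sh
# Added example, not from the presentation: apply the "Best Practices"
# slide to a database directory and to the OpenEdge utilities, then audit
# the result. The account/group names (progress, dbadmin), the /db/prod
# path and the $DLC default (/usr/dlc) are assumptions.
DLC="${DLC:-/usr/dlc}"

# harden_db_dir DIR OWNER GROUP
#   directories -> 770, files -> 660: the owner and the DBA group keep
#   access, "other" loses everything. Covers extents, the .lg file,
#   backups and archived ai files if they live under DIR.
harden_db_dir() {
    chown -R "$2:$3" "$1" || return 1
    find "$1" -type d -exec chmod 770 {} + &&
    find "$1" -type f -exec chmod 660 {} +
}

# harden_utilities BINDIR GROUP UTIL...
#   take world rwx away from the named utilities and make them
#   set-group-id GROUP (mode 2750): only DBA group members can run them,
#   and on exec() they get that group's gid instead of the invoker's.
harden_utilities() {
    bindir="$1" grp="$2"; shift 2
    for u in "$@"; do
        f="$bindir/$u"
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        chgrp "$grp" "$f" && chmod 2750 "$f" || return 1
    done
}

# world_accessible DIR -> every path under DIR that still grants "other"
# read, write or execute/search; empty output is the goal.
world_accessible() {
    find "$1" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) | sort
}

# mode_of PATH -> e.g. drwxrwx---
mode_of() { ls -ldn "$1" | cut -c1-10; }

# Stand-alone use (as root): harden /db/prod for progress:dbadmin, then audit
if [ "${1-}" = "--apply" ]; then
    harden_db_dir /db/prod progress dbadmin
    harden_utilities "$DLC/bin" dbadmin dbtool prostrct
    world_accessible /db/prod
    world_accessible "$DLC/bin/dbtool"
fi
```

Group read/write on the files is what the set-group-id utilities rely on; if only the progress account itself ever opens the database, 700/600 is stricter still and matches the slide’s first bullet literally. Either way the audit must come back empty, and it needs re-running after every OpenEdge install, since the installer resets ownership and modes under $DLC/bin.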
In Summary
• Server security requirements are increasing
• OpenEdge security depends on the OS security system
• Administrator requirements are few, and there are alternative methods
OS Security References:
• NSA Guides: http://www.nsa.gov/snac/
• Securing Red Hat Linux: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf
• Securing Windows Server 2003: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/win2003/MSCG-001R-2003.pdf
Questions