OPS-11: OpenEdge® and OS Security. Gus Björklund, Wizard, gus@progress.com.

Page 1:

OPS-11: OpenEdge® and OS Security

Gus Björklund, Wizard

gus@progress.com

Page 2:

© 2008 Progress Software Corporation

Please interrupt if you have a question.

Page 3:

“Be brief, for no discourse can please when too long.”

Miguel de Cervantes

Page 4:

“When I try to be brief, I become obscure.”

Quintus Horatius Flaccus

Page 5:

Topics

• Background
• Starting a Database Server
• Connecting To a Database
• Stopping a Database
• Database Utilities
• Advice

Page 6:

Background

Page 7:

Basic Database Environment

[Diagram of the server machine: the db files and other files on disk, the shared memory space, and the dbserver(s). Self-serving 4GL apps (4gl client running 4GL code) attach to shared memory directly on the server machine; remote 4GL apps (4gl client running 4GL code) and remote Java apps (jvm running java code through the jdbc driver) connect over TCP/IP to a server process.]

Page 8:

OpenEdge and OS Security

The OpenEdge RDBMS is architected, designed, and implemented to be installed, started, run, and stopped under the system administrator’s account.

Security best practices recommend NOT running an application under the system administrator’s account.

OpenEdge 4GL applications can and should be run under normal user accounts.

Page 9:

Why Run As The System Administrator

• Can control any process (stop, owner, …)
• Authenticate to user accounts
• Ignore resource access controls
• Ignore process limits
• Ignore system limits

The administrator is the 800 lb gorilla in the forest

Page 10:

Why Not to Run As the System Administrator

• IT denies access to administrator account
• Prohibited by company policies or standards
• A non-auditable group account
• It is dangerous …
  – Bypass system protections
  – Provides limitless hacking opportunities

Sometimes the forest cannot support an 800 lb gorilla

Page 11:

Comparing UNIX & Windows Administrators

You are:                               UNIX                     Windows
The administrator when:                uid = 0 (superuser²)     SID = S-1-5-domain-500 (Administrator)
The built-in¹ system account when:     N/A                      SID = S-1-5-18 (LOCAL_SYSTEM)
An administrator when:                 user-id = 0              member of group S-1-5-32-544
A member of the administrator’s group: system-dependent         S-1-5-32-544 (Administrators)

1. Cannot log into built-in Windows accounts
2. superuser is the “root” account on Mac OS X, Linux, and UNIX

Page 12:

UNIX and Linux user IDs

Each process has 6 IDs
• real user id, real group id
• effective user id, effective group id
• saved user id, saved group id

Child (fork’ed) processes inherit these

Page 13:

UNIX/Linux exec()

exec() of a program uses the process’ 6 IDs UNLESS
• setuid bit of program file is on
  – effective and saved uid set to that of file owner
• setgid bit of program file is on
  – effective and saved gid set to that of file group

Program executes with different privileges than the invoking user
• NOT the user’s real or effective uid/gid
• could be higher or lower!

Page 14:

UNIX, Linux authorisation and access control

• root (superuser), users, groups
• no-login accounts for daemons, etc.
• file and directory
  – protection masks (rwx for owner, group, other)
  – access control lists
• Login authentication (PAM)
  – user name, password or others
  – NIS, LDAP, SecurId, Kerberos, others (custom too)
• Limits on
  – processes, subprocesses
  – memory (address space, paging space, shared mem)
  – file handles, sockets, etc.

Page 15:

Windows authorisation and access control

Same as UNIX, plus
• Login authentication
  – User-name, Windows domain, password
  – Active Directory, SAM, others
• Registry Access Control Lists (ACL)
• Windows Services privileges
• Windows Services – desktop restrictions

Also, like UNIX, limits on file handles, memory, processes, etc.

Page 16:

Comparing Access Control Systems

Resource                   UNIX                                           Windows
Windows registry           -----                                          Registry ACLs
Shared memory              owner, group, other read/write                 Object ACLs
File system                owner, group, other rwx permissions, and ACLs  File system ACLs
daemon / Windows service   daemon                                         Service ACLs

UNIX daemons and Windows services are essentially the same thing

Page 17:

UNIX File & Directory access

Bit             File                      Directory
Set user ID     Set effective user ID     No effect
Set group ID    Set effective group ID    set new file group ID
User read       User read                 User read directory
User write      User write                User remove/create files
User execute    User execute              User search in PATH
Group read      Group read                Group read directory
Group write     Group write               Group remove/create files
Group execute   Group execute             Group search in PATH
Other read      Others read               Others read
Other write     Others write              Others write
Other execute   Others execute            Others execute

Page 18:

Comparing UNIX & Windows File Access

Checked against             UNIX                                        Windows
process effective user id   User read, User write, User execute         owner file permissions
process effective group id  Group read, Group write, Group execute      merged user & group file permissions
-                           Others read, Others write, Others execute   N/A, N/A, N/A

Page 19:

UNIX/Linux Interactive User Login Example

[Diagram: /bin/login calls the PAM Library (configured by /etc/pam.conf), which calls the System Library (configured by /etc/nsswitch.conf) to authenticate against the Local OS passwd/<shadow> files, NIS databases, LDAP, or RSA.]

Page 20:

Windows Login

Page 21:

Windoze Interactive User Login Example

[Diagram: Winlogon calls the GINA .dll, which calls the System Library (configured through the Registry) to authenticate against the Local OS SAM, Active Directory, LDAP, or RSA.]

Page 22:

Starting a Database Server

(running _mprosrv)

Page 23:

OpenEdge Admin Server

[Diagram: a user connection to the AdminServer (started by jvmStart) is authenticated through the System Library and its nsswitch configuration against passwd/<shadow> or NIS databases on UNIX, or [Active Directory], [SAM] and the [Registry] on Windows. The AdminServer creates _mprosrv (the database server) and ubroker (java); the broker creates _proapsv/_progress (AppServer/WebSpeed).]

Page 24:

Database Server Has To Be Able To

• Load shared libraries
• Open database files (ai, bi, and data extents)
• Create or open database .lg file
• Create shared memory and semaphores
• Raise its ulimit, ignore process size limit
• Read, write, expand the files
• Create and use sockets
• Spawn subprocesses (servers)
• Send signals to all connected processes

Page 25:

Installed OpenEdge programs

OpenEdge installer is run as root
• executable files are owned by root
• Installer turns setuid bit ON for many programs
• Few actually require it!!!

Executing a setuid root program such as _mprosrv or _progres causes it to start executing with root’s privileges (uid 0, group 0)
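The claim that the installer leaves the setuid bit on far more programs than need it is something to verify on each install rather than assume. The following POSIX shell audit is an added example, not from the presentation or from Progress: it lists every regular file under a directory that carries the set-user-id or set-group-id bit, the check to run against $DLC/bin before deciding which programs keep those bits. The demo directory, the program names in it and their modes are constructed for illustration; the actual modes in a real $DLC/bin depend on the installed release.

```shell
#!/bin/sh
# Added example: audit a directory for set-user-id / set-group-id executables.

# Print "setuid NAME" / "setgid NAME" for every regular file under $1 that has
# the corresponding bit. "-perm -4000" means "this bit must be set", whatever
# the other mode bits are, so 4755, 6755 and 4750 all match.
audit_set_id_bits() {
    {
        find "$1" -type f -perm -4000 | while IFS= read -r f; do
            printf 'setuid %s\n' "$(basename "$f")"
        done
        find "$1" -type f -perm -2000 | while IFS= read -r f; do
            printf 'setgid %s\n' "$(basename "$f")"
        done
    } | LC_ALL=C sort
}

# Constructed stand-in for $DLC/bin: four dummy scripts whose modes are chosen
# for the demo only (they are NOT the modes a real install uses).
make_demo_bin_dir() {
    d=$(mktemp -d)
    for p in _mprosrv _progres proutil _mprshut; do
        printf '#!/bin/sh\nexit 0\n' > "$d/$p"
    done
    chmod 4755 "$d/_mprosrv"    # set-user-id only
    chmod 6755 "$d/_progres"    # set-user-id and set-group-id
    chmod 2755 "$d/proutil"     # set-group-id only
    chmod 0755 "$d/_mprshut"    # no set-id bits
    printf '%s\n' "$d"
}

# Against a real install:  audit_set_id_bits "$DLC/bin"
# Self-contained demo:      sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_bin_dir)
    audit_set_id_bits "$demo"
    rm -rf "$demo"
fi
```

Each name the audit prints is a program whose effective uid or gid will differ from the caller's at exec time; the next slides show why that matters for _mprosrv and _progres in particular.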

Page 26:

Starting the Database Server:

[Diagram: the user shell (real uid 123, effective uid 123, real gid 678, effective gid 678) execs _mprosrv, whose file has set user id 0 and set group id 0; the OS System Library therefore starts _mprosrv with real uid 123, effective uid 0, real gid 678, effective gid 0.]

Page 27:

But: IF _mprosrv has

Instead of default setuid root:
• change to setuid progress (user 233)
• change to setgid dbadmin (group 543)

Page 28:

Starting the Database Server: when NOT setuid root

[Diagram: the user shell (real uid 123, effective uid 123, real gid 678, effective gid 678) execs _mprosrv, whose file now has set user-id 233 and set group-id 543; the OS System Library starts _mprosrv with real uid 123, effective uid 233, real gid 678, effective gid 543.]

Page 29:

Starting the Database Server: Database File Access Controls

[Diagram: _mprosrv (effective uid 123, effective gid 543) goes through the OS Security System to reach the Database Files. UNIX side: user-access (123): user read, user write, user execute; group-access (555): group read, group write, group execute; others-access: other read, other write, other execute. Windows side: ACL: allow o:<sid>:<perm…>, g:<sid>:<perm…>, g:<sid>:<perm…>, g:<sid>:<perm…>.]

Page 30:

Starting the Database Server: Buffer-pool Access Controls

[Diagram: _mprosrv (real uid 123) creates the Shared-memory through the OS Security System, with the same owner and group as the .db (owner 123, group 555). UNIX side: user-access (123): user read, user write; group-access (555): group read, group write. Windows side: ACL: allow o:<sid>:<rw>, g:<sid>:<rw>, g:<sid>:<rw>, g:<sid>:<rw>.]

Page 31:

Starting the Database Server: Changing System File Limits

[Diagram: _mprosrv asks the OS System Library to raise its file-size and number-files limits, up to the system ulimits (hard file-size x 2GB, hard number-files y, …), before opening the .db files.]

Page 32:

Connecting To a Database

(running _progres self-serving on local system)

Page 33:

User has to be able to

• Execute _progres (or _prowin)
• Run OpenEdge 4GL programs
• Interact with 4GL programs
• Update data in the database
  – via 4GL programs only
• print, email, etc. depending on application

Page 34:

Users should NOT be able to

• Modify any executables or shared libraries
• Read, copy, or modify any production database files
• Run any database utilities
• Start or stop database servers
• Read or modify other users’ files
• Change configuration files

Sometimes we want:
• no access to shell or other programs,
• _progres started automatically when user logs in to system

Touch database server machines!

Page 35:

Disaster

Page 36:

Self-serving client Has To Be Able To

• Load shared libraries
• Open database files
• Connect to shared memory and semaphores
• Read and write database files
• Read .p, .r, and other files
• Create new .r files
• Create temporary files
• Map shared procedure library files
• etc.

Page 37:

Starting Self-service ABL Clients: Connecting to the Buffer-pool

[Diagram: _progres, running with effective uid 0 and effective gid 0, connects through the OS Security System to the Shared-memory, which has user-access (123) and group-access (555).]

Page 38:

Starting the ABL Clients: Removing Privileges

OpenEdge _progres:
• Lowers uid after startup parameters executed
• Cannot re-set to a more privileged state
• Does not lower group-id
• [Does not remove privileges or ACEs]

[Diagram: _progres real uid 245, effective uid 0 → 245, real gid 597, effective gid 0.]
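To make the ID arithmetic of slides 13, 26, 28 and this one concrete, here is an added shell example (not from the presentation or from Progress) that models what exec() does to the six IDs for a given file mode, and what _progres then does when it lowers its uid. The uid/gid numbers (123/678, 233/543, 245/597) are the ones used on the slides; the function names and the privileged-id check are assumptions for the demo, and the script only simulates the rules in shell arithmetic rather than calling setuid() or exec().

```shell
#!/bin/sh
# Added example: simulate exec() of a set-id program and the later uid drop.

# exec_ids RUID RGID FILE_OWNER FILE_GROUP MODE
# Prints "ruid euid suid rgid egid sgid" for the new program image:
#  - set-user-id bit (04000) in MODE: effective and saved uid := FILE_OWNER
#  - set-group-id bit (02000) in MODE: effective and saved gid := FILE_GROUP
#  - otherwise all six IDs are inherited unchanged.
exec_ids() {
    m=$((0$5))            # leading 0 makes the shell read MODE as octal
    euid=$1
    egid=$2
    if [ $((m & 04000)) -ne 0 ]; then euid=$3; fi
    if [ $((m & 02000)) -ne 0 ]; then egid=$4; fi
    printf '%s %s %s %s %s %s\n' "$1" "$euid" "$euid" "$2" "$egid" "$egid"
}

# drop_uid RUID EUID SUID RGID EGID SGID
# What _progres does after its startup parameters are processed (slide 38):
# effective and saved uid go back to the real uid, so the privileged uid cannot
# be regained, while the three group IDs are left exactly as they were.
drop_uid() {
    printf '%s %s %s %s %s %s\n' "$1" "$1" "$1" "$4" "$5" "$6"
}

# privileged_ids "ruid euid suid rgid egid sgid"
# Succeeds (exit 0) when any effective or saved id is still 0, which is what a
# defender reviewing a process's credentials wants flagged.
privileged_ids() {
    set -- $1
    [ "$2" -eq 0 ] || [ "$3" -eq 0 ] || [ "$5" -eq 0 ] || [ "$6" -eq 0 ]
}

# Walk through the slides' numbers: shell user 123/678 starts _mprosrv, and
# user 245/597 starts a setuid-root _progres which then drops its uid.
demo() {
    echo "_mprosrv setuid root, setgid 0 (6755):      $(exec_ids 123 678 0 0 6755)"
    echo "_mprosrv setuid progress 233, setgid 543:   $(exec_ids 123 678 233 543 6755)"
    echo "_mprosrv with no set-id bits (0755):        $(exec_ids 123 678 0 0 0755)"
    after=$(drop_uid 245 0 0 597 0 0)
    echo "_progres after lowering its uid:            $after"
    if privileged_ids "$after"; then
        echo "  -> effective gid is still 0: group privilege was not dropped"
    fi
}
```

Run `demo` to see the three _mprosrv cases side by side; the last line shows why "does not lower group-id" on the slide deserves attention, since the client keeps gid 0 for the rest of its life.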

Page 39:

Connecting To a Database

(running _progres

with network connection)

Page 40:

User has to be able to

• Execute _progres
• Run OpenEdge 4GL programs
• Interact with 4GL programs
• Communicate with server over network
• print, email, etc. depending on application

Page 41:

Network Client Has To Be Able To

• Load shared libraries
• Read and write database files
• Read .p, .r, and other files
• Create new .r files
• Create temporary files
• Map shared procedure library files
• etc.

NO special privileges required

Page 42:

What about AppServers and WebSpeed®?

Page 43:

Shutting Down A Database

(running _mprshut)

Page 44:

Stopping The Database

[Diagram: _mprshut (real uid 123, effective uid 0, real gid 678, effective gid 0) reaches _mprosrv (real uid 123, effective uid 0, real gid 678, effective gid 0) in two ways: a Signal sent through the OS System Library, and OpenEdge IPC.]

Page 45:

About Database Utilities

Page 46:

Database utilities need to be able to

• Load shared libraries
• Open database files
• Connect to shared memory and semaphores
• Read and write database files
• Create and delete database files
• Create temporary files

Page 47:

Offline Database Utilities

Many utilities can run in single-user mode (and some have to), e.g. when the database is offline
• Index rebuild
• Offline backup
• procopy
• etc.

Connect same way as single-user _progres

Page 48:

Online Database Utilities

Many utilities can be run online (e.g. database is in multi-user mode)
• dbanalysis
• prostrct add
• dbtool
• online backup
• etc.

Connect same way as self-serving _progres

Page 49:

Advice

Page 50:

Advice

• Keep things simple
• Don’t mix AdminServer & command-line database utilities
• Do administration locally to avoid user authentication issues
  – OR: Use ssh for remote access (putty on Windows)
• Start with nothing is allowed

Page 51:

Advice: Break the Administrator Habit

• Develop access control plan
• Know requirement for bypassing system limits
• Use your own user accounts and groups
• Make maximum use of group level access
• Reserve root access to install, updates & emergencies
• Use the “sudo” utility

Page 52:

Advice: Learn sudo

sudo can be used to
• allow limited root access
• allow limited access to other accounts
• limit access to specific commands

sudo can
• log usage
• log attempted usage
• email when unauthorised attempts are made

config file: /etc/sudoers
Read the man page
Example:

sudo more /etc/sudoers
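An added example of the kind of sudoers configuration this slide is recommending (not from the presentation or from Progress): a drop-in fragment that lets members of a dbadmin group run a short list of OpenEdge commands as the progress account instead of root, logs every use to its own file, and mails on bad passwords or unauthorised attempts. The group dbadmin and user progress follow slide 27; the install path /usr/dlc, the log file, the mail address and the exact command list are assumptions for the demo and need adjusting to the site.

```shell
#!/bin/sh
# Added example: generate and install a sudoers drop-in for a database admin
# group. All names and paths below are assumptions, not OpenEdge defaults.

# dbadmin_sudoers_fragment DLC_DIR  -> prints the fragment on stdout
dbadmin_sudoers_fragment() {
    dlc=$1
    cat <<EOF
# dbadmin: limited OpenEdge administration via sudo (added example)
Defaults:%dbadmin logfile=/var/log/sudo-dbadmin.log
Defaults mail_badpass, mail_no_perms
Defaults mailto="secops@example.com"

Cmnd_Alias DBADMIN = $dlc/bin/proserve, $dlc/bin/proshut, \\
                     $dlc/bin/probkup, $dlc/bin/prostrct, \\
                     $dlc/bin/proutil

# members of dbadmin may run only those commands, and only as user progress
%dbadmin ALL = (progress) DBADMIN
EOF
}

# write_sudoers_fragment DLC_DIR TARGET_FILE
# Writes the fragment with the 0440 mode sudo expects for its config files.
write_sudoers_fragment() {
    dbadmin_sudoers_fragment "$1" > "$2"
    chmod 0440 "$2"
}

# check_sudoers_syntax FILE
# A fragment with a syntax error can lock every admin out, so check it with
# visudo before it lands in /etc/sudoers.d; warn if visudo is not installed.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; $1 was not syntax-checked" >&2
        return 1
    fi
}

# Report the mode string of a file as ls shows it (first 10 chars of ls -ld).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Real use (as root):
#   write_sudoers_fragment /usr/dlc /etc/sudoers.d/dbadmin
#   check_sudoers_syntax /etc/sudoers.d/dbadmin
```

With this in place a dbadmin member types `sudo -u progress /usr/dlc/bin/proserve ...`; anything outside the DBADMIN alias is refused, logged, and mailed, which is exactly the "log attempted usage" and "email when unauthorised attempts are made" behaviour on the slide.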

Page 53:

Best Practices

• Start with changing file & group ownership
• Take away group and world access from
  – database files
  – database directories
  – backup files and directories
  – archived ai files and directories
• Take away world xrw from database utilities
• Create a database admin group
  – Add set-group-id to $DLC/bin as appropriate
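The ownership and permission changes above, together with the file and shared-memory access controls of slides 29 and 30, as an added POSIX shell example (not from the presentation or from Progress): strip all "other" access from a database tree and hand it to the database admin group, give a utility the set-group-id bit with no world access, and verify that nothing world-accessible remains. The directory layout, file names and the group used are constructed for the demo; on a real system the group would be the dbadmin group the slide tells you to create.

```shell
#!/bin/sh
# Added example: apply the "take away world access" advice and verify it.

# List every path under $1 that still has any read/write/execute bit for "other".
find_world_accessible() {
    find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) | LC_ALL=C sort
}

# harden_db_tree DIR GROUP
# Database files, directories, backups and archived ai files: owned by the
# database admin group, rw for owner and group, nothing at all for others
# (matches the owner/group read-write layout of slides 29 and 30).
harden_db_tree() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 770 {} \;   # directories: owner/group rwx only
    find "$1" -type f -exec chmod 660 {} \;   # files: owner/group rw only
}

# restrict_utility PATH GROUP
# A database utility: no access for "other", and set-group-id to the admin
# group so it runs with that group's access to the database files.
restrict_utility() {
    chgrp "$2" "$1"
    chmod 2750 "$1"
}

# Report the mode string of a file as ls shows it (first 10 chars of ls -ld).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed stand-in for a database directory, with the loose modes a
# default umask leaves behind.
make_demo_db_tree() {
    d=$(mktemp -d)
    mkdir "$d/backup" "$d/ai"
    for f in sports.db sports.b1 sports.d1 backup/sports.bak ai/sports.a1; do
        : > "$d/$f"
    done
    chmod 775 "$d/backup" "$d/ai"
    chmod 664 "$d/sports.db" "$d/sports.b1" "$d/sports.d1"
    chmod 644 "$d/backup/sports.bak" "$d/ai/sports.a1"
    printf '%s\n' "$d"
}

# Real use:
#   harden_db_tree /db/sports dbadmin
#   restrict_utility "$DLC/bin/proutil" dbadmin
#   find_world_accessible /db/sports      # should print nothing
```

Run `find_world_accessible` after every change and keep it in a periodic check: an empty result is the only acceptable outcome for a production database tree.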

Page 54:

In Summary

• Server security requirements are increasing
• OpenEdge security depends on the OS security system
• Administrator requirements are few, and there are alternative methods

Page 55:

OS Security References:

NSA Guides: http://www.nsa.gov/snac/

Securing RedHat Linux: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf

Securing Windows Server 2003: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/win2003/MSCG-001R-2003.pdf

Questions