Mirroring NetBSD/Server Security Review

From NetBSD Wiki


Security Review

User/Group: cvsupin

UID: 501 GID: 501 - Valid homedir - No shell

cvsupin::501:501::0:0:CVSUP Client In:/home/cvsupin:/sbin/nologin

Group contains only itself:

 cvsupin:*:501:cvsupin

User/Group: cvsup

UID: 500 GID: 500 - No Directory - No Shell

cvsup::500:500::0:0:CVSUP Server:/nonexistent:/sbin/nologin

Group contains output protocol users:

cvsup:*:500:ftp,anoncvs,cvsup,www,nobody

User/Group: anoncvs

anoncvs:*************:502:502::0:0::/:/usr/pkg/cf/anoncvssh

- Directory = / (anoncvssh.c expects this)
- Shell = chroot shell

Group contains itself:

anoncvs:*:502:anoncvs

--- Input process ---

cvsup update runs as user "cvsupin" -- writes file/group perms as "cvsupin/cvsupin" recursively

rsync runs as root w/ --no-g --no-o; current files are either owned by root or cvsupin

Export filesystems are mounted noexec/nosuid (no 4000 mode files -- only within release tarballs?)

NOTE: AnonCVS seemed to need to write lock/state files during client reads (anoncvs needed write access to cvsupin-owned dirs?)

--- Output Daemons ---

HTTP

Apache runs as www user:

root      2425  0.0  0.8  4348  4028 ?     Ss   31Dec08  1:41.96 /usr/pkg/sbin/httpd -k start  
www       2970  0.0  0.4  4472  2116 ?     I     2:00PM  0:00.05 /usr/pkg/sbin/httpd -k start 

FTP

ProFTPD -- runs under chroot(2). Master process runs as nobody user:

nobody     765  0.0  0.3  1180  1420 ?     Ss   31Dec08  1:49.64 proftpd: proftpd: (accepting connections) 

Client connections run as ftp user:

ftp       6322  0.0  0.4  1192  2048 ?     S     8:45PM  0:00.01 proftpd: proftpd: ftp - localhost: anonymous/seklecki@: IDLE (proftpd)

RSYNC

Master process runs as root:

root     13639  0.0  0.1   432   388 ?     Ss   13Feb09  0:02.98 /usr/pkg/bin/rsync --daemon 

Client process runs as cvsup user:

cvsup     8693 13.2  0.7 27836  3684 ?     D     8:51PM  0:00.48 /usr/pkg/bin/rsync --daemon 

CVSUPD

Main processes and daemon seem to run as cvsup user per pkg/40706 rc.d script example:

cvsup    10938  0.0  0.2  1300  1068 ?     Is    9:01PM  0:00.02 /usr/pkg/sbin/cvsupd -e -C 8 -l @local0 -b /usr/pkg/etc/cvsup -s sup-client-scan-delta

AnonCVS

- Root sshd(8) process runs as root.
- Client processes run as anoncvs user:

anoncvs  12525 10.5  0.4  1016  2040 ?     S     9:11PM  0:00.68 cvs server 
anoncvs   4902  6.8  1.7  6748  8808 ?     S     9:11PM  0:00.48 sshd: anoncvs@notty 
anoncvs   1595  2.1  1.1  3816  5556 ?     Ss    9:11PM  0:00.21 cvs server 
root      2249  0.0  0.6   412  3260 ?     Ss    9:11PM  0:00.02 sshd: anoncvs [priv] 
root      1431  0.0  0.0   288     4 ?     IWs  31Dec08  3:23.71 /usr/sbin/sshd 
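
A check of the process ownership reviewed above, as an added example that is not part of the original wiki page: it reads BSD `ps aux` lines and reports any daemon process whose owner differs from the one recorded in this review. The sample lines are constructed from the listings above, and accepting a root-owned process only when it is a session leader (`s` in STAT) is an assumption of this example.

```python
import re

# Allowed non-root owners per daemon, as recorded in this review. The last
# field says whether a root-owned master process is expected for that daemon.
POLICY = [
    (re.compile(r"/httpd\b"), {"www"}, True),
    (re.compile(r"^proftpd:"), {"nobody", "ftp"}, False),
    (re.compile(r"/rsync --daemon"), {"cvsup"}, True),
    (re.compile(r"/cvsupd\b"), {"cvsup"}, False),
    (re.compile(r"^cvs server"), {"anoncvs"}, False),
    (re.compile(r"sshd"), {"anoncvs"}, True),
]

def audit(ps_lines):
    """Return (pid, user, command, reason) for each process that breaks POLICY."""
    findings = []
    for line in ps_lines:
        fields = line.split(None, 10)  # BSD `ps aux`: ten columns, then COMMAND
        if len(fields) < 11 or fields[0] == "USER":
            continue
        user, pid, stat, cmd = fields[0], int(fields[1]), fields[7], fields[10].strip()
        for pattern, owners, root_master in POLICY:
            if not pattern.search(cmd):
                continue
            # Assumption: only a session leader ("s" in STAT) is a real master.
            master = user == "root" and root_master and "s" in stat
            if user not in owners and not master:
                reason = "runs as root" if user == "root" else "unexpected owner"
                findings.append((pid, user, cmd, reason))
            break  # first matching daemon rule decides
    return findings

# Constructed sample modelled on the listings above; PIDs 2971, 10938 and
# 12525 are deliberate violations added for the demonstration.
SAMPLE = """\
root      2425  0.0  0.8  4348  4028 ?     Ss   31Dec08  1:41.96 /usr/pkg/sbin/httpd -k start
www       2970  0.0  0.4  4472  2116 ?     I     2:00PM  0:00.05 /usr/pkg/sbin/httpd -k start
root      2971  0.0  0.4  4472  2116 ?     I     2:00PM  0:00.05 /usr/pkg/sbin/httpd -k start
nobody     765  0.0  0.3  1180  1420 ?     Ss   31Dec08  1:49.64 proftpd: proftpd: (accepting connections)
root     13639  0.0  0.1   432   388 ?     Ss   13Feb09  0:02.98 /usr/pkg/bin/rsync --daemon
cvsup     8693 13.2  0.7 27836  3684 ?     D     8:51PM  0:00.48 /usr/pkg/bin/rsync --daemon
root     10938  0.0  0.2  1300  1068 ?     Is    9:01PM  0:00.02 /usr/pkg/sbin/cvsupd -e -C 8
cvsupin  12525 10.5  0.4  1016  2040 ?     S     9:11PM  0:00.68 cvs server
root      2249  0.0  0.6   412  3260 ?     Ss    9:11PM  0:00.02 sshd: anoncvs [priv]
""".splitlines()

if __name__ == "__main__":
    for pid, user, cmd, reason in audit(SAMPLE):
        print(f"{pid:>6} {user:<8} {reason:<16} {cmd}")
```
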

Security notes to check:

  • Can the input rsync process run as the cvsupin user?
    • Initial test on NetBSD confirms yes
  • Should we recompile anoncvssh to chroot() in /export0/nbsdcvs/ and /export1/fbsdcvs/ respectively?
  • Alternatively, run a chroot(8) version of sshd(8) in each of those prefixes?
  • Alternatively, should we run OpenCVS?