Protecting Plone from the Big, Bad Internet

Technology

Published on October 13, 2008

Author: ErikRose

Source: slideshare.net

Description

Steve McMahon and Erik Rose’s presentation on Plone security from Plone Conference 2008 in Washington, D.C.

Protecting Plone From The Big, Bad Internet
Steve McMahon, Reid-McMahon, LLC
Erik Rose, WebLion, Pennsylvania State University

<SteveM>

CVE Vulnerability Records (Common Vulnerabilities & Exposures)

So, why worry?

<Basics>

Defense in Depth

Single Wall Defense

Maginot Line

Failure of single wall defense

Proposition: Zope is our Maginot Line

CVE-2007-5741
Original release date: 11/07/2007
Last revised: 09/05/2008
Source: US-CERT/NIST
Overview: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
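As an added illustration (not code from the deck or from Plone), this is what a second wall behind a pickle-accepting endpoint looks like in Python 3: an Unpickler whose find_class refuses to resolve globals, so the data can carry plain values but cannot name a callable for REDUCE to invoke. The SAFE_BUILTINS whitelist and the sample inputs are constructed for the example.

```python
import builtins
import io
import pickle

# Builtins a GLOBAL opcode may name in data we accept; everything else is refused.
SAFE_BUILTINS = frozenset({"set", "frozenset", "range", "slice", "complex"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve arbitrary module.attribute references.

    The GLOBAL/STACK_GLOBAL opcodes let pickle data name any importable
    callable and have REDUCE invoke it; that is the primitive behind the
    pickle-based code execution in CVE-2007-5741. Every such lookup passes
    through find_class, so vetoing it there closes the hole.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden in untrusted pickle data" % (module, name))


def restricted_loads(data):
    """Load untrusted pickle bytes, permitting only plain data types."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_safely(data):
    """Return (True, value) or (False, reason) so a request handler can log
    and reject bad input instead of propagating an exception."""
    try:
        return True, restricted_loads(data)
    except (pickle.UnpicklingError, EOFError, ValueError, TypeError,
            AttributeError, IndexError) as exc:
        return False, str(exc)


# Constructed sample inputs (not taken from the deck): a status-message-like
# structure, and data that references a global callable. pickle.dumps of a
# function pickles it by reference, so the receiver must resolve builtins.len.
BENIGN = pickle.dumps({"type": "info", "message": "Saved.", "ids": [1, 2]})
GLOBAL_REF = pickle.dumps(len)

if __name__ == "__main__":
    print(loads_safely(BENIGN))      # (True, {'type': 'info', ...})
    print(loads_safely(GLOBAL_REF))  # (False, 'global builtins.len is forbidden ...')
```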

Principle of Least Privilege

</Basics>

Daemon Security

No Rights

Bad Example: Sendmail (1990s)
  [architecture diagram: a single sendmail process receives mail from the network and also handles local submission via /bin/mail and delivery to |command and /file/name targets; the starred components run with root privileges; the |command and /file/name destinations come from ~/.forward files owned by the recipient and from /etc/aliases; only the final local delivery step is executed as the recipient]

Good Example: Postfix Compartmentalization
  [architecture diagram, from Wietse Venema's "The Postfix mail server as a secure programming example": mail moves through separate smtpd server, smtp client, pickup (local submission), queue and local delivery processes; the legend distinguishes root privilege from postfix privilege, and most components, including the network-facing smtpd and smtp client processes, are marked unprivileged]

<Implementation>

<File & Process>

Typical Installation
  Process UID: Plone
  ./var, ./logs, ./parts, *.pyc    File Owner: Plone

Why is that so bad? The daemon can write into its own code space: anything that compromises the Zope process can rewrite the code it runs.

A Better Way
  Process UID: Plone
  ./parts, *.py*    File Owner: root
  ./var, ./logs     File Owner: Plone

Making it happen
  Pre-compile the .pyc files as root so the daemon never needs to write them: Python-2.4/lib/python2.4/compileall.py
  Via buildout: [precompile] recipe = plone.recipe.precompiler

Even Better: ZEO
  ZEO client: Process UID zclient; ./client-log    File Owner: zclient
  ./parts                                          File Owner: root
  ZEO server: Process UID zeo; ./var               File Owner: zeo
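An added check, not part of the deck or of any buildout recipe, that tests the "A Better Way" layout from the daemon's point of view: given the uid and groups the Zope process runs as, it reports every path under parts/ the daemon could write and every path under var/ or logs/ it could not. demo() builds a constructed tree owned by the current user (the example cannot chown to root) and audits it for two hypothetical daemon identities.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Could a process running as uid/gids write a file with this stat record?
    Same owner/group/other decision the kernel makes; uid 0 ignores mode bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_tree(root, daemon_uid, daemon_gids, expect_writable):
    """Paths under root (root itself included) whose writability for the daemon
    differs from what the layout requires. Symlinks are judged at their target."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and \
                    writable_by(st, daemon_uid, set(daemon_gids)) != expect_writable:
                findings.append(path)
    return findings

def audit_buildout(base, daemon_uid, daemon_gids):
    """The slide's layout: parts/ read-only for the daemon, var/ and logs/ writable."""
    return {sub: audit_tree(os.path.join(base, sub), daemon_uid, daemon_gids, ok)
            for sub, ok in (("parts", False), ("var", True), ("logs", True))
            if os.path.isdir(os.path.join(base, sub))}

def demo():
    """Constructed tree, every file owned by the current user as in the 'typical
    installation' slide, audited for two hypothetical daemon identities."""
    base = tempfile.mkdtemp(prefix="plone-audit-")
    for sub, files in (("parts", ["app.py", "app.pyc"]), ("var", ["Data.fs"]),
                       ("logs", ["instance.log"])):
        os.mkdir(os.path.join(base, sub))
        os.chmod(os.path.join(base, sub), 0o755)
        for name in files:
            path = os.path.join(base, sub, name)
            open(path, "w").close()
            os.chmod(path, 0o644)  # rw-r--r--: writable only by the owner
    me, gid = os.getuid(), os.getgid()
    as_owner = audit_buildout(base, me, {gid})          # daemon owns its own code
    as_other = audit_buildout(base, me + 1, {gid + 1})  # daemon is some other uid
    return as_owner, as_other
```

When the daemon owns the tree, demo() flags parts/ and both .py files; when it runs as another uid, parts/ is clean but var/ and logs/ are reported as unwritable, which is exactly the chown the slide calls for.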

Windows

</File & Process>
</Implementation>
</SteveM>

<Port Security>

Reverse Proxy
  [diagram: the evil, monstrous Internet talks only to Apache, which terminates SSL and proxies to Zope]

Listen Locally
  [diagram: Zope listens on 8080 on the loopback interface only, so Apache is the only way in from outside]
  zope.conf: ip-address 127.0.0.1
  To reach the loopback-only port from a workstation, tunnel it over SSH: ssh -L 3333:127.0.0.1:8080 fred@example.com -N
  ZEO likewise listens only on loopback, on 8100:
  zeo.conf: address 127.0.0.1:8100

Untrusted Local Users
  [diagram: on your server Zope (81) and ZEO (8100) listen on loopback; an "Evil Dude" with a local account can connect to them just as Apache does]
  Let only the Apache user talk to Zope, and only the Zope user talk to ZEO:
  iptables -A OUTPUT -p tcp --dport 81 -o lo -m owner ! --uid-owner www-data -j REJECT
  iptables -A OUTPUT -p tcp --dport 8100 -o lo -m owner ! --uid-owner zope -j REJECT

Privileged Ports
  [diagram: Zope (8080) and ZEO (8100) on your server; once the real Zope is gone from 8080, an "Evil Dude" with a local account starts an Evil Zope that also listens on 8080 and receives Apache's proxied requests. A port below 1024, such as the 81 used on the other slides, can only be bound by root.]
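An added example, not from the deck, that checks zope.conf/zeo.conf fragments for the two points above: every listening socket should be on the loopback interface, and (applying the privileged-port argument to every endpoint, not only Zope's) on a port below 1024 that an unprivileged local user cannot grab while the real daemon is down. It parses the ip-address and address directives as they appear on the slides; the config fragments are constructed.

```python
import ipaddress
import re

PRIVILEGED_MAX = 1023  # only root may bind ports 0-1023

# zope.conf: 'ip-address HOST' plus 'address PORT' inside <http-server>;
# zeo.conf: 'address HOST:PORT'.
DIRECTIVE = re.compile(r"^\s*(ip-address|address)\s+(\S+)", re.MULTILINE)

def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name localhost."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def endpoints(conf_text):
    """Yield (host, port) per listening socket. A bare 'address PORT' inherits
    the host from a preceding 'ip-address'; a host of None means every interface."""
    default_host = None
    for directive, value in DIRECTIVE.findall(conf_text):
        if directive == "ip-address":
            default_host = value
        elif ":" in value:
            host, port = value.rsplit(":", 1)
            yield host, int(port)
        else:
            yield default_host, int(value)

def audit_listen(conf_text):
    """Findings for a zope.conf/zeo.conf fragment: anything not bound to the
    loopback interface, and any port an unprivileged local user could bind."""
    findings = []
    for host, port in endpoints(conf_text):
        if host in (None, "", "0.0.0.0", "::"):
            findings.append("port %d listens on every interface" % port)
        elif not is_loopback(host):
            findings.append("port %d binds %s, reachable from beyond this host" % (port, host))
        if port > PRIVILEGED_MAX:
            findings.append("port %d is unprivileged: any local user can bind it "
                            "while the real daemon is down" % port)
    return findings

# Constructed fragments: a stock install, and the layout the slides arrive at.
STOCK_ZOPE = "<http-server>\n  address 8080\n</http-server>\n"
HARDENED_ZOPE = "ip-address 127.0.0.1\n<http-server>\n  address 81\n</http-server>\n"
SLIDE_ZEO = "address 127.0.0.1:8100\n"
```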

</Port Security>

<Within Zope>

PluggableAuthService (PAS)

WebServerAuth, a PluggableAuthService plugin
  Redirects to HTTPS (Challenge)
  Makes Zope believe the username header (Extraction, Authentication)
  Makes PAS behave (User Enumerator)

WebServerAuth: Apache configuration

  <VirtualHost *:443>
      ServerName www.example.com
      # Prompt for authentication:
      <Location />
          SSLRequireSSL
          AuthType Basic
          AuthName "My Funky Web Site"
          AuthUserFile /etc/such-and-such
          # (etc.)
          Require valid-user
          # Put the username (stored below) into the HTTP_X_REMOTE_USER
          # request header. This has to be in the <Location> block for
          # some Apache auth modules, such as PubCookie, which don't set
          # REMOTE_USER until very late.
          RequestHeader set X_REMOTE_USER %{remoteUser}e
      </Location>
      # Do the typical VirtualHostMonster rewrite, adding an E= option
      # that puts the Apache-provided username into the remoteUser
      # variable.
      RewriteEngine On
      RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
  </VirtualHost>

On the plain-HTTP virtual host, strip the header so a client cannot supply its own username:

  <VirtualHost *:80>
      ...
      RequestHeader unset X_REMOTE_USER
      ...
  </VirtualHost>

LDAP
  PloneLDAP + plone.app.ldap
  Users & groups in LDAP
  Create & delete through Plone
  Relax—written by Wiggy

Writing PAS Plugins
  PAS Reference Manual: http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages
  PASPlugins folder: https://svn.plone.org/svn/collective/PASPlugins
  NoGoChallenger: https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk
  Plugin interfaces: PluggableAuthService/interfaces/plugins.py
  Paster template: paster create -t plone_pas

Questions?
  Steve McMahon  Steve@dcn.org
  Erik Rose  ErikRose@psu.edu

Image Credits
  • Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
  • Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
  • Gate: Nuclear Power Plant Dungeness - Corey Holms 2008, CC Attribution
  • The Scream: Edvard Munch
  • Locks on door: Kansir, flickr, CC attribution license
  • Shrug: spamily, flickr, CC by A
  • What me worry? Rev. Voodoo, flickr, CC
  • Zope Pope photo: MrTopf, Attribution, NC
  • PB&J photo: Northern Miniatures
  • BSD Daemon: Created by Poul-Henning Kamp
  • Other photos: Wikimedia Commons
  • INTERCAL Numerical I/O lib: Brian Raiter
  • No Right Turn: greefus groinks' photostream, CC Attribution
  • Crown jewels of Denmark: King Christian IV

References
  • Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key
  • https://weblion.psu.edu/wiki/SecureZope

WebServerAuth: Advantages over apachepas + AutoMemberMaker
  • Redirects to HTTPS
  • No user clutter
  • Member and Authenticated roles are distinct
  • Sets up Log In link for you
  • Better test coverage; death to doctests
  • One product, not two
