[Dev] [servers] User/Group security

Luke Shumaker lukeshu at sbcglobal.net
Mon Nov 7 19:40:53 GMT 2016


I am in the process of auditing some security stuff on the servers.
Here are some notes I took.

Please comment if you have any insight.

Users:

 - http: The http server (nginx), and nothing else
 - keys: The program that acquires TLS certificates (certbot), and
         nothing else
 - nobody: Someone was too lazy to figure out the proper user to use

Groups:

It is important to understand that fundamentally, a group grants
permission to do something.

 - keys:
    * Grants users permission to read TLS private certificates.
 - http:
    * Grants users permission to invoke Mailman CGI scripts.
    * Probably other things too.
 - wheel:
    * Grants users permission to use `sudo`.
 - systemd-journal:
    * Grants users permission to read the full system journal.
 - log:
    * Grants users permission to read miscellaneous other logs
      (particularly the nginx logs).
 - git:
    * Grants users permission to SSH in to git@.
    * Probably other things too.
 - bzr:
    * Grants users permission to SSH in to bzr@.
    * Probably other things too.

Permissions:

 - Don't go overboard with `chmod o-rwx`.  If a file is :http, it's
   probably readable by literally the entire Internet.  There's no
   reason it shouldn't be readable by random local users.

   The list of things that shouldn't be world-readable is pretty
   small.

 - Avoid FACLs.  Yes, they are useful.  They are also confusing.
   Don't be clever.

 - The only files that should be owned by user=http are
   `/var/lib/nginx/`, `/var/log/nginx/`, and sockets of daemons (not
   running as `user=http`!) in `/run/`.

 - When deciding the owner of files, a good question to ask is "who
   may reasonably be expected to modify these files"?  If the answer
   is "nobody", then the owner should be 'root'.  If the answer is
   anyone else, the owner should be that user.

   * Exception A: SUID programs, obviously.

Stories:

 - On Winston, `/srv/http/winston.parabola.nu/` was owned by
   'lukeshu'.  Some other well-meaning admin `chown -R`ed it to
   http:http, made it non-world-readable, and finally used FACLs to
   give 'lukeshu' read/write access again.  Everything about those
   actions was wrong.  They were probably thinking "leaving these
   owned by a normal user is a bad idea" (false, but we'll get there).
   But, user=http (nginx) should not be modifying the files; chowning
   them to that granted nginx unnecessary privileges, which is bad.
   The files are all served statically over HTTP (except for sysinfo,
   which is a CGI script of no particular secrecy).  That is, the
   entire World Wide Web can read them, so there is no reason that
   local users shouldn't be able to; this just increases difficulty of
   administration and auditing.  As long as the files are readable by
   nginx (umask=0022, yo), they should be owned by who/whatever may
   modify them.  In this case, that happens to be lukeshu.  There is
   nothing wrong with that.

Action items:

 1. On Proton, some files in `/srv/mailman/` are owned by user=http,
    but I'm not sure that they should be.
 2. On Winston, `uwsgi@bzr` runs as uid=http.  This is bad.
 3. On Winston, `uwsgi@multimedia` runs as uid=http.  This is bad.
 4. On Winston, a whole bunch of files are owned by user=http.  This is
    bad.
 5. Answer "Probably other things too" questions above.
    5.a. What privilege is granted such that on Winston, nshd has been
         configured to put hackers into the 'http' group? (this was
         done on July 23rd by coadde)
 6. On Proton, why is nshd not being used?
 7. On Winston, why has parabola-hackers been configured to allow SSH
    to http@ (despite SSH to it being disabled via /usr/bin/nologin)?

--
Happy hacking,
~ Luke Shumaker
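
An added example, not part of Luke's message or of any Parabola tooling: a small POSIX sh audit script that mechanises the rules above (user=http should own only `/var/lib/nginx/`, `/var/log/nginx/` and sockets in `/run/`; group-http files need not be hidden from local users; services should not run as http; who is in which group). Assumptions not taken from the message: the service user is named "http", uwsgi apps are configured in `/etc/uwsgi/*.ini` (where uwsgi's `uid =` is set) and local units live in `/etc/systemd/system/`. The file checks read lines in the form GNU `find -printf '%M %u %g %y %p\n'` prints, so they can be run on a saved listing or on constructed test data.

```shell
#!/bin/sh
# Audit helpers for the user/group rules above.  Assumptions (not from the
# message): the service user is "http", uwsgi apps are configured in
# /etc/uwsgi/*.ini and local units live in /etc/systemd/system/.  The file
# checks read lines in the form GNU find prints for '%M %u %g %y %p'
# (symbolic mode, owner, group, type letter, path), so they can be run on
# a saved listing or on constructed test data.

# Report files owned by the service user that are not under the nginx
# state/log directories and are not sockets under /run/.
audit_http_owned() {
    owner="${1:-http}"
    while IFS=' ' read -r mode user group type path; do
        [ "$user" = "$owner" ] || continue
        case "$path" in
            /var/lib/nginx|/var/lib/nginx/*) continue ;;
            /var/log/nginx|/var/log/nginx/*) continue ;;
            /run/*) if [ "$type" = s ]; then continue; fi ;;
        esac
        printf 'owned-by-%s: %s %s\n' "$owner" "$mode" "$path"
    done
}

# Report group=http files that are not world-readable: nginx serves them to
# the whole Internet anyway, so taking o+r away only hinders local admins.
audit_needless_chmod() {
    while IFS=' ' read -r mode user group type path; do
        [ "$group" = http ] || continue
        case "$mode" in
            ???????r??) continue ;;   # 8th character of %M is the o+r bit
        esac
        printf 'hidden-from-locals: %s %s:%s %s\n' "$mode" "$user" "$group" "$path"
    done
}

# Value of KEY in [SECTION] of an INI-style file (systemd unit, uwsgi .ini),
# whitespace trimmed; prints nothing if the key is not set in that section.
ini_value() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line) }
        line ~ /^\[/ { in_sec = (line == sec); next }
        in_sec && index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1)
            v = substr(line, index(line, "=") + 1)
            gsub(/[[:space:]]+$/, "", k); gsub(/^[[:space:]]+/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# User a service is configured to run as: systemd User= in [Service], else
# uwsgi uid= in [uwsgi], else root (nothing drops privileges).  Drop-ins can
# override a unit file, so confirm on a live box with
# `systemctl show -p User NAME.service` or `ps -o user= -C uwsgi`.
service_user() {
    u=$(ini_value "$1" Service User)
    [ -n "$u" ] || u=$(ini_value "$1" uwsgi uid)
    printf '%s\n' "${u:-root}"
}

# Members of group $1 from `getent group` lines on stdin (name:x:gid:a,b).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; exit }'
}

# Whole-host run; needs root to stat everything.  Only runs when the script
# is invoked as `sh audit.sh live`.
live_audit() {
    tmp=$(mktemp)
    find / -xdev -printf '%M %u %g %y %p\n' 2>/dev/null > "$tmp"
    audit_http_owned     < "$tmp"
    audit_needless_chmod < "$tmp"
    rm -f "$tmp"
    for f in /etc/uwsgi/*.ini /etc/systemd/system/*.service; do
        [ -e "$f" ] || continue
        if [ "$(service_user "$f")" = http ]; then
            printf 'runs-as-http: %s\n' "$f"
        fi
    done
    for g in keys http wheel systemd-journal log git bzr; do
        printf 'group %s: %s\n' "$g" "$(getent group | group_members "$g")"
    done
    # getfacl -s -R / 2>/dev/null   # lists only files carrying extra ACLs
}

if [ "${1:-}" = live ]; then live_audit; fi
```

The two file checks deliberately take their input on stdin rather than walking the filesystem themselves, so one `find` run (or a listing copied off the server) feeds both, and the exemption list in `audit_http_owned` is exactly the one the message allows; anything it prints is a candidate for action item 4. `service_user` only reads static configuration, which is why the comment points at `systemctl show` and `ps` for the effective uid.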


