Protecting Plone from the Big, Bad Internet

Steve McMahon and Erik Rose’s presentation on Plone security from Plone Conference 2008 in Washington, D.C.

  1. Protecting Plone From The Big, Bad Internet. Steve McMahon, Reid-McMahon, LLC; Erik Rose, WebLion, Pennsylvania State University
  2. <SteveM>
  3. CVE Vulnerability Records: Common Vulnerabilities & Exposures
  7. So, why worry?
  8. <Basics>
  9. Defense in Depth
  11. Single Wall Defense
  12. Maginot Line
  17. Failure of single wall defense
  19. Proposition: Zope is our Maginot Line
  20. CVE-2007-5741 (original release date 11/07/2007, last revised 09/05/2008; source: US-CERT/NIST). Overview: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
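Added example (not from the slides and not Plone's own code): what "unpickles and executes" means in practice, and one way to carry per-user state through a cookie without handing the client a code path. The payload, the secret key and the message format are constructed for this example; the flag the payload sets stands in for the shell command a real attacker would run.

```python
"""Why unpickling network data is remote code execution, and a safe replacement.

Added example, not from CVE-2007-5741's affected modules.  The attacker's
payload below sets a flag instead of running a command, which is enough to
show that pickle.loads() *called* attacker-chosen code.
"""
import hashlib
import hmac
import json
import pickle

# Flipped by attacker-controlled code when it runs (constructed marker).
EXECUTED = {"ran": False}


def _attacker_payload():
    EXECUTED["ran"] = True
    return "owned"


class Exploit:
    # pickle records (callable, args) from __reduce__; loads() calls it.
    # Any importable callable works here (os.system, subprocess.call, ...).
    def __reduce__(self):
        return (_attacker_payload, ())


def craft_malicious_blob():
    """What the attacker sends: a pickle that runs code on load."""
    return pickle.dumps(Exploit())


# --- vulnerable pattern --------------------------------------------------
def vulnerable_load_messages(blob):
    """The pattern behind the CVE: trust the bytes, unpickle them."""
    return pickle.loads(blob)


# --- hardened pattern ----------------------------------------------------
def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode("ascii")


def dump_messages(messages, key):
    """Serialise with a format that cannot express code (JSON) and
    authenticate it with an HMAC under a server-side secret."""
    body = json.dumps(messages, separators=(",", ":")).encode("utf-8")
    return _mac(key, body) + b"." + body


def load_messages(blob, key):
    """Accept only blobs produced by dump_messages under our key, then
    type-check the result: authenticity does not imply the right shape."""
    mac, sep, body = blob.partition(b".")
    if not sep or not hmac.compare_digest(mac, _mac(key, body)):
        raise ValueError("message cookie failed authentication")
    data = json.loads(body.decode("utf-8"))
    if not isinstance(data, list) or not all(isinstance(m, str) for m in data):
        raise ValueError("unexpected message structure")
    return data


if __name__ == "__main__":
    print("vulnerable:", vulnerable_load_messages(craft_malicious_blob()), EXECUTED)
    key = b"server-side secret"
    print("hardened:", load_messages(dump_messages(["Item saved."], key), key))
```

The HMAC stops clients from forging or altering the blob; JSON stops a forged blob from being executable even if a key ever leaks. Both halves are needed: a signed pickle is still a pickle.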
  21. Principle of Least Privilege
  24. </Basics>
  25. Daemon Security
  26. No Rights
  27. Bad Example: Sendmail (1990s). (Architecture diagram.) One monolithic sendmail process, running with root privileges, receives from the network, sends to the network and handles local delivery; local submission goes through /bin/mail, which also uses root privileges. Delivery to |command pipes and to /file/name targets is driven by ~/.forward files owned by the recipient and by /etc/aliases; local delivery is executed as the recipient and writes the mailbox file.
  28. Good Example: Postfix Compartmentalization. (Architecture diagram, from Wietse Venema's "The Postfix mail server as a secure programming example".) The network-facing smtp client and smtpd server run unprivileged, as do the other programs that talk to the internet; local submission is collected by the unprivileged pickup daemon into the queue directories; only local delivery (mailbox, |command, /file/name) runs with root privilege; external transports such as uucp, fax and pager run with postfix privilege.
  30. <Implementation>
  31. <File & Process>
  32. Typical Installation: process UID plone; ./var, ./logs, ./parts and the *.pyc files are all owned by plone.
  34. Why is that so bad? The daemon can write into its own code space.
  36. A Better Way: process UID plone; ./parts and *.py* owned by root; ./var and ./logs owned by plone.
  37. Making it happen: byte-compile the code ahead of time as root, so the daemon never needs write access to produce *.pyc files. Either Python-2.4/lib/python2.4/compileall.py, or via buildout: [precompile] recipe = plone.recipe.precompiler
  39. Even Better: ZEO. The ZEO server process (UID zeo) owns ./var; the Zope client process (UID zclient) owns ./client-log; ./parts is owned by root.
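Added example (not from the slides; not part of Plone or buildout): an audit that walks an install tree and lists everything the daemon's uid could write, so the "A Better Way" and ZEO layouts above can be checked rather than assumed. The daemon uid 12345 and the throw-away tree are constructed for this example; point audit_writable at a real ./parts with the uid of your plone, zclient or zeo user.

```python
"""Audit an install tree for files and directories the daemon uid could write.

Added example, not part of Plone or buildout.  It applies the same
owner/group/other decision the kernel makes for a non-root process, so it
can be run as anyone (including root) while asking about the daemon's uid
rather than the caller's.
"""
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Would a process with this uid/gids be allowed to write to an entry
    with these stat results?  uid 0 bypasses mode bits entirely."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_writable(root, uid, gids=()):
    """Return sorted relative paths under root that the daemon could modify.

    Directories count too: a writable directory lets the daemon rename a
    new file over a root-owned one even though that file is read-only."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if writable_by(os.lstat(full), uid, gids):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


DAEMON_UID = 12345  # hypothetical uid of the 'plone' (or zclient) user


def build_demo_tree():
    """Construct a throw-away ./parts look-alike: one read-only module,
    one world-writable .pyc and one world-writable directory."""
    root = tempfile.mkdtemp(prefix="parts-")
    for name, mode in (("instance.py", 0o644), ("instance.pyc", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed for the example\n")
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "products"))
    os.chmod(os.path.join(root, "products"), 0o777)
    return root


def demo():
    """Audit the constructed tree as DAEMON_UID; the two bad entries show up."""
    return audit_writable(build_demo_tree(), DAEMON_UID, (DAEMON_UID,))


if __name__ == "__main__":
    for path in demo():
        print("daemon can write:", path)
```

Run it against ./parts after every buildout run: buildout itself rewrites parts, so ownership and modes must be re-applied (or buildout run as root with a restrictive umask) each time.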
  40. Windows
  43. </File & Process> </Implementation> </SteveM>
  44. <Port Security>
  45. Reverse Proxy: Internet (evil, monstrous) -> Apache -> Zope
  48. Reverse Proxy with SSL: Internet -> SSL -> Apache -> Zope
  49. Listen Locally: Zope listens on 8080 on the loopback interface only. zope.conf: ip-address 127.0.0.1
  52. Listen Locally: to reach the now-hidden port from elsewhere, tunnel over ssh instead of exposing it: ssh -L 3333:127.0.0.1:8080 fred@example.com -N
  53. Listen Locally, ZEO: ZEO listens on 8100 on loopback only. zeo.conf: address 127.0.0.1:8100
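Added example (not from the slides, and not Zope's own ZConfig parser): a small check that reads zope.conf and zeo.conf and reports any server whose address is not on loopback. The sample configs are constructed for this example; the section names in SERVER_SECTIONS are the listener sections a Plone 3 era zope.conf and zeo.conf can contain, and the parser handles only the subset of ZConfig syntax those files use.

```python
"""Audit zope.conf / zeo.conf for listeners that are not bound to loopback.

Added example, not Zope's ZConfig parser.  It understands the subset of
ZConfig used by zope.conf and zeo.conf: 'key value' lines, <section> ...
</section> blocks, '#' comment lines and '%' directives.  In zope.conf the
top-level 'ip-address' is the default host for every server whose 'address'
gives only a port; a bare port with no default means "every interface".
"""
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Section types that open a network listener (zope.conf servers, zeo.conf's <zeo>).
SERVER_SECTIONS = ("http-server", "ftp-server", "webdav-source-server",
                   "icp-server", "zeo")


def parse_zconfig(text):
    """Flatten ZConfig text into (section, key, value) triples.

    'section' is the lower-cased type of the innermost enclosing block
    (None at top level); '<zodb_db main>' counts as section 'zodb_db'."""
    triples, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#%":
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1].split()[0].lower())
        else:
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            triples.append((stack[-1] if stack else None, key, value))
    return triples


def split_address(value):
    """'host:port' -> (host, port); a bare 'port' -> ('', port)."""
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else ("", value)


def exposed_listeners(text):
    """Return [(section, host, port)] for each server not bound to loopback.

    An explicit host in 'address' wins; a bare port inherits the top-level
    'ip-address'; with neither, the server binds everything (shown as 0.0.0.0)."""
    triples = parse_zconfig(text)
    default_host = next((v for s, k, v in triples
                         if s is None and k == "ip-address"), "")
    exposed = []
    for section, key, value in triples:
        if section in SERVER_SECTIONS and key == "address":
            host, port = split_address(value)
            host = host or default_host
            if host not in LOOPBACK:
                exposed.append((section, host or "0.0.0.0", port))
    return exposed


# Constructed sample configs for the example.
BAD_ZOPE_CONF = """\
# no ip-address, so http-server binds every interface
%define INSTANCE /opt/plone/parts/instance
instancehome $INSTANCE
<http-server>
  address 8080
</http-server>
<eventlog>
  level info
  <logfile>
    path $INSTANCE/log/event.log
  </logfile>
</eventlog>
"""
GOOD_ZOPE_CONF = "ip-address 127.0.0.1\n<http-server>\n  address 8080\n</http-server>\n"
BAD_ZEO_CONF = "<zeo>\n  address 8100\n</zeo>\n"
GOOD_ZEO_CONF = "<zeo>\n  address 127.0.0.1:8100\n</zeo>\n"

if __name__ == "__main__":
    for name, conf in (("bad zope.conf", BAD_ZOPE_CONF), ("good zope.conf", GOOD_ZOPE_CONF),
                       ("bad zeo.conf", BAD_ZEO_CONF), ("good zeo.conf", GOOD_ZEO_CONF)):
        print(name, "->", exposed_listeners(conf) or "all listeners on loopback")
```

The check is static; confirm the running state as well (netstat -tlnp or ss -tlnp) after a restart, since a buildout rerun can regenerate zope.conf without the ip-address line.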
  58. Untrusted Local Users: Zope (81) and ZEO (8100) on your server. Binding to loopback keeps the internet out, but any local account (an "evil dude" with a shell on the box) can still connect to 127.0.0.1:81 and 127.0.0.1:8100.
  62. Fix: allow only the uid that should be talking to each port. iptables -A OUTPUT -p tcp --dport 81 -o lo -m owner ! --uid-owner www-data -j REJECT
  63. iptables -A OUTPUT -p tcp --dport 8100 -o lo -m owner ! --uid-owner zope -j REJECT (the owner match only sees locally generated packets, which is why these rules live in the OUTPUT chain on lo; anything already running as www-data or zope can of course still connect)
  65. Privileged Ports: Zope (8080) and ZEO (8100) on your server.
  67. With Zope down, only ZEO (8100) is listening.
  68. An evil local user starts an Evil Zope that also listens on 8080 and takes the real one's place: 8080 is an unprivileged port, so any local account can bind it, whereas ports below 1024 can only be bound by root.
  71. </Port Security> <Within Zope>
  72. PluggableAuthService (PAS)
  73. WebServerAuth, a PluggableAuthService plugin: redirects to HTTPS (Challenge); makes Zope believe the username header (Extraction, Authentication); makes PAS behave (User Enumerator).
  78. WebServerAuth, a PluggableAuthService plugin: the Apache side.
      <VirtualHost *:443>
          ServerName www.example.com
          # Prompt for authentication:
          <Location />
              SSLRequireSSL
              AuthType Basic
              AuthName "My Funky Web Site"
              AuthUserFile /etc/such-and-such
              # (etc.)
              Require valid-user
              # Put the username (stored below) into the HTTP_X_REMOTE_USER
              # request header. This has to be in the <Location> block for
              # some Apache auth modules, such as PubCookie, which don't set
              # REMOTE_USER until very late.
              RequestHeader set X_REMOTE_USER %{remoteUser}e
          </Location>
          # Do the typical VirtualHostMonster rewrite, adding an E= option
          # that puts the Apache-provided username into the remoteUser
          # variable.
          RewriteEngine On
          RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
      </VirtualHost>
  80. On the plain-HTTP virtual host, strip any X_REMOTE_USER header a client sends: Zope believes whatever arrives in that header, so it must only ever be set by Apache, and Zope's port 81 must be reachable through Apache alone.
      <VirtualHost *:80>
          ...
          RequestHeader unset X_REMOTE_USER
          ...
      </VirtualHost>
  81. LDAP: PloneLDAP + plone.app.ldap. Users & groups in LDAP; create & delete through Plone. Relax, it was written by Wiggy.
  86. Writing PAS Plugins
      PAS Reference Manual: http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages
      NoGoChallenger: https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk
      PASPlugins folder: https://svn.plone.org/svn/collective/PASPlugins
      Plugin interfaces: PluggableAuthService/interfaces/plugins.py
      Paster template: paster create -t plone_pas
  92. Questions? Steve McMahon, Steve@dcn.org; Erik Rose, ErikRose@psu.edu
      Image Credits
      Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
      Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
      Gate: Nuclear Power Plant Dungeness, Corey Holms 2008, CC Attribution
      The Scream: Edvard Munch
      Locks on door: Kansir, flickr, CC Attribution license
      Shrug: spamily, flickr, CC Attribution
      What me worry?: Rev. Voodoo, flickr, CC
      Zope Pope photo: MrTopf, Attribution, NC
      PB&J photo: Northern Miniatures
      BSD Daemon: created by Poul-Henning Kamp
      Other photos: Wikimedia Commons
      INTERCAL Numerical I/O lib: Brian Raiter
      No Right Turn: greefus groinks' photostream, CC Attribution
      Crown jewels of Denmark: King Christian IV
  93. References: Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key; https://weblion.psu.edu/wiki/SecureZope
  94. WebServerAuth advantages over apachepas + AutoMemberMaker: redirects to HTTPS; no user clutter; Member and Authenticated roles are distinct; sets up the Log In link for you; better test coverage, death to doctests; one product, not two.