Protecting Plone from the Big, Bad Internet
Steve McMahon and Erik Rose’s presentation on Plone security from Plone Conference 2008 in Washington, D.C.
Transcript of "Protecting Plone from the Big, Bad Internet"

  1. Protecting Plone From The Big, Bad Internet. Steve McMahon, Reid-McMahon, LLC; Erik Rose, WebLion, Pennsylvania State University
  2. <SteveM>
  3-6. CVE Vulnerability Records (Common Vulnerabilities & Exposures)
  7. So, why worry?
  8. <Basics>
  9-10. Defense in Depth
  11. Single Wall Defense
  12-16. Maginot Line
  17-18. Failure of single wall defense
  19. Proposition: Zope is our Maginot Line
  20. CVE-2007-5741. Original release date: 11/07/2007. Last revised: 09/05/2008. Source: US-CERT/NIST. Overview: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
  21-23. Principle of Least Privileges
  24. </Basics>
  25. Daemon Security
  26. No Rights
  27. Bad Example: Sendmail (1990s). [Architecture diagram; labels: from network, Sendmail*, to network, to |command**, to /file/name**, local submission, /bin/mail*, executed as recipient, local delivery, mailbox file. * uses root privileges. ** in ~/.forward files owned by recipient and in /etc/aliases]
  28-29. Good Example: Postfix Compartmentalization. [Architecture diagram; labels: smtp client, smtpd server, internet, pickup (local submission), queue directories, local delivery, local mailbox, |command, /file/name, external transports (uucp, fax, pager), other programs. Legend: root privilege, postfix privilege, privileged, unprivileged]
  30-31. <Implementation> <File & Process>
  32-33. Typical Installation. Process UID: Plone. File Owner: Plone for ./var, ./logs and ./parts (*.pyc)
  34-35. Why is that so bad? Daemon can write into its own code space.
  36. A Better Way. Process UID: Plone. ./parts (*.py*): File Owner root. ./var, ./logs: File Owner Plone
  37-38. Making it happen. Python-2.4/lib/python2.4/compileall.py. Via buildout:
        [precompile]
        recipe = plone.recipe.precompiler
  39. Even Better: ZEO. Process UIDs: zclient and zeo. ./client-log: File Owner zclient. ./parts: File Owner root. ./var: File Owner zeo
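An added check for the "A Better Way" layout (this is illustration code, not from the slides or from Plone): it walks a buildout tree and reports code files the daemon could change, either because the daemon's uid owns them or because they are group/world writable. The function names and the constructed sample tree are mine; the real install paths are whatever your buildout uses.

```python
import os
import stat
import sys
import tempfile

# What the daemon can load as code. *.pyc counts: compileall / the
# precompiler recipe write them once at install time, and a daemon that can
# rewrite them can plant code Python will import on the next restart.
CODE_SUFFIXES = (".py", ".pyc", ".pyo", ".so")


def daemon_writable_code(root, daemon_uid):
    """Sorted relative paths of code files under root that a process running
    as daemon_uid could change: owned by that uid (it can chmod them) or
    writable by group/other. Coarse on purpose: POSIX ACLs and supplementary
    group membership are not consulted."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(CODE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            others_can_write = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            if st.st_uid == daemon_uid or others_can_write:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def is_hardened(root, daemon_uid):
    """True when the daemon cannot write any code file under root, i.e. the
    slides' layout: ./parts owned by root, only ./var and ./logs owned by
    the daemon user."""
    return not daemon_writable_code(root, daemon_uid)


def build_sample_tree():
    """Constructed sample tree (not a real install): code under ./parts, data
    under ./var and ./log, all mode 0644 and owned by whoever runs this."""
    root = tempfile.mkdtemp(prefix="plone-layout-")
    for rel in ("parts/plone/app.py", "parts/plone/app.pyc",
                "var/Data.fs", "log/instance.log"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass
        os.chmod(path, 0o644)
    return root


if __name__ == "__main__":
    # Usage: python check_layout.py <buildout-root> <daemon-username>
    import pwd
    uid = pwd.getpwnam(sys.argv[2]).pw_uid
    for hit in daemon_writable_code(sys.argv[1], uid):
        print("daemon-writable code:", hit)
```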
  40. Windows
  41-43. </File & Process> </Implementation> </SteveM>
  44. <Port Security>
  45-48. Reverse Proxy. [Diagram: Evil, Monstrous Internet → SSL → Apache → Zope]
  49-51. Listen Locally. [Diagram: Zope on port 8080 behind Apache] zope.conf: ip-address 127.0.0.1
  52. Listen Locally. ssh -L 3333:127.0.0.1:8080 fred@example.com -N
  53-57. Listen Locally. [Diagram: ZEO on port 8100 behind Zope] zeo.conf: address 127.0.0.1:8100
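An added audit for the two "Listen Locally" settings (example code, not from the slides): it reads the ip-address directive from zope.conf and the address directive from zeo.conf and reports anything that is not loopback. The edge case it covers is a ZEO address with no host part (address 8100), which binds every interface; the sample config texts are constructed and the function names are mine.

```python
import ipaddress

# Constructed sample configs (not from a real install). The slides' fix is
# "ip-address 127.0.0.1" in zope.conf and "address 127.0.0.1:8100" in zeo.conf.
ZOPE_CONF_OPEN = "instancehome $INSTANCE\n<http-server>\n  address 8080\n</http-server>\n"
ZOPE_CONF_LOCAL = "ip-address 127.0.0.1\n<http-server>\n  address 8080\n</http-server>\n"
ZEO_CONF_OPEN = "<zeo>\n  address 8100   # no host part: every interface\n</zeo>\n"
ZEO_CONF_LOCAL = "<zeo>\n  address 127.0.0.1:8100\n</zeo>\n"


def directive_values(conf_text, name):
    """Values of every 'name value' line in a ZConfig-style file, comments stripped."""
    values = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name:
            values.append(parts[1].strip())
    return values


def parse_address(value):
    """Split a ZEO/Zope address into (host, port). host None means all interfaces."""
    if ":" in value:
        host, port = value.rsplit(":", 1)
        return (host or None, int(port))
    if value.isdigit():
        return (None, int(value))
    return (value, None)


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the literal name localhost; False for None."""
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"  # hostname; a real audit would resolve it


def audit(zope_conf, zeo_conf):
    """Findings for the two daemons' bind settings; an empty list means loopback only."""
    findings = []
    ips = directive_values(zope_conf, "ip-address")
    if not ips:
        findings.append("zope.conf: no ip-address, Zope listens on all interfaces")
    for ip in ips:
        if not is_loopback(ip):
            findings.append("zope.conf: ip-address %s is reachable from the network" % ip)
    for value in directive_values(zeo_conf, "address"):
        host, port = parse_address(value)
        if not is_loopback(host):
            findings.append("zeo.conf: address %s exposes ZEO port %s" % (value, port))
    return findings
```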
  58-61. Untrusted Local Users. [Diagram: Zope (81) and ZEO (8100) on Your Server; Evil Dude is a local user]
  62-64. Untrusted Local Users.
        iptables -A OUTPUT -p tcp --dport 81 -o lo -m owner ! --uid-owner www-data -j REJECT
        iptables -A OUTPUT -p tcp --dport 8100 -o lo -m owner ! --uid-owner zope -j REJECT
  65-66. Privileged Ports. [Diagram: Zope (8080) and ZEO (8100) on Your Server]
  67. Privileged Ports. [Diagram: only ZEO (8100) left on Your Server]
  68-70. Privileged Ports. [Diagram: Evil Dude's Evil Zope, also on 8080, beside ZEO (8100) on Your Server]
  71. </Port Security> <Within Zope>
  72. PluggableAuthService (PAS)
  73-76. WebServerAuth, a PluggableAuthService plugin. Redirects to HTTPS (Challenge). Makes Zope believe the username header (Extraction, Authentication). Makes PAS behave (User Enumerator)
  77-79. WebServerAuth, a PluggableAuthService plugin:
        <VirtualHost *:443>
          ServerName www.example.com

          # Prompt for authentication:
          <Location />
            SSLRequireSSL
            AuthType Basic
            AuthName "My Funky Web Site"
            AuthUserFile /etc/such-and-such
            # (etc.)
            Require valid-user

            # Put the username (stored below) into the HTTP_X_REMOTE_USER
            # request header. This has to be in the <Location> block for
            # some Apache auth modules, such as PubCookie, which don't set
            # REMOTE_USER until very late.
            RequestHeader set X_REMOTE_USER %{remoteUser}e
          </Location>

          # Do the typical VirtualHostMonster rewrite, adding an E= option
          # that puts the Apache-provided username into the remoteUser
          # variable.
          RewriteEngine On
          RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
        </VirtualHost>
  80. WebServerAuth, a PluggableAuthService plugin:
        <VirtualHost *:80>
          ...
          RequestHeader unset X_REMOTE_USER
          ...
        </VirtualHost>
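An added Python model (not the plugin's code and not from the slides) of why both Apache lines matter: RequestHeader set on :443 overwrites whatever the client sent, and RequestHeader unset on :80 drops it, so a header-trusting extraction plugin only ever sees a name Apache vouched for. Feeding client headers straight to extract_credentials, bypassing the proxy, models a connection that reaches Zope's port 81 directly, which is what the earlier Untrusted Local Users rules prevent; the function names are mine.

```python
# Header name as Zope sees it after Apache's "RequestHeader set X_REMOTE_USER".
HEADER = "HTTP_X_REMOTE_USER"


def proxy_to_zope(port, client_env, authenticated_user=None, strip_on_plain=True):
    """Model of the two vhosts above. On :443 Apache authenticates first
    (Require valid-user) and then overwrites X_REMOTE_USER with its own
    result; on :80 it unsets the header. Returns the environ forwarded to
    Zope, or None when Apache refused the request. strip_on_plain=False
    models a :80 vhost that forgot the unset line."""
    env = dict(client_env)
    if port == 443:
        if authenticated_user is None:
            return None  # 401 from Apache; the RewriteRule never runs
        env[HEADER] = authenticated_user  # "set" replaces any client value
    elif strip_on_plain:
        env.pop(HEADER, None)  # the "RequestHeader unset" line on :80
    return env


def extract_credentials(environ):
    """The extraction step of a header-trusting PAS plugin: believe the
    header if present. Safe only when every path to Zope goes through
    the proxy rules above."""
    login = environ.get(HEADER)
    return {"login": login} if login else {}


def login_seen_by_zope(port, client_env, authenticated_user=None, strip_on_plain=True):
    """End to end: which login Zope ends up trusting for one request."""
    env = proxy_to_zope(port, client_env, authenticated_user, strip_on_plain)
    if env is None:
        return None
    return extract_credentials(env).get("login")
```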
  81-85. LDAP: PloneLDAP + plone.app.ldap. Users & groups in LDAP. Create & delete through Plone. Relax—written by Wiggy
  86-91. Writing PAS Plugins
      • PAS Reference Manual: http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages
      • PASPlugins folder: https://svn.plone.org/svn/collective/PASPlugins
      • NoGoChallenger: https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk
      • Plugin interfaces: PluggableAuthService/interfaces/plugins.py
      • Paster template: paster create -t plone_pas
  92. Questions? Steve McMahon, Steve@dcn.org; Erik Rose, ErikRose@psu.edu
      Image Credits
      • Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
      • Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
      • Gate: Nuclear Power Plant Dungeness - Corey Holms 2008, CC Attribution
      • The Scream: Edvard Munch
      • Locks on door: Kansir, Flickr, CC attribution license
      • Shrug: spamily, Flickr, CC by A
      • What me worry? Rev. Voodoo, Flickr, CC Attribution, NC
      • Zope Pope photo: MrTopf
      • PB&J photo: Northern Miniatures
      • BSD Daemon: Created by Poul-Henning Kamp
      • Other photos: Wikimedia Commons
      • INTERCAL Numerical I/O lib: Brian Raiter
      • No Right Turn: greefus groinks' photostream, CC Attribution
      • Crown jewels of Denmark: King Christian IV
  93. References
      • Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key
      • https://weblion.psu.edu/wiki/SecureZope
  94. WebServerAuth: Advantages over apachepas + AutoMemberMaker
      • Redirects to HTTPS
      • No user clutter
      • Member and Authenticated roles are distinct
      • Sets up Log In link for you
      • Better test coverage; death to doctests
      • One product, not two