Protecting Plone from the Big, Bad Internet

Steve McMahon and Erik Rose’s presentation on Plone security from Plone Conference 2008 in Washington, D.C.

    Presentation Transcript

    • Protecting Plone From The Big, Bad Internet. Steve McMahon, Reid-McMahon, LLC; Erik Rose, WebLion, Pennsylvania State University
    • <SteveM>
    • CVE Vulnerability Records: Common Vulnerabilities & Exposures
    • So, why worry?
    • <Basics>
    • Defense in Depth
    • Single Wall Defense
    • Maginot Line
    • Failure of single wall defense
    • Proposition: Zope is our Maginot Line
    • CVE-2007-5741. Original release date: 11/07/2007. Last revised: 09/05/2008. Source: US-CERT/NIST. Overview: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
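The CVE above is the textbook case of one wall failing: pickle will import and call whatever global the stream names, so a module that unpickles network data hands the sender the interpreter. The following is an added example (not code from the presentation or from Plone) showing the two defensive options: refuse every global the stream names unless it is on an explicit allow-list, or, better, carry small records like status messages in a data-only format such as JSON that cannot name classes at all. The allow-list contents and the JSON record shape are invented for the example.

```python
import io
import json
import pickle

# Allow-list of (module, name) pairs a pickle stream may reference. Anything
# else is refused before it is imported, which is what closes the hole: the
# stream can no longer name a callable of its choosing.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to load global %s.%s from untrusted data" % (module, name))


def try_restricted_loads(data: bytes):
    """Deserialize `data` with the allow-list enforced.
    Returns (True, value) or (False, reason) so a caller can log rejections."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def status_message_to_json(message: str, kind: str = "info") -> bytes:
    """The better option when the payload is only ever data: a JSON document
    cannot name classes or functions. (The record shape is invented here.)"""
    return json.dumps({"message": message, "type": kind}).encode("utf-8")


def status_message_from_json(data: bytes) -> dict:
    """Parse and shape-check a record produced by status_message_to_json."""
    record = json.loads(data.decode("utf-8"))
    if not isinstance(record, dict) or set(record) != {"message", "type"}:
        raise ValueError("unexpected status message shape: %r" % (record,))
    return record


def constructed_samples():
    """Constructed inputs: a plain-data pickle, and one that names a class
    (collections.OrderedDict) that is not on the allow-list."""
    import collections
    return (pickle.dumps({"msg": "Changes saved.", "tags": {"info"}}),
            pickle.dumps(collections.OrderedDict(a=1)))


if __name__ == "__main__":
    plain, named_class = constructed_samples()
    print(try_restricted_loads(plain))
    print(try_restricted_loads(named_class))
    print(status_message_from_json(status_message_to_json("Changes saved.")))
```

The allow-list form is a last resort for data that must stay pickled; the first question to ask about any module that unpickles bytes it did not write itself is whether it can use JSON instead.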
    • Principle of Least Privilege
    • </Basics>
    • Daemon Security
    • No Rights
    • Bad Example: Sendmail (1990s). Diagram: a single Sendmail process* takes mail from the network and from local submission, and delivers to the network, to |command**, to /file/name**, to /bin/mail* (executed as recipient) and to the local mailbox file. (* uses root privileges; ** in ~/.forward files owned by recipient and in /etc/aliases)
    • Good Example: Postfix Compartmentalization. Architecture diagram labels: smtp client and smtpd server facing the internet (unprivileged); pickup (local submission); other programs; queue directories; local delivery to local mailbox, |command and /file/name; external transports (uucp, fax, pager). The legend distinguishes processes with root privilege, postfix privilege and no privilege.
    • <Implementation>
    • <File & Process>
    • Typical Installation. Process UID: Plone. File Owner: Plone for ./var, ./logs, ./parts and *.pyc.
    • Why is that so bad? Daemon can write into its own code space.
    • A Better Way. Process UID: Plone. File Owner root: ./parts, *.py*. File Owner Plone: ./var, ./logs.
    • Making it happen: Python-2.4/lib/python2.4/compileall.py. Via buildout:
      [precompile]
      recipe = plone.recipe.precompiler
    • Even Better: ZEO. Process UID zclient (client) and zeo (ZEO server). File Owner: ./client-log zclient, ./parts root, ./var zeo.
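The split the last three slides describe is easy to get wrong during upgrades, so it is worth checking mechanically: nothing under the code tree (./parts, *.py, *.pyc) may be writable by the daemon's uid or gid, while everything under its data trees (./var, ./logs) must be. This is an added example, not code from the presentation or from Plone; the instance layout it builds is constructed in a temporary directory, and because it cannot chown to root it models the hardened layout by auditing with a different (constructed) uid/gid than the file owner.

```python
import os
import shutil
import stat
import tempfile


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """True if a process running as uid/gid could write this inode."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def _walk_inodes(root):
    """Yield (relative path, lstat) for root, every directory and every file."""
    for dirpath, _dirs, files in os.walk(root):
        yield os.path.relpath(dirpath, root), os.lstat(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root), os.lstat(path)


def audit_code_tree(root: str, uid: int, gid: int) -> list:
    """Paths under the code tree (./parts) the daemon could modify. Directories
    count: a writable directory lets the daemon replace a read-only .py/.pyc."""
    return sorted(p for p, st in _walk_inodes(root) if writable_by(st, uid, gid))


def audit_data_tree(root: str, uid: int, gid: int) -> list:
    """Paths under a data tree (./var, ./logs) the daemon could NOT write;
    those would break the instance at run time."""
    return sorted(p for p, st in _walk_inodes(root) if not writable_by(st, uid, gid))


def build_constructed_instance(base: str) -> dict:
    """Constructed instance tree owned by the current user, files 0644 and
    directories 0755 (set explicitly so the umask does not matter)."""
    parts, var = os.path.join(base, "parts"), os.path.join(base, "var")
    os.makedirs(os.path.join(parts, "instance"))
    os.makedirs(var)
    for rel, payload in (("parts/instance/site.py", b"# code\n"),
                         ("parts/instance/site.pyc", b"\x00"),
                         ("var/Data.fs", b"")):
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(payload)
        os.chmod(os.path.join(base, rel), 0o644)
    for d in (parts, os.path.join(parts, "instance"), var):
        os.chmod(d, 0o755)
    return {"parts": parts, "var": var}


def demo() -> dict:
    """Audit the constructed tree two ways. With the daemon == the file owner
    we have the typical installation; with a different (constructed) uid/gid
    we have what a root-owned ./parts looks like from the daemon's side."""
    base = tempfile.mkdtemp(prefix="plone-audit-")
    try:
        tree = build_constructed_instance(base)
        me_uid, me_gid = os.getuid(), os.getgid()
        other_uid, other_gid = me_uid + 1, me_gid + 1  # constructed: another account
        return {
            "typical_code_writable": audit_code_tree(tree["parts"], me_uid, me_gid),
            "hardened_code_writable": audit_code_tree(tree["parts"], other_uid, other_gid),
            "data_unwritable": audit_data_tree(tree["var"], me_uid, me_gid),
            "misowned_data_unwritable": audit_data_tree(tree["var"], other_uid, other_gid),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %s" % (key, value or "none"))
```

On a real instance, run audit_code_tree over ./parts with the uid/gid from the process's effective-user setting and audit_data_tree over ./var and ./logs; either list being non-empty is a finding.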
    • Windows
    • </File & Process> </Implementation> </SteveM>
    • <Port Security>
    • Reverse Proxy. Diagram, built up from "Evil, Monstrous Internet → Zope" to: Evil, Monstrous Internet → SSL → Apache → Zope.
    • Listen Locally. Zope on 8080 behind Apache; zope.conf: ip-address 127.0.0.1. To reach the locally bound port from elsewhere, tunnel over SSH: ssh -L 3333:127.0.0.1:8080 fred@example.com -N
    • Listen Locally: ZEO on 8100; zeo.conf: address 127.0.0.1:8100
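A bind that silently reverts to all interfaces (a rebuilt zope.conf that lost its ip-address line, a zeo.conf with a bare port) undoes the whole reverse-proxy arrangement, so the setting deserves a check. This is an added example, not code from the presentation or from Zope: it scans zope.conf/zeo.conf text for the two directives the slides use and reports any bind reachable beyond the local host. Its reading of the directives is an assumption stated in the docstring, and the config fragments are constructed.

```python
import ipaddress
import re

# One directive per line: Zope's top-level "ip-address <host>" and the
# "address <host:port | port>" used by Zope's server sections and by ZEO.
LISTEN_RE = re.compile(r"^\s*(ip-address|address)\s+(\S+)", re.MULTILINE)


def parse_bind(value: str):
    """'127.0.0.1:8100' -> ('127.0.0.1', 8100); '8100' -> (None, 8100);
    a bare host -> (host, None). IPv4 or hostname only."""
    if ":" in value:
        host, port = value.rsplit(":", 1)
        return (host or None), int(port)
    if value.isdigit():
        return None, int(value)
    return value, None


def is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_listeners(conf_text: str, name: str) -> list:
    """Return a finding per bind that is reachable beyond the local host.
    Assumption: a bare-port 'address' inherits 'ip-address' when one is set
    and otherwise binds every interface; zeo.conf has no ip-address, so a
    bare port there is always open."""
    directives = LISTEN_RE.findall(conf_text)
    pinned_local = any(is_loopback(v) for d, v in directives if d == "ip-address")
    findings = []
    for directive, value in directives:
        if directive == "ip-address":
            if not is_loopback(value):
                findings.append("%s: ip-address %s is not loopback" % (name, value))
            continue
        host, port = parse_bind(value)
        if host is None and not pinned_local:
            findings.append("%s: address %s has no host and no loopback ip-address, "
                            "so port %s is bound on all interfaces" % (name, value, port))
        elif host is not None and not is_loopback(host):
            findings.append("%s: address %s binds %s, reachable beyond localhost"
                            % (name, value, host))
    return findings


# Constructed config fragments (not from any real instance).
WEAK_ZOPE_CONF = """\
instancehome $INSTANCE
<http-server>
  address 8080
</http-server>
"""
GOOD_ZOPE_CONF = """\
instancehome $INSTANCE
ip-address 127.0.0.1
<http-server>
  address 8080
</http-server>
"""
WEAK_ZEO_CONF = "<zeo>\n  address 8100\n</zeo>\n"
GOOD_ZEO_CONF = "<zeo>\n  address 127.0.0.1:8100\n</zeo>\n"


if __name__ == "__main__":
    for label, text, fname in (("weak zope", WEAK_ZOPE_CONF, "zope.conf"),
                               ("good zope", GOOD_ZOPE_CONF, "zope.conf"),
                               ("weak zeo", WEAK_ZEO_CONF, "zeo.conf"),
                               ("good zeo", GOOD_ZEO_CONF, "zeo.conf")):
        print(label, audit_listeners(text, fname) or "listens locally")
```

Feed it the real files from the instance's parts directory after every buildout run; a non-empty result means the port is open to the network regardless of what the reverse proxy does.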
    • Untrusted Local Users. Diagram: Zope (81) and ZEO (8100) on Your Server, with an Evil Dude who has a local account. Restrict which local uid may connect to each loopback port:
      iptables -A OUTPUT -p tcp --dport 81 -o lo -m owner ! --uid-owner www-data -j REJECT
      iptables -A OUTPUT -p tcp --dport 8100 -o lo -m owner ! --uid-owner zope -j REJECT
    • Privileged Ports. Diagram build: Zope (8080) and ZEO (8100) on Your Server; then Zope is gone and only ZEO (8100) remains; then the Evil Dude's Evil Zope is listening (also 8080) next to ZEO (8100). [The slide shows a screenful of INTERCAL source as the Evil Zope; see the image credits.]
    • </Port Security> <Within Zope>
    • PluggableAuthService (PAS)
    • WebServerAuth, a PluggableAuthService plugin. Redirects to HTTPS (Challenge). Makes Zope believe the username header (Extraction, Authentication). Makes PAS behave (User Enumerator).
    • WebServerAuth, a PluggableAuthService plugin: Apache configuration
      <VirtualHost *:443>
        ServerName www.example.com
        # Prompt for authentication:
        <Location />
          SSLRequireSSL
          AuthType Basic
          AuthName "My Funky Web Site"
          AuthUserFile /etc/such-and-such
          # (etc.)
          Require valid-user
          # Put the username (stored below) into the HTTP_X_REMOTE_USER
          # request header. This has to be in the <Location> block for
          # some Apache auth modules, such as PubCookie, which don't set
          # REMOTE_USER until very late.
          RequestHeader set X_REMOTE_USER %{remoteUser}e
        </Location>
        # Do the typical VirtualHostMonster rewrite, adding an E= option
        # that puts the Apache-provided username into the remoteUser
        # variable.
        RewriteEngine On
        RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
      </VirtualHost>
    • WebServerAuth, a PluggableAuthService plugin: the plain-HTTP virtual host
      <VirtualHost *:80>
        ...
        RequestHeader unset X_REMOTE_USER
        ...
      </VirtualHost>
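The two virtual hosts above define a trust boundary: only the proxy may assert X_REMOTE_USER, it sets the header from its own authentication result on :443 and strips it on :80, and Zope believes the header only because nothing but the proxy can reach port 81 (the "Listen Locally" slides). The following is an added example, not code from the presentation or from the WebServerAuth product, that models that boundary so the three cases can be checked side by side. The function names and the request headers are constructed; the one caveat it adds is that the strip compares header names the way CGI does (case-insensitive, hyphen folded to underscore), since Zope sees HTTP_X_REMOTE_USER for either spelling.

```python
from typing import Optional

# Header the proxy asserts after authenticating the client (the page's spelling).
ASSERTED_HEADER = "X_REMOTE_USER"


def _cgi_name(header: str) -> str:
    """Normalise the way CGI does: case-insensitive, '-' folded to '_'. Zope
    sees HTTP_X_REMOTE_USER for 'X-Remote-User' too, so the strip must cover
    every spelling."""
    return header.upper().replace("-", "_")


def proxy_request(client_headers: dict, authenticated_user: Optional[str], tls: bool) -> dict:
    """Headers the proxy forwards to Zope. A client-supplied X_REMOTE_USER is
    always dropped (the 'RequestHeader unset' on :80, and the 'set' that
    overrides it on :443); the proxy's own authentication result is added only
    over TLS, mirroring SSLRequireSSL + Require valid-user."""
    forwarded = {k: v for k, v in client_headers.items()
                 if _cgi_name(k) != ASSERTED_HEADER}
    if tls and authenticated_user:
        forwarded[ASSERTED_HEADER] = authenticated_user
    return forwarded


def extract_login(headers: dict, peer_is_proxy: bool) -> Optional[str]:
    """The extraction step reduced to its trust decision: believe the header
    only for requests that arrived from the proxy. 'Listen Locally' is what
    makes peer_is_proxy true for every request in practice."""
    if not peer_is_proxy:
        return None
    for key, value in headers.items():
        if _cgi_name(key) == ASSERTED_HEADER and value.strip():
            return value.strip()
    return None


def walk_through() -> dict:
    """Constructed requests covering the cases that matter."""
    client_supplied = {"Host": "www.example.com", "X-Remote-User": "admin"}
    h80 = proxy_request(client_supplied, None, tls=False)    # anonymous on :80
    h443 = proxy_request(client_supplied, "fred", tls=True)  # Apache authenticated fred
    return {
        "anonymous": extract_login(h80, peer_is_proxy=True),
        "authenticated": extract_login(h443, peer_is_proxy=True),
        "not_from_proxy": extract_login(h443, peer_is_proxy=False),
        "forwarded_on_80": h80,
    }


if __name__ == "__main__":
    for case, result in walk_through().items():
        print("%-16s %r" % (case, result))
```

The model makes the dependency explicit: the header scheme is only as strong as the guarantee that every request at port 81 came through the proxy, which is why the port-security slides and this section belong together.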
    • LDAP: PloneLDAP + plone.app.ldap. Users & groups in LDAP. Create & delete through Plone. Relax—written by Wiggy.
    • Writing PAS Plugins
      PAS Reference Manual: http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages
      PASPlugins folder: https://svn.plone.org/svn/collective/PASPlugins
      Plugin interfaces: PluggableAuthService/interfaces/plugins.py
      NoGoChallenger: https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk
      Paster template: paster create -t plone_pas
    • Questions? Steve McMahon, Steve@dcn.org; Erik Rose, ErikRose@psu.edu
      Image Credits
      • Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
      • Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
      • Gate: Nuclear Power Plant Dungeness, Corey Holms 2008, CC Attribution
      • The Scream: Edvard Munch
      • Locks on door: Kansir, flickr, CC attribution license
      • Shrug: spamily, flickr, CC by A
      • What me worry? Rev. Voodoo, flickr, CC
      • Zope Pope photo: MrTopf, Attribution, NC
      • PB&J photo: Northern Miniatures
      • BSD Daemon: Created by Poul-Henning Kamp
      • Other photos: Wikimedia Commons
      • INTERCAL Numerical I/O lib: Brian Raiter
      • No Right Turn: greefus groinks' photostream, CC Attribution
      • Crown jewels of Denmark: King Christian IV
    • References
      • Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key
      • https://weblion.psu.edu/wiki/SecureZope
    • WebServerAuth: Advantages over apachepas + AutoMemberMaker. Redirects to HTTPS. No user clutter. Member and Authenticated roles are distinct. Sets up Log In link for you. Better test coverage (death to doctests). One product, not two.