OpenBSD Journal

OpenBSD in an ISP environment?

Contributed by jose on from the httpland-security dept.

Wouter asks: "Hello Deadly.org,

I hope it's right I can ask through this way to the visitors of deadly.org a question: can OpenBSD be used for an ISP environment? For example, is it possible to fully use CGI in the chrooted apache, and just all the other things you need as an ISP? It is of course also very important users can't read each other's files with php/cgi.

I think one of the biggest questions is: should I run apache chrooted or not?

If it is possible to use it in an ISP environment, does somebody maybe have a nice collection of documents which is completely dedicated to this topic?"

As suggested in the http chroot FAQ, some users will probably want to disable the chroot functionality of httpd to enable their cgi-bin programs to work. However, this defeats a significant portion of the security for this kind of setup. Anyone care to share their recipes for setups like PHP, Perl, and other cgi-bin content keeping httpd chroot enabled?



Comments
  1. By henkjan () avatar@tweakers.net on

    OpenBSD can be used for an ISP environment
    check:
    http://www.openbsd.org/users.html#isp

  2. By kp () on

    more recipes for webservers would most help me. we've been converting from M$ servers for a few years now, after our hosting company opened in 1996 with all windows machines. i love the blowfish on DNS, email, and ftp servers. it's also the best firewall around IMHO, and looks great for simple webservers. when it comes to complex content on a webserver, it downright hurts. oh, and don't even ask about frontpage extensions. in short, so far we haven't been able to make openBSD boxen dance like our microsoft webservers. everywhere we can use it, however, cuts costs and lowers the staff's blood pressure. we'll always be on the lookout for more how-to's on "fancy" openbsd webservers

  3. By Aasmund () on

    What you are asking for is probably not possible. Because if you want people not to be able to look at each other's files, the processes will need to run as the users themselves, which again would mean the webserver would need su privileges which makes the chroot not very useful.

    Regards.

  4. By no_more_stability () on

    Hello,

    I run small ISP on OpenBSD from version 2.5. There were no problems at all. But when we switched to OpenBSD 3.3 big problems arrived :(

    Everything was installed from scratch, but DB servers are crashing, mod_perl is segfaulting all the time...

    I suppose it is somehow related to ProPolice.

    We are currently preparing to move to FreeBSD 4.8, because of those annoying stability problems on OpenBSD 3.3 - hard to say, but we can't provide service which is now crappy.

    Comments
    1. By A non e-mouse cow herd. () on

      Almost misread that as "Migrated from 2.5->3.3" that's sad to hear. I would recommend not moving to FreeBSD, but if you can't get things working, I understand business needs.

      I would also recommend reading & using:
      http://www.openbsd.org/report.html

      It could help quite a bit.

    2. By Anonymous Coward () on

      2.5 was nice. my 2.6 system is still churning great. just on the lan now ... but is still the most stable i've run.

      machine was built nov-1999

    3. By Anonymous Coward () on

      Maybe someone will consider me a troll for asking this....

      ...but isn't it normally prudent to test a migration before deployment? I understand an upgrade is difficult, but usually, that's a probable, known norm with any computer system you run. No matter how small you are, if you are running services, I would pound some test servers of such an upgrade to see what happens before making switch, get used to the system, and see what problems arise. I wouldn't just go and blame the OS.

      Maybe I'm just an ass, but it seems then you are going to "solve" the problem by going to FreeBSD 4.8. I would think that would thereby introduce another stage of problems, not to mention possible security concerns (FreeBSD varies between fair security to security advisory whore, e.g. in 2002). I like FreeBSD, but given the recent migration, are you sure this will solve the issues you are seeing?

    4. By henning () henning@openbsd.org on

      i'm running basically all our servers on OpenBSD and quite a few are 3.3 yet. so it is definitely possible and feasible to use OpenBSD for ISP needs.
      even the fucken frontpage disaster^H^H^H^H^Hextensions work, tho I don't use the official ones, and I plan to drop them completely as customers don't really use 'em any more.
      whatever is your problem, it is not OpenBSD - looks like you fucked up something while upgrading.
      mod_perl is a bug collection anyway, and whoever uses it at shared webhosting servers deserves pain.

      Comments
      1. By Mark Beihoffer () mark aught dragonfly dash numeral seven daught com on http://www.dragonfly-7.com

        First off, I have to say that I'd like to use mod_perl on OpenBSD - there are some incentives to its deployment that make it very attractive, and certain packages such as Scoop require it.

        What makes you think it's a "bug collection"? Just curious - I'm not considering it in a shared environment but maybe you have insight into why it's not appropriate for web serving otherwise.

        Secondly, what extensions are you using for FrontPage? I have a customer that is currently locked into a FP installation, and he'd love to host it on OpenBSD... thanks for any input you can give me.

    5. By Dom De Vitto. () on

      Geee, I guess if you upgraded from Windows 3.1 to Windows XP in one day your customers would have had no problems.....

      WHO THE HELL DOES AN UPGRADE FROM AN OS RELEASED "May 19, 1999" TO ONE RELEASED 1 May 2003 AND EXPECTS NO PROBLEMS????????

      WHY THE HELL WERE YOU RUNNING 2.5 LAST MONTH ANYWAY???? IT WAS OUT OF SUPPORT BY TWO YEARS!

      What an idiot.

    6. By Nate () nate@my-balls.com on

      Try using 3.1 or 3.2, both of which bend FreeBSD over rather nicely for anything in the security department.

      I have had issues with some hardware and 3.3 over ftp, so I am still using 3.2 on some of my more recent installs.

    7. By Anonymous Coward () on

      Have you tested your hardware? Try running memtest86 for 24hours.

      I'll bet you $100 that your hardware is f*cking up. Build a new box, $500USD max even with scsi raid 5.

      Comments
      1. By Anonymous Coward () on

        $500 including scsi raid 5? WTF planet do you live on? You're looking at $500 just for a raid controller that's worth using.

    8. By Anonymous Coward () on

      I wonder if your "small ISP" is Eclipse in the UK?

  5. By Anonymous Coward () on

    The OpenBSD implementation of chroot does not provide additional security, nor was it meant to, so please stop saying it provides additional security.

    Thanks

    Comments
    1. By krh () on

      We have already had this discussion. It was a long and useless flamewar which solved nothing and changed no one's opinion. I think it is very nasty of you to try to start it again.

      Please be more considerate next time.

      Comments
      1. By Anonymous Coward () on

        i did not feel i was being inconsiderate...that flamewar was in two camps, those admitting that chroot was insecure and that it was not meant to provide security (my stance), and those refusing to admit existence of security flaws in chroot.

        Comments
        1. By Dom De Vitto () on

          Chroot is better than non-chroot. End of discussion.

          Please read a good security book, e.g. a CISSP exam prep guide, if you do not understand why.

          Comments
          1. By Anonymous Coward () on

            But when it is so trivial to escape, there is little point implementing it as a security feature.

            Comments
            1. By Anonymous Coward () on

              err wrong. it is possibly trivial to escape if you have a local shell is what you meant to say

              Comments
              1. By Anonymous Coward () on

                yes, my mistake.

  6. By Wouter () openbsd@gamezworld.com on

    Thanks for your replies so far. At the moment I am most worried about CGI. PHP safety problems can just be solved by putting on safe_mode.

    For CGI, I could of course copy the perl binary and all the libs.. but I am not sure if it's right to do this, and does it work that way (is mod_perl an option?)?

    Another thing is, how do I make sure CGI is safe? With PHP I know now I am safe, because of the safe_mode option, but is there a way to make CGI secure as well?

    Probably these questions have been asked many times, but I think it is good the answers will be listed at such a good site as this one.

    Comments
    1. By Anonymous Coward () on

      You need to decide just how far you trust your customers. For them to use fully working cgi that they wrote themselves, you cannot use chroot reliably without having to constantly dump this or that program or library into the jail, or have so much of your filesystem duplicated into the jail that it almost nullifies the point of even having it.

      This might sound strange from a sysadmin, but at some level you just have to stop being paranoid and trust someone or else you will do nothing but create more work for yourself and anger your customers.

      Sidenote... PHP safe_mode isn't exactly the paragon of security you make it out to be, but it does help.

    2. By schwack () on

      safe_mode is a good start, but setting a base dir per vhost is also a good idea.


      php_admin_value open_basedir "/home/username/"

      There are many other things to check out. read http://www.php.net/manual/en/security.php
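
      Added example, not part of schwack's comment and not taken from any site's real configuration: the per-vhost `open_basedir` setting above applied to two customers, with two weak variants shown commented out. Hostnames, user names and paths are placeholders, and mod_php under an Apache 1.3-style name-based virtual host setup is assumed.

      ```apache
      # Constructed example: hostnames, user names and paths are placeholders.
      NameVirtualHost *:80

      # Weak: one base directory shared by every customer, so a script
      # under /home/alice can still open files under /home/bob.
      #   php_admin_value open_basedir "/home/"
      #
      # Weak: no trailing slash. Where PHP matches open_basedir as a
      # string prefix, "/home/bob" also admits /home/bobby and /home/bob2.
      #   php_admin_value open_basedir "/home/bob"

      <VirtualHost *:80>
          ServerName alice.example.com
          DocumentRoot /home/alice/public_html
          # php_admin_* directives cannot be set from .htaccess and
          # cannot be overridden by .htaccess or ini_set().
          php_admin_flag  safe_mode on
          php_admin_value open_basedir "/home/alice/"
          # Keep upload temp files inside the customer's own tree too.
          php_admin_value upload_tmp_dir "/home/alice/tmp/"
      </VirtualHost>

      <VirtualHost *:80>
          ServerName bob.example.com
          DocumentRoot /home/bob/public_html
          php_admin_flag  safe_mode on
          php_admin_value open_basedir "/home/bob/"
          php_admin_value upload_tmp_dir "/home/bob/tmp/"
      </VirtualHost>
      ```

      `open_basedir` only constrains PHP's own file functions; CGI programs run from the same virtual hosts are not affected by it.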

    3. By Aasmund () on

      There is a safe mode for perl also. And remember that you always have to trust your customers, safe mode is not truly safe.

    4. By Anonymous Coward () on

      Don't forget about CGIWrap.

  7. By Iota () on

    Somewhat on topic, somewhat off. I've been attempting to set up DNS and a web server on an OBSD box to host my recently purchased domain. Unfortunately, I feel very inept at setting BIND up properly. I've read through quite a few tutorials, none with much success (named starts with no errors.. but.. the DNS doesn't upgrade even a few days later). Is there anything out yet on BIND 9 and configuring it in OpenBSD? Or perhaps something that could hand-hold my newb self through configuring this? (even if it's not directly intended for OpenBSD?)

    Comments
    1. By Wouter () openbsd@gamezworld.com on

      The "Bind 9 Administrator's Guide" gives many info (http://ou800doc.caldera.com/NET_bind/Bv9ARM.html).

      However, I would like to suggest PowerDNS (www.powerdns.com), you've to compile it with GCC/G++ 3.2.2 .. it has a MySQL backend which is really great.

    2. By michaelc () gigalo@canada.com on

      On a bit of a stretch, are you allowing BIND traffic through the firewall that I am assuming that you are running??

      Comments
      1. By Iota () on

        Yes, made sure to allow traffic on port 53. My issue I think is setting it up. Which, if I'm lucky the other post, "Bind 9 Administrators guide" will help me get through. Maybe I'll wind up with PowerDNS. Either way, time to get reading. Thanks.

        Comments
        1. By AAsmund () on

          53 udp? not just tcp? also are you using a nat (e.g. adsl or cable modem set up as router) in front (if you do, it will probably not work)

    3. By marcin () ms@kajtek.org on

      *asbestos shield on*

      I do not mean to start djbdns - BIND war,
      BIND works, it might not be practical,
      worthwhile, etc to switch, blah blah.
      _I_ like it a lot.

      *asbestos shield off*


      Just wondering if you had a chance to look at
      djbdns (http://cr.yp.to/djbdns.html). I started to use it after prolonged exposure to BIND config
      files, and never looked back.

      1) Its license does not allow it to be included
      in the ports. It is free, but does not suit OBSD's, Debian's (and others') definition of free.

      2) _I_ find djbdns setup to be much easier and
      "cleaner" than that of bind.

      3) It is easy to get good and secure config

      4) It is of ISP quality

      5) djbdns follows its own way to do zone-transfers. It is better than that of BIND, but
      requires some glue (some perl glue is provided).

      6) you will want to load ucspi-tcp and daemontools as well. Plus to me, might be more of new/weird software to you.

      More setup instructions:
      http://www.lifewithdjbdns.com/

      Comments
      1. By Anonymous Coward () on

        I would second this recommendation. It works well for me.

    4. By Anonymous Coward () on

      It's worth looking at djbdns as an alternative to BIND.

    5. By Blake () funkboy at two one one two dot net on

      Try /usr/ports/net/nsd. It's an authoritative-only nameserver daemon. RIPE just switched their root server over to using this. If you need a resolver, try /usr/ports/net/pdnsd.

  8. By Matt () on

    Some of the recent posts reminded me of some problems I had running php within the chroot environment in 3.2. I readily admit that I don't know everything that I should, but that gives me an idea.

    Could we make another flavor within ports to install a port with the intention of making it available in the chroot structure? or even just switching certain ports over to be installed to the /var/www dir by default. call me crazy, but who runs php outside of a webserver? why wouldn't we put webserver components in a path where our default configuration can't reach them?

    And before i'm flamed, yes I realize I could probably edit the makefiles by hand, but why do we intentionally make it hard on ourselves?

  9. By marcbey () marc@marcbey.de on

    one interesting feature for an isp couldn't offer openbsd: jails

  10. By Anonymous Coward () on

    How about apache's suexec feature? Wouldn't that be useful to keep users from reading each other's files with perl scripts?
    Will that work with the default chrooted install of apache (provided that perl is inside the chroot of course)?
    Or does suexec create more security issues than it solves?

  11. By doggo () w-berry@north!NS!western.edu on

    Look at this article:

    http://www.etc.msys.ch/docs/

    And/or do a google search for "marc balmer chroot" and you'll find some threads.

    Hope this is helpful.

  12. By Jimmy Mitchener () on

    I hate to say it, but the debian folks have a WONDERFUL tutorial on setting up apache with a fully functional environment in their "securing debian" manual. It is debian based but most of it is general and applies to all "unix-like" environments. The one thing you have to remember though is that when you are chrooting, you simply have to include all necessary applications within that chroot. So if you would like your http server to have the ability to send mail, you are going to have to setup a mail server within that chroot.

    Comments
    1. By janus () janus -at- errornet -dot- de on http://janus.errornet.de

      You don't need to setup a mailserver... use ssmtp (or a wrapper for it) and it will work with the host mailserver.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]