OPS-22: OpenEdge® and the OS Security System
Gus Björklund
V.P. Technology
[email protected]

Topics
• Background
• Starting a Database Server
• Connecting To a Database
• Stopping a Database
• Database Utilities
• Advice
OPS-22: OpenEdge versus the OS Security System
© 2008 Progress Software Corporation
Please interrupt if you have a question.

Background

OpenEdge and OS Security
• OpenEdge RDBMS is architected, designed, and implemented to be installed, started, run, and stopped under the system administrator’s account
• Security best practices recommend NOT running an application under the system administrator’s account

Why Run As The System Administrator
The administrator is the 800 lb gorilla in the forest:
• Can control any process (stop, owner, …)
• Authenticate to user accounts
• Ignore resource access controls
• Ignore process limits
• Ignore system limits

Why Not to Run As the System Administrator
Sometimes the forest cannot support an 800 lb gorilla:
• IT denies access to the administrator account
• Prohibited by company policies or standards
• A non-auditable group account
• It is dangerous …
  – Bypasses system protections
  – Provides limitless hacking opportunities

Comparing UNIX & Windows Administrators

You are ...                                  UNIX                     Windows
The administrator when:                      uid = 0 (superuser [2])  SID = S-1-5-domain-500 (Administrator)
The built-in [1] system account when:        N/A                      SID = S-1-5-18 (LOCAL_SYSTEM)
A member of the administrator’s group when:  system-dependent         S-1-5-32-544 (Administrators)
An administrator when:                       user-id = 0              member of group S-1-5-32-544

[1] Cannot log into built-in Windows accounts.
[2] superuser is the “root” account on Mac OS X, Linux, and UNIX.

UNIX, Linux authorisation and access control
• root (superuser), users, groups
• no-login accounts for daemons, etc.
• file and directory
  – protection masks (owner, group, world)
  – access control lists
• Login authentication (PAM)
  – user name, password or others
  – NIS, LDAP, SecurId, Kerberos, others (custom too)
• Limits on
  – processes, subprocesses
  – memory (address space, paging space, shared mem)
  – file handles, sockets, etc.

Windows authorisation and access control
• Same as UNIX, plus
  – Login authentication
    · User-name, Windows domain, password
    · Active Directory, SAM, others
  – Registry Access Control Lists (ACL)
  – Windows Services privileges
  – Windows Services – desktop restrictions
Also, like UNIX, limits on file handles, memory, processes, etc.

Comparing Access Control Systems

Resource          UNIX                                        Windows
Windows service   -----                                       Service ACLs
File system       owner, group, world permissions, and ACLs   File system ACLs
Windows registry  -----                                       Registry ACLs
Shared memory     owner, group, world read/write              Object ACLs

UNIX daemons and Windows services are essentially the same thing.

UNIX File & Directory access

Mode bit        File                     Directory
Set user ID     Set effective user ID    No effect
Set group ID    Set effective group ID   Set new file group ID
User read       User read                User read directory
User write      User write               User remove/create files
User execute    User execute             User search in PATH
Group read      Group read               Group read directory
Group write     Group write              Group remove/create files
Group execute   Group execute            Group search in PATH
Other read      Others read              Others read
Other write     Others write             Others write
Other execute   Others execute           Others execute

Comparing UNIX & Windows File Access

                            UNIX                     Windows
User read/write/execute     process effective-uid    owner file permissions
Group read/write/execute    process effective-gids   merged user & group file permissions
Others read/write/execute                            N/A

UNIX/Linux Interactive User Login Example

Diagram: /bin/login calls the PAM Library (configured by /etc/pam.conf), which authenticates against the Local OS, LDAP, or RSA; the System Library (configured by /etc/nsswitch.conf) looks up account information in NIS databases and in passwd/<shadow>.

Windows Interactive User Login Example

Diagram: Winlogon calls the GINA, which authenticates against the Local OS, LDAP, or RSA; the System Library looks up account information in the Registry, Active Directory, and the SAM.

Starting a Database Server
(running _mprosrv)

Where OpenEdge Uses OS Authentication

Diagram: the AdminServer (user connection) creates _mprosrv; jvmStart creates ubroker (Java™), which creates _proapsv/_progress (AppServer™, WebSpeed®). Each of these authenticates through the System Library, driven by the nsswitch configuration [the Registry on Windows], against NIS databases, passwd/<shadow>, [Active Directory] and [SAM].

OpenEdge AdminServer Single Sign-on

Diagram: Progress Explorer (xxxman) presents a Security Token to the AdminServer, built from date-time, host-name, and a random #; the AdminServer does a Token Compare.
Used when:
• AdminServer on the system you are logged into
• Using your login user-id

Database Server Has To Be Able To
• Load shared libraries
• Open database files (ai, bi, and data extents)
• Create or open database .lg file
• Create shared memory and semaphores
• Raise its ulimit, ignore process size limit
• Read, write, expand the files
• Create and use sockets
• Spawn subprocesses (servers)
• Send signals to all connected processes

Starting the Database Server: Set User-id File Permission

Diagram: the _mprosrv executable carries set user-id 233 and set group-id 543. When pscadmin1 (real uid 123, real gid 678, secondary group 777) merely COPIES _mprosrv, the copying process keeps its own ids. When pscadmin1 EXECUTES _mprosrv, the OS System Library starts the process with the file’s ids as its effective ids:

                  COPY    EXECUTE
  real uid:       123     123
  effective uid:  123     233
  real gid:       678     678
  effective gid:  678     543
  secondary:      777     777

Starting the Database Server: Database File Access Controls

Diagram: _mprosrv runs with effective uid 123, effective gid 576, secondary group 555. The OS Security System checks it against the Database Files:
• UNIX: user read/write/execute for user-access (123), group read/write/execute for group-access (555), other read/write/execute for others-access
• Windows: ACL: allow o:<sid>:<perm…>, g:<sid>:<perm…>, g:<sid>:<perm…>, g:<sid>:<perm…>

Starting the Database Server: Buffer-pool Access Controls

Diagram: _mprosrv (real uid 123, real gid 555) opens the .db and the Shared-memory segment; the OS Security System checks:
• UNIX: user read/write for user-access (123), group read/write for group-access (555)
• Windows: ACL: allow o:<sid>:<rw>, g:<sid>:<rw>, g:<sid>:<rw>, g:<sid>:<rw>

Starting the Database Server: Changing System File Limits

Diagram: _mprosrv asks the OS System Library to raise its hard file-size limit (x 2GB) and hard number-files limit (y) above the system ulimits, so that the .db extents can grow to the required file-size and the required number of .db files can be opened.

Connecting To a Database
(running _progres self-serving on local system)

User has to be able to
• Execute _progres (or _prowin)
• Run OpenEdge 4GL programs
• Interact with 4GL programs
• Update data in the database
  – via 4GL programs only
• print, email, etc. depending on application

Users should NOT be able to
• Modify any executables or shared libraries
• Read, copy, or modify any production database files
• Run any database utilities
• Start or stop database servers
• Read or modify other users’ files
• Change configuration files
• Sometimes we want:
  – no access to shell or other programs,
  – _progres started automatically when user logs in to system
• Touch database server machines!

Disaster

Self-serving client Has To Be Able To
• Load shared libraries
• Open database files
• Connect to shared memory and semaphores
• Read and write database files
• Read .p, .r, and other files
• Create new .r files
• Create temporary files
• Map shared procedure library files
• etc.

Starting Self-service ABL Clients: Connecting to the Buffer-pool

Diagram: _progres runs with effective uid 123 and effective gid 555; the OS Security System grants it the Shared-memory segment through user-access (123) and group-access (555).

Starting the ABL Clients: Removing Privileges
OpenEdge:
• Lowers uid after startup parameters executed
• Cannot re-set to a more privileged state
• Does not lower group-id
• [Does not remove privileges or ACEs]

Diagram: _progres after startup
  real uid:       245
  effective uid:  0 -> 245
  real gid:       597
  effective gid:  0
  secondary:      777

Connecting To a Database
(running _progres with network connection)

User has to be able to
• Execute _progres
• Run OpenEdge 4GL programs
• Interact with 4GL programs
• Communicate with server over network
• print, email, etc. depending on application

Network Client Has To Be Able To
• Load shared libraries
• Read and write database files
• Read .p, .r, and other files
• Create new .r files
• Create temporary files
• Map shared procedure library files
• etc.
NO special privileges required

What about AppServer and WebSpeed?

Shutting Down A Database
(running _mprshut)

Stopping The Database

Diagram: _mprshut (real uid 123, effective uid 123, real gid 678, effective gid 678, secondary 777) calls the OS System Library to deliver a Signal and IPC to _mprosrv, which runs with the same real uid 123, effective uid 123, real gid 678, effective gid 678, secondary 777; OpenEdge compares the two sets of ids (eq).

About Database Utilities

Database utilities need to be able to
• Load shared libraries
• Open database files
• Connect to shared memory and semaphores
• Read and write database files
• Create and delete database files
• Create temporary files

Offline Database Utilities
• Many utilities can run in single-user mode (and some have to)
• (e.g. database is offline)
  – Index rebuild
  – Offline backup
  – procopy
  – etc.
• Connect same as single-user _progres

Online Database Utilities
• Many utilities can be run online
• (e.g. database is in multi-user mode)
  – dbanalysis
  – prostrct add
  – dbtool
  – online backup
  – etc.
• Connect same as self-serving _progres

Advice

Advice
• Keep things simple
• Don’t mix AdminServer & command-line database utilities
• Do administration locally to avoid user authentication issues
  – OR: Use ssh for remote access (putty on Windows)
• Start with "nothing is allowed"

Advice: Break the Administrator Habit
• Develop access control plan
• Know requirement for bypassing system limits
• Use your own user accounts and groups
• Make maximum use of group level access
• Reserve root access to install, updates & emergencies
• Use the “sudo” utility

Advice: Learn sudo
• sudo can be used to
  – allow limited root access
  – allow limited access to other accounts
  – limit access to specific commands
• sudo can
  – log usage
  – log attempted usage
  – email when unauthorised attempts are made
• config file: /etc/sudoers
• Read the man page
• Example:
  sudo more /etc/sudoers
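An added example, not from the presentation, of the "limit access to specific commands", "allow limited access to other accounts" and logging points above: a generator for a sudoers drop-in that lets an assumed dbadmin group run the utilities named on the slides as an assumed pscadmin owner account (DLC assumed at /usr/dlc), plus a syntax check with visudo -c -f.

```shell
#!/bin/sh
# Added example, not from the presentation. Assumed names: group dbadmin,
# owner account pscadmin, DLC=/usr/dlc; the utilities are the ones named
# on the slides. Nothing here grants root: commands run as the owner account.
set -u

# Print a sudoers fragment: $1 = admin group, $2 = target account, $3 = DLC.
# Commands are listed by absolute path so only these can be run via sudo;
# log_output records sessions, mail_badpass/mailto report bad attempts.
sudoers_fragment() {
    group=$1; account=$2; dlc=$3
    cat <<EOF
# OpenEdge database administration (generated fragment)
Cmnd_Alias OE_DB = $dlc/bin/_mprosrv, $dlc/bin/_mprshut, $dlc/bin/prostrct, $dlc/bin/procopy
Defaults:%$group log_output
Defaults mail_badpass, mailto="dba-alerts@example.invalid"
%$group ALL = ($account) OE_DB
EOF
}

# Syntax-check a fragment with visudo when it is installed (visudo -c -f
# parses the given file only); otherwise say the check was skipped.
# Returns 0 for "valid" or "skipped", non-zero for a syntax error.
check_fragment() {
    file=$1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null
    else
        echo "visudo not installed; fragment not checked" >&2
    fi
}

# Typical use (assumed layout): generate, check, then install under
# /etc/sudoers.d with mode 0440.
if [ "${1:-}" = "generate" ]; then
    sudoers_fragment dbadmin pscadmin /usr/dlc > /tmp/oe-dba.sudoers
    check_fragment /tmp/oe-dba.sudoers && cat /tmp/oe-dba.sudoers
fi
```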

Best Practices
• Start with changing file & group ownership
  – Take away group and world access from
    · database files
    · database directories
    · backup files and directories
    · archived ai files and directories
• Take away world xrw from database utilities
• Create a database admin group
  – Add set-group-id to $DLC/bin as appropriate

In Summary
• Server security requirements are escalating
• OpenEdge security depends on the OS security system
• Administrator requirements are few and there are alternative methods

Do You Have Any Questions?

References:
NSA Guide To Securing Linux
http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf