[rsbac] How to limit network access
Thomas Mueller
news-exp-jun04 at tmueller.com
Mon Apr 19 10:41:39 CEST 2004
I tried to follow http://zhware.ath.cx/cgi-bin/oswiki.cgi/ApacheRsbacRc to
restrict the network access of my Apache. Unfortunately Apache can still
bind to any port, not only 80.
I'm sure it's my fault but I don't see what's wrong :-( That's what I did:
net_temp -V 66051 new_template 20000 "httpv4"
net_temp -V 66051 set_address_family 20000 INET
net_temp -V 66051 set_type 20000 STREAM
net_temp -V 66051 set_address 20000 0.0.0.0
net_temp -V 66051 set_valid_len 20000 0
net_temp -V 66051 set_protocol 20000 TCP
net_temp -V 66051 set_netdev 20000 ""
net_temp -V 66051 set_min_port 20000 80
net_temp -V 66051 set_max_port 20000 80
net_temp -V 66051 new_template 20001 "httpv6"
net_temp -V 66051 set_address_family 20001 INET6
net_temp -V 66051 set_type 20001 STREAM
net_temp -V 66051 set_valid_len 20001 0
net_temp -V 66051 set_protocol 20001 TCP
net_temp -V 66051 set_netdev 20001 ""
net_temp -V 66051 set_min_port 20001 80
net_temp -V 66051 set_max_port 20001 80
(required to access a database on localhost, will be restricted further)
net_temp -V 66051 new_template 100101 "localnet"
net_temp -V 66051 set_address_family 100101 INET
net_temp -V 66051 set_type 100101 ANY
net_temp -V 66051 set_address 100101 127.0.0.0
net_temp -V 66051 set_valid_len 100101 8
net_temp -V 66051 set_protocol 100101 ANY
net_temp -V 66051 set_netdev 100101 ""
net_temp -V 66051 set_min_port 100101 0
net_temp -V 66051 set_max_port 100101 65535
attr_set_net -V 66051 NETTEMP rc_type 3 20000
attr_set_net -V 66051 NETTEMP rc_type 3 20001
attr_set_net -V 66051 NETTEMP rc_type 20 100101
rc_set_item -V 66051 TYPE 3 type_netobj_name "http NETOBJ"
rc_set_item -V 66051 TYPE 20 type_netobj_name "localall NETOBJ"
rc_set_item -V 66051 -b ROLE 20 type_comp_netobj 0 00000000001101000000000000000000000000000000100000000
rc_set_item -V 66051 -b ROLE 20 type_comp_netobj 3 00000000011101110000000000000000000000000000100000000
rc_set_item -V 66051 -b ROLE 20 type_comp_netobj 20 00000000001110000000000000000000000000000000100000000
attr_set_file_dir FD /usr/sbin/apache2 rc_force_role 20
The Wiki says it's enough to set Bind+Listen for http NETOBJ, but that
leads to the following when I connect to Apache:
Apr 18 18:44:21 geht-schon kernel: rsbac_adf_request(): request SEND, pid 14758, ppid 14756, prog_name apache2, uid 33, target_type NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
Apr 18 18:44:21 geht-schon kernel: rsbac_adf_request(): request RECEIVE, pid 14758, ppid 14756, prog_name apache2, uid 33, target_type NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
Apr 18 18:44:36 geht-schon kernel: rsbac_adf_request(): request NET_SHUTDOWN, pid 14758, ppid 14756, prog_name apache2, uid 33, target_type NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
So something seems to work, but Apache can still bind to its https port
(netstat -l):
tcp6 0 0 *:www *:* LISTEN
tcp6 0 0 *:https *:* LISTEN
Whatever tcp6 is. This is a default Debian Sarge installation with kernel
2.6.4 and RSBAC 1.2.3pre4.
Thanks for your help!
Thomas
--
http://www.tmueller.com for pgp key (95702B3B)
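An added example, not part of Thomas's post and not RSBAC project code: a small POSIX shell script that checks the two things the post has to verify by hand. The first function summarises the kernel's rsbac_adf_request() NOT_GRANTED decisions by program and request type, so a burst of denials for a confined daemon is visible at a glance; the second compares the TCP ports a service actually listens on (from numeric `netstat -ln` output) against the ports its network template is meant to allow, which is exactly the check that would have flagged the extra https listener. The sample log lines are the post's own three messages re-joined onto single lines, and the netstat sample is constructed to mirror the post's listener list; the function names are this example's own.

```sh
#!/bin/sh
# Added example: audit helpers for an RSBAC-confined network daemon.
# Not part of the original post or of the RSBAC tools.

# The three kernel messages from the post, re-joined onto single lines
# (the mailer had wrapped them).
SAMPLE_KLOG='Apr 18 18:44:21 geht-schon kernel: rsbac_adf_request(): request SEND, pid 14758, ppid 14756, prog_name apache2, uid 33, target_type NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
Apr 18 18:44:21 geht-schon kernel: rsbac_adf_request(): request RECEIVE, pid 14758, ppid 14756, prog_name apache2, uid 33, target_type NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC
Apr 18 18:44:36 geht-schon kernel: rsbac_adf_request(): request NET_SHUTDOWN, pid 14758, ppid 14756, prog_name apache2, uid 33, target_type NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result NOT_GRANTED by GEN RC'

# Constructed sample of numeric `netstat -ln` output mirroring the post's
# listener list (www and https on tcp6); not captured from a real host.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80      0.0.0.0:*   LISTEN
tcp6       0      0 :::80           :::*        LISTEN
tcp6       0      0 :::443          :::*        LISTEN'

# denied_requests LOGTEXT
#   Prints "prog_name REQUEST count" for every NOT_GRANTED decision logged by
#   rsbac_adf_request(), one line per (program, request) pair, sorted.
denied_requests() {
    printf '%s\n' "$1" | awk '
        /rsbac_adf_request/ && /result NOT_GRANTED/ {
            req = ""; prog = ""
            for (i = 1; i <= NF; i++) {
                # tokens look like "request SEND," and "prog_name apache2,"
                if ($i == "request")   { req  = $(i + 1); sub(/,$/, "", req) }
                if ($i == "prog_name") { prog = $(i + 1); sub(/,$/, "", prog) }
            }
            count[prog " " req]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# listening_ports NETSTATTEXT
#   Prints each TCP port in LISTEN state once, numerically sorted. Works for
#   both "0.0.0.0:80" and ":::80" because it takes the text after the last ':'.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# unexpected_ports NETSTATTEXT "ALLOWED PORTS"
#   Prints every listening port that is not in the space-separated allow-list,
#   i.e. listeners the network template should have prevented.
unexpected_ports() {
    input=$1; allowed=$2
    for p in $(listening_ports "$input"); do
        case " $allowed " in
            *" $p "*) ;;          # port is allowed, nothing to report
            *) echo "$p" ;;       # listener outside the template's port range
        esac
    done
}

# Stand-alone run: summarise the denials, then check the listeners against the
# single port (80) the post's "httpv4"/"httpv6" templates allow.
# On a live host replace the samples with "$(dmesg)" and "$(netstat -ln)".
denied_requests "$SAMPLE_KLOG"
unexpected_ports "$SAMPLE_NETSTAT" "80"
```

With the post's data the denial summary shows SEND, RECEIVE and NET_SHUTDOWN each refused once for apache2, and the listener check reports 443 as a port outside the template's 80..80 range, which is the discrepancy the post describes.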