15.15 Another Example: Using MAC to Constrain a Web Server

A separate location will be set aside for the web data that users must be able to access. This will permit biba/high processes access rights to the web data.

Begin by creating a directory to store the web data in:

# mkdir /usr/home/cvs

Now initialize it with cvs:

# cvs -d /usr/home/cvs init

The first goal is to enable the biba policy, so the line mac_biba_load="YES" should be placed in /boot/loader.conf. This assumes that support for MAC has been enabled in the kernel.

From this point on everything in the system should be set at biba/high by default.

The following modification must be made to the login.conf file, under the default user class:

:ignoretime@:\
    :umask=022:\
    :label=biba/high:

Every user should now be placed in the default class; a command such as:

# for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \
    /etc/passwd`; do pw usermod $x -L default; done;

will accomplish this task in a few moments.

Now create another class, web, a copy of default, with the label setting of biba/low.

Create a user who will be used to work with the main web data stored in a cvs repository. This user must be placed in our new login class, web.

Since the default is biba/high everywhere, the repository will carry the same label. The web data must also be at the same label for users to have read/write access to it; however, since our web server will be serving data that biba/high users must access, we will need to downgrade the data as a whole.

The perfect tools for this are sh(1) and cron(8), both of which are already provided in FreeBSD. The following script should do everything we want:

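#!/bin/sh
# Check out the web data; run from cron as the biba/low user "web".
PATH=/bin:/usr/bin:/usr/local/bin; export PATH
CVSROOT=/home/repo; export CVSROOT
# Stop if the target directory is missing rather than checking out elsewhere.
cd /home/web || exit 1
cvs -qR checkout -P htdocs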

Note: In many cases the cvs Id tags must be placed into the web site data files.

This script may now be placed into web's home directory and the following crontab(1) entry added:

# Check out the web data as biba/low every twelve hours:
0       */12       *       *       *       web    /home/web/checkout.sh

This will check out the HTML sources every twelve hours on the machine.

The default startup method for the web server must also be modified to start the process as biba/low. This can be done by making the following modification to the /usr/local/etc/rc.d/apache.sh script:

command="setpmac biba/low /usr/local/sbin/httpd"

The Apache configuration must be altered to work with the biba/low policy. In this case the software must be configured to append to the log files in a directory set at biba/low or else “access denied” errors will be returned.

Note: Following this example requires that the DocumentRoot directive be set to /home/web/htdocs; otherwise, Apache will fail when trying to locate the directory to serve documents from.

Other configuration variables must be altered as well, including PidFile, ScoreBoardFile, DocumentRoot, the log file locations, and any other variable which requires write access. When using biba, all write access will be denied to the server in areas not set at biba/low.
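
A pre-flight check for the requirement above, as an added example that is not part of the Handbook: the function reads an httpd.conf on standard input and lists the directives whose paths lie outside the biba/low tree. It assumes /home/web is the tree labelled biba/low; the function name audit_httpd_paths and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Handbook): list Apache directives whose paths
# fall outside the tree labelled biba/low, before starting httpd under setpmac.

# audit_httpd_paths LOW_TREE   (hypothetical helper; reads httpd.conf on stdin)
# Prints "Directive path" for each offender and returns 1 if any were found.
audit_httpd_paths() {
    awk -v low="${1%/}" '
        BEGIN {
            # Directives named in the text, plus the log directives.
            n = split("pidfile scoreboardfile documentroot errorlog customlog", d, " ")
            for (i = 1; i <= n; i++) want[d[i]] = 1
            root = ""; bad = 0
        }
        /^[ \t]*#/ { next }                       # skip comment lines
        { key = tolower($1); path = $2; gsub(/"/, "", path) }
        key == "serverroot" { root = path; sub(/\/$/, "", root); next }
        !(key in want) || path == "" { next }
        path ~ /^\|/ { next }                     # piped log: not a file path
        {
            # Apache resolves relative paths against ServerRoot.
            if (path !~ /^\//) path = root "/" path
            # Match whole path components, so /home/website is not
            # mistaken for something under /home/web.
            if (path != low && index(path, low "/") != 1) {
                print $1, path
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample configuration; the paths are illustrative assumptions.
audit_httpd_paths /home/web <<'EOF' || echo "move the paths listed above under /home/web"
ServerRoot "/usr/local"
DocumentRoot "/home/web/htdocs"
PidFile /var/run/httpd.pid
ScoreBoardFile /home/web/run/apache_runtime_status
ErrorLog /home/web/logs/error.log
CustomLog logs/access.log combined
EOF
```

The check compares path prefixes only; on the FreeBSD host itself, getfmac(8) shows the label actually set on each directory.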
