Monday, October 31, 2011

Separate your users from each other using FreeBSD MAC (Mandatory Access Control)

Imagine you have thousands of users on your FreeBSD server and for some reason you don’t want them to see each other’s files under any circumstances.
Normally you’d use complicated ACLs and/or nested groups to solve this problem but there’s a much simpler approach to all of this.
Using the MAC security framework you can initialize the BSDEXTENDED module which will give you access to a very handy tool called ugidfw. This software module is basicly a file system firewall, the system interates through the list as a certainsubject is trying to access an object.
Firstly, you have to compile MAC support into the kernel by adding the
option MAC
option to your kernel config file, after recompiling and rebooting you should be able to load the mac_bsdextended module using the
kldload mac_bsdextended
Let’s add ugidfw_enable="YES" to /etc/rc.conf
After that we can load firewall rules by starting up the /etc/rc.d/ugidfw script, which is going to read the default rules set in /etc/rc.bsdextended.
Let’s assume that users which need complete separation from the rest of the bunch are between uid 3000 and 4000 with the sole exception of the www user, which is going to access all the files as their owners define it in the other permission field. To spice it up a little, I wanna handle group permissions as well, 2 different users in the same primary group should be able to practice their group rights on a shared file.
And the winner is:
sysctl -w security.mac.bsdextended.firstmatch_enabled=1
${CMD} set 99 subject uid 3000:4000 object gid_of_subject mode arswx
${CMD} set 100 subject not uid www object uid 3000:4000 mode n
The first rule says everyone with the uid 3000..4000 shall only access group owned files without further restrictions. If you don’t want to allow group access replacegid_of_subject to uid_of_subject
Since we enabled first match, subjects between 3000 and 4000 are not staying for the second rule, which is set for everyone except the www user.
This rule says that they have no access on objects owned by users between 3000 and 4000. Fortunately we set up the firstmatch directive and users between 3000 and 4000 will not be punished with this rule as they exit from the chain at their first match, rule 99


No comments: