Warning |
---|
This approach is not viable. There is a snag with how ACLs work documented in the issues area. Instead, I am going back to a simplified approach which will then make separation of duty achievable by using container technology. What this article and the sub-version 128 is good for, is exploration of ACLs and it's limitations. |
Table of Contents |
---|
Introduction
As an application, WordPress is easy to use and feature rich. It has an established community, and in my opinion, the best selection of themes and the most usable blogging cms software package available.
...
- Web Server = Apache
- Application Server = PHP
- Database = MySQL
- OS = Ubuntu
Install Packages
Install the packages to run WordPress,
...
Note | |||||
---|---|---|---|---|---|
This article was written and tested against Ubuntu 12.04 which has ACL support built into the kernel. With Ubuntu 12.04, if the ACL packages are not installed the install is straight forward,
Previous versions may be more involved and require modifying the fstab file. |
Setup Directory Structure with ACLs
This security approach works at various levels to contain process and programs to run only within their specified folders and restrict users to their own respective instances of WordPress.
Permission and Group Structure
We want to provide website hosting for two different clients, The Daily Planet and LexCorp. Employees from the respective companies will belong in the system under the following groups, wgdailyplanet and wglexcorp. Here is how the top level structure,
User Name | Assigned User | Group | Web Root Directory | File Access | Directory Access |
---|---|---|---|---|---|
dailyplanet01 | Clark Kent | wgdailyplanet | /opt/web/php/dailyplanet.com/ | Read, Write and Execute | Read, Write and Execute |
lexcorp01 | Lex Luthor | wglexcorp | /opt/web/php/lexcorp.com/ | Read, Write and Execute | Read, Write and Execute |
Apache Server | www-data | /opt/web/php/dailyplanet.com/ /opt/web/php/lexcorp.com/ | Read | Read and Execute (required to transverse directories) |
Other |
No Access | No Access |
We do not want employees from different companies access or even have awareness of each others web directory. At the same time, the Apache Server running as user www-data belonging to group www-data also needs access to the directories. We also want to grant users of the staff group read access for support purposes. Finally, we want all subsequent directories and files under the respective Web Root Directories to inherit the same permissions.
...
As such we will require ACLs. Here is what each directory will look like and how the main user types will interact with directories and files,
Directory | Permissions | ACL | Comment | User from wgailyplanet | User from wglexcorp | User from staff | Normal (other) Users |
---|---|---|---|---|---|---|---|
/opt/web/ | rwXr-X--X | n/a | Don't need ACLs here. Use Unix permissions "drwxr-x--x 3 serveradmin staff". | cd but no ls | cd but no ls. | cd, ls |
/opt/web/php/ | rwXr-X--X | n/a | Don't need ACLs here. Use Unix permissions "drwxr-x--x 3 serveradmin staff". | cd but no ls. | cd but not ls. | cd, ls |
/opt/web/php/tmp/ | rwXr-X--- | www-data:rwX | In a shared environment lock down. Consider ACLs to make it easy for staff to review. | Nothing | Nothing | cd, ls | nothing |
/opt/web/php/logs/ | rwXr-X--- | www-data:rwX | In a shared environment lock down. Consider ACLs to make it easy for staff to review. | Nothing (on the one hand this increases security but how does a php programmer debug?) | Nothing | cd, ls | nothing |
/opt/web/php/dailyplanet.com/ | rwXrwX--- | www-data:rX wgdailyplanet:rwX |
Nothing | cd, ls | nothing | ||
/opt/web/dailyplanet.com/blog/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX |
cd, ls | nothing | |||
/opt/web/dailyplanet.com/blog/wp-content/ | rwXrwX--- | www-data:rwX wgdailyplanet:rwX | In order to install plugins, www-data needs write access. Notice the base Unix permissions have to be more open due to how masking works with ACLs. |
cd, ls | nothing | ||
/opt/web/php/lexcorp.com/ | rwXr-X--- | www-data:rX wglexcorp:rwX |
cd, ls | nothing | |||
/opt/web/lexcorp.com/blog/ | rwXr-X--- | www-data:rX wglexcorp:rwX |
cd, ls | nothing | |||
/opt/web/lexcorp.com/blog/wp-content/ | rwXrwX--- | www-data:rwX wglexcorp:rwX | In order to install plugins, www-data needs write access. Notice the base Unix permissions have to be more open due to how masking works with ACLs. |
cd, ls | nothing |
Further to this, using normal Unix permissions, all directories will be owned by serveradmin:staff.
web Folder
This is where everything starts for web related work,
...
Code Block | ||
---|---|---|
| ||
getfacl --default ./web/ # file: web/ # owner: serveradmin # group: staff user::rwx group::r-x group:www-data:r-x group:staff:r-x mask::r-x other::--- |
php Support Folders
This is where all php code will execute. In php centric applications this will also be considered the web root for static files too and reflected in the virtual host configuration.
Create Folders
PHP requires advanced access to specific folders,
...
The PHP process run under Apache as www-data needs full access to these folder.
Configure PHP to Use Specified Folders
Edit php.ini to make use of the folders.
Code Block | ||
---|---|---|
| ||
sudo vi /etc/php5/apache2/php.ini |
Set Running Directory
Search for the open_basedir line and modify to include the directories setup for WordPress,
...
This helps minimizes the amount of damage that can be done in the event that the system is compromised to the specified directory.
Set Temp Directory
Because open_basedir has been set, WordPress no longer has access to the general temporary folder it expects which is required for certain operations (for example to upload plugins through the Administrator web interface).
...
Code Block |
---|
; Temporary directory for HTTP uploaded files (will use system default if not ; specified). ; http://php.net/upload-tmp-dir upload_tmp_dir = /opt/web/php/tmp/ |
Make Changes Take Effect
Restart Apache for the changes to take effect,
...
You will now find that php scripts will only run in the designated directories specified in php.ini.
Setup Website Root
Each website will have it's own root folder under /opt/web/php/. To keep things simple we will keep both static and php content inside of this folder.
...
Repeat as needed for each website.
Symbolic Link for Group Accounts
Due to the tight security, the directory listing for /opt/web/ and /opt/web/php/ is restricted. So users will not know about the web root.
...
Code Block | ||
---|---|---|
| ||
sudo su - web.master # Log in as web.master cd ~ ln -s /opt/web/php/dailyplanet.com dailyplanet.com ln -s /opt/web/php/lexcorp.com lexcorp.com |
Setup WordPress
WordPress is incredibly easy to setup and there are many shorter tutorials than this.
...
Warning |
---|
WordPress out of the box can be very quickly broken into. In fact, I personally go so far as to keep the Ubuntu firewall up with port 80 or 443 closed until WordPress is completely hardened. When the setup steps required using the browser, I use ssh tunnelling to access 80 securely. A writeup of using ssh tunnelling should be added to the Bonsai Framework and linked or included here. |
Apply ACLs to WordPress Folders
Using the serveradmin account, download and decompress WordPress,
...
Code Block | ||
---|---|---|
| ||
file: blog/ # owner: serveradmin # group: staff user::rwx group::r-x group:www-data:r-x group:staff:r-x group:wgmainframe:rwx mask::rwx other::--- default:user::rwx default:group::r-x default:group:www-data:r-x default:group:staff:r-x default:group:wgmainframe:rwx default:mask::rwx default:other::--- |
ACLs Do not Work as Thought
Warning | |||||
---|---|---|---|---|---|
March 25, 2013 Ok, how about watching a directory and adjusting permissions whenever a file is changed or updated, http://askubuntu.com/questions/43846/how-to-put-a-trigger-on-a-directory March 22, 2013 This IBM article shows how to change the sftp umask for specific groups using 5.4p1 or higher,
BUT, after testing, realized, I cannot use the umask on sftp to change the permission on a file to be less restrictive than the original file. March 19, 2013 OK more bad news, sftp and scp use root's umask. There's is a way to globally set the umask but that's not what I want and causes security issues. This link which talks about chrooting specific sftp groups for no shell access looks promising possibly in concert with PAM. Otherwise I might look at file watchers. March 18, 2013 Evening Finally found the answer and it's ACLs will not work. Per this post which points out that in the man documentation for ACL(5) in the paragraph OBJECT CREATION AND DEFAULT, the access of ACL of a file ojbect is initialized only when create(), mkdir(), mknod(), mkfifo(), or open() functions are used. In other words default ACLs are only applied when using create. Otherwise it will be a XOR of the existing user mask and default acl mask of the user doing the copy, unzip, untarred ect...) followed by the usual calculation done by subtracting the current umask from 0666 for a file and 0777 for a directory. This is why the #effective permission comment appears. March 18, 2013 Morning Found mask of newly created files in the directory are alright. The problem is copying files from another directory where the mask by default is more restrictive. Maybe I need to set sticky bits. Set sticky bits and it did not make a difference. This article explains how ACL permissions are calculated and how to determine what a command like touch or cp does, http://unix.stackexchange.com/questions/56278/can-not-explain-acl-behavior March 17, 2013 Verified his is due to an incorrect mask.... need to run a test but this should work after. March 14, 2013 According to this article the problem is the mask in the ACL. It says the mask for user, group or default shown shows the maximum permissions allowed. Even when set higher the mask downgrades the permissions to what the mask allows. OK so how to change the mask and if say I set the mask to rwx, does that make it too open or does the ACL kick in and overrides? Doing more testing creating new files under ../blog/ as the mf.webmaster user belonging to wgmaingrame, I notice the permissions are not correct. More of the effective problem. Directories seem to be fine though. March 13, 2013 Notice that the mask also changed from r-x to rwx. This might be the key. Actually more test shows a copy of some default created folders and files still has problem and it points to "cp -R" with the "-R" or "-r" both being problems by not respecting ACLs or bringing in the default unix permissions as the problem. |
Further Refine File Permissions
Here are how the file permissions will look,
Directory | Purpose | user:group:other | ACL Group | Default ACL Group | Tech Notes |
---|---|---|---|---|---|
dailyplanet.com/blog/ |
rwX:r-X:--- | Inherited | Inherited |
dailyplanet.com/blog/wp-content |
Inherited | Inherited. with, default:group:www-data:rwX | Inherited with, default:group:www-data:rwX | www-data needs full access to download and install plugins and themes. |
To setup these permissions with ACLs as a staff user,
...
The ACLs ensures that WordPress can install plugins and themes.
Configure MySQL
Secure MySQL
As a staff user run the Secure Installation script included with MySQL,
...
For now that's it to securing MySQL.
Connect
Connect into MySQL,
Code Block | ||
---|---|---|
| ||
mysql -u root -p |
...
The remainder of this section happens inside of the mysql shell.
Create the WordPress Database and Accounts in MySQL
List the databases to makes sure what you want to create does not already exists,
...
Tip |
---|
Database Admins will not like granting all privileges. After the initial setup is done we will restrict to more minimal privileges. |
Exit MySQL Shell
Exit the MySQL shell,
Code Block | ||
---|---|---|
| ||
EXIT |
Configure WordPress
Create Config File for Database Access
Launch a browser and hit the WordPress setup page for your machine at http://dailyplanet.com/blog/wp-admin/install.php and you will be prompted to create a configuration file.
...
Enter the required information and click "Submit",
Field | Value | Comment |
---|---|---|
Database Name | wpdailyplanetdb | The Bonsai Framewok appraoch is to base the user name on the site's primary domain name. |
User Name | wpdpdbuser |
Password |
This is the application password set during the wpdailyplanetdb database creation step. | ||
Database Host | localhost | Address of the database server. In this example, the database is on the same server so use localhost is used. |
Table Prefix | bf_ | The Bonsai Framework approach generally does not encourage changing an application's table prefix. However, given the architecture of WordPress and popularity it is recommended to change the prefix to something other than wp_ to make the system less susceptible to attacks. |
It is expected that you will receive a message that WordPress can not write the wp-config file and the following prompt will appear on screen,
...
Finally enter the site information,
Field | Value | Comment |
---|---|---|
Site Title | dailyplanet | We like to reference our domain name. |
Username | tempadmin | You probably do not want to use the default admin for username. WordPress (as of Sep 2012) out of the box, has no facilities to stop dictionary attacks against the administration system. Admin will be the first username guessed by automated attacks. Because the username put here will show up in the default site generated, this will be a temporary administrator account. |
Password |
As mentioned, WordPress has no facilities to stop dictionary attacks. On top of that, the default setup exposes your administrator account name on the Internet. Choose a very very long and complex password. (Anyone know of a good site that shows how quickly an entered password would be broken with a dictionary attack, put the link here) | |
Your E-mail |
Whatever email is chosen here, it will not be the final one used by the real administrator account. Keeping in mind that WordPress does not allow duplicate emails, in this example, the administrator will use a personal email and then use a proper email account when the real administrator account is created. | |
Privacy |
This depends on the purpose of your website. Unless this is a private site that should not show up on Google, leave it checked. |
Click, "Install WordPress" which should result in a success screen. At this point you are actually done the setup. Do not click "Log In".
Customize WordPress
At this point WordPress is already working. There are two urls to take note of,
URL | Area | Purpose |
---|---|---|
http://www.dailyplanet.com/blog/ | Public | You can hit this url right now and see a default working site. This url is where your users will enter. |
http://www.dailyplanet.com/blog/wp-admin/ | Administration | This url results from clicking the "Log In" button after the WordPress install is complete. It can also be accessed through the Public homepage by click "Log In" located at the bottom right under "META". The Administration area allows the customization and configuration of WordPress. Also, once logged into the administration, if you browse to the public area, you will see additional buttons and options to create posts and edit the website contents. |
If you have the Install WordPress Success Screen still up, click "Log In" will take you to the Word Press Administration url or use the url in the table above.
Minimal Security - Block Login Attacks
WordPress out of the box can be easily broken into with a brute force dictionary attack for the following combined reasons,
...
Install one of these plugins.
Plugin | Description | Review |
---|---|---|
Google Authenticator | The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on your Gmail or Google Apps account. The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts. If You need to maintain your blog using an Android/iPhone app, or any other software using the XMLRPC interface, you can enable the App password feature in this plugin, but please note that enabling the App password feature will make your blog less secure. | Very good plugin. Tricky part is making sure time is synced with same time servers across the phone and server. For example, my iphone was off by 2 minutes because it was set manually to Toronto. Best thing to do is turn on the 4 minute drift allowance. When setting the password make sure there are no spaces otherwise the barcode will not work. |
Duo Two-Factor Authentication | This plugin enables Duo Security's two-factor authentication for WordPress logins. Duo provides simple two-factor authentication as a service via:
This plugins allows a WordPress administrator to quickly add strong two-factor authentication to any WordPress instance without setting up user accounts, directory synchronization, servers, or hardware. | Free signup but it looks like only 1000 transactions for the life of the account. Looks very professional. |
BAW More Secure Login | Grid Cards |
Login Security Solution | Most useful feature I find when used with Google Authenticator is that it blocks user for x number of minutes progressively more as more attempts are tried. Also blocks by cookie and ip. |
Should have link to how to ssh in to disable plugins if they misbehave.
Set Up Users
The default user created is an administrator and has more privileges than necessary. The very first step is to create users with specific roles provided by WordPress. The roles are outlined below in order of most privileges to least.
Keep in mind that when creating accounts, Wordpress requires unique email addresses.
Role | Description | UserName |
---|---|---|
Administrator | Administrators have access to all the administration features. | setupadmin |
Editor | Editors can publish posts, manage posts as well as manage other people’s posts, etc. | perrywhite |
Author | Authors can publish and manage their own posts, and are able to upload files. | clarkkent, loislane |
Contributor | Contributors can write and manage their posts but not publish posts or upload media files. | jimmyolsen |
Subscriber | Subscribers can read comments/comment/receive newsletters, etc. but cannot create regular site content. | lexluthor |
(explain why we do not use the first admin account we created) Creat the real administrator account,
Field | Value | Comment |
---|---|---|
Site Title | dailyplanet | We like to reference our domain name. |
Username | setupadmin | This will be the real administration account. Steps to delete tempadmin will follow shortly. |
Password |
As mentioned, WordPress has no facilities to stop dictionary attacks. On top of that, the default setup exposes your administrator account name on the Internet. Choose a very very long and complex password. (Anyone know of a good site that shows how quickly an entered password would be broken with a dictionary attack, put the link here) | ||
Your E-mail | admin@bonsaiframework.com | If there is more than one administrator, you should have a general support email box that only administrators have access to. This email address will be used for password recovery purposes. |
...
Warning |
---|
Past this point is not yet organized or complete. |
Lock Down WordPress
WordPress and PHP simply due to the model is inherently insecure when compared to more Enterprise solutions.
...
Warning |
---|
WordPress updates through the built in admin interface will fail unless the restrictions are relaxed. With this security approach, privileges must be temporarily be granted as part of the upgrade process. |
Restrict WordPress Database Account
Now that WordPress is setup we can lock down the application database account. As part of good application security, the WordPress application database account should only be granted minimal privileges. Note that during upgrades you will have to increases privileges again.
...
Warning |
---|
This point onwards still needs to be flushed out. |
File Permissions
From the WordPress article Hardening WordPress we will want to take the approach of creating accounts for select developers or release managers.
...
Note |
---|
Covered on the Ubuntu WordPress guide, for automatic updates to occur, the folder and all its files and sub-folders must be owned by www-data with write access. The Bonsai Framework does not endorse this approach. Client administering the WordPress requiring this functionality should understand the security implications. |
...
Writing Next Topics
- Repeat for the second instance.
- Upgrades and Updates
FAQ
Why do some of the php5 installations say to use install libapache2-mod-php5?
...
Nothing I can see. It just looks like php5 is an overarching package name.
References
Setup
Ubuntu Server Documentation - https://help.ubuntu.com/12.04/serverguide/php5.html
Security
Has some ok details around suPHP - https://help.ubuntu.com/community/ApacheMySQLPHP#Installing_MYSQL_with_PHP_5
...