Protecting Plone From The Big, Bad Internet

Steve McMahon, Reid-McMahon, LLC
Erik Rose, WebLion, Pennsylvania State University
<SteveM>
CVE Vulnerability Records
Common Vulnerabilities & Exposures
So, why worry?
<Basics>
Defense in Depth
Single Wall Defense
Maginot Line
Failure of single wall defense
Proposition: Zope is our Maginot Line
CVE-2007-5741
Original release date: 11/07/2007
Last revised: 09/05/2008
Source: US-CERT/NIST

Overview

Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
Principle of Least Privileges
</Basics>
Daemon Security
No Rights
Bad Example: Sendmail (1990s)
[Diagram: Sendmail architecture. A single Sendmail process (running with root privileges) takes mail from the network and delivers it to the network, to |command or to /file/name (the latter two named in ~/.forward files and in /etc/aliases); local submission goes through /bin/mail (also root), which is executed as the recipient; local delivery writes a mailbox file owned by the recipient.]
Good Example: Postfix
Compartmentalization
[Diagram: Postfix architecture. The Internet-facing smtpd server and the smtp client run unprivileged, as does the pickup daemon that takes local submission; mail moves between stages through queue directories; only local delivery (to mailbox, |command or /file/name) and delivery to external transports (uucp, fax, pager) run privileged; other programs run with postfix privilege. The legend distinguishes root privilege from postfix privilege.]
<Implementation>
<File & Process>
Typical Installation
[Diagram: the process runs as UID Plone, and ./var, ./logs, ./parts and every *.pyc are owned by Plone as well.]
Why is that so bad?
Daemon can write into its own code space.
A Better Way
[Diagram: the process still runs as UID Plone, but ./parts and all *.py* files are owned by root; only ./var and ./logs are owned by Plone.]
Making it happen
Python-2.4/lib/python2.4/compileall.py

Via buildout:

[precompile]
recipe = plone.recipe.precompiler
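Once the tree has been precompiled and handed to root, the state worth checking is that the daemon's UID can no longer touch any code file or the directory holding it. The walker below is an added example (not from the slides, not part of plone.recipe.precompiler) that audits an instance tree for exactly that; the daemon UID/GIDs are parameters, and build_sample_tree() is a constructed fixture standing in for ./parts.

```python
"""Audit a Plone/Zope instance tree for code the daemon could modify.

Added example, not from the slides or from plone.recipe.precompiler: after
compileall has run as root, every .py/.pyc/.pyo under ./parts, and every
directory holding them, should be unwritable by the daemon's UID.  This
walker reports anything the daemon owns, anything world-writable and
anything group-writable by one of the daemon's groups.  The daemon UID and
GIDs are parameters; build_sample_tree() builds a constructed fixture.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Set

CODE_SUFFIXES = (".py", ".pyc", ".pyo")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _why_writable(st: os.stat_result, uid: int, gids: Set[int]) -> str:
    """Explain how uid/gids could write this inode, or '' if they cannot.

    Ownership alone is a finding: an owner can chmod a file back to
    writable, so a root-owned 0644 file is the only really safe state.
    """
    if st.st_uid == uid:
        return "owned by the daemon uid"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid in gids:
        return "group-writable by a daemon group"
    return ""


def audit_code_tree(root: str, daemon_uid: int,
                    daemon_gids: Iterable[int] = ()) -> List[Finding]:
    """Return every directory or code file under root the daemon could change."""
    gids = set(daemon_gids)
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        why = _why_writable(os.lstat(dirpath), daemon_uid, gids)
        if why:
            # A writable directory lets the daemon add or replace files
            # next to root-owned ones, so it counts even if every file is fine.
            findings.append(Finding(dirpath, "directory " + why))
        for name in filenames:
            if not name.endswith(CODE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append(Finding(path, "symlink in code tree"))
                continue
            why = _why_writable(st, daemon_uid, gids)
            if why:
                findings.append(Finding(path, why))
    return findings


def build_sample_tree() -> dict:
    """Constructed fixture: a tiny ./parts with one good file and one bad one."""
    root = tempfile.mkdtemp(prefix="plone-audit-")
    pkg = os.path.join(root, "parts", "pkg")
    os.makedirs(pkg)
    paths = {
        "root": root,
        "good": os.path.join(pkg, "good.py"),
        "bad": os.path.join(pkg, "bad.pyc"),
        "other": os.path.join(pkg, "notes.txt"),
    }
    for key in ("good", "bad", "other"):
        with open(paths[key], "w"):
            pass
    for d in (root, os.path.join(root, "parts"), pkg):
        os.chmod(d, 0o755)
    os.chmod(paths["good"], 0o644)   # what a root-owned, precompiled file looks like
    os.chmod(paths["bad"], 0o666)    # the kind of file a 'Typical Installation' leaves
    os.chmod(paths["other"], 0o666)  # not code, so not reported
    return paths


if __name__ == "__main__":
    sample = build_sample_tree()
    # Assumption for the demo: the daemon is some account other than the
    # one running this script, so only mode bits can give it access.
    for finding in audit_code_tree(sample["root"], daemon_uid=os.getuid() + 1):
        print(finding.reason, finding.path)
```

Run it against the real instance with the daemon's actual UID and GIDs (e.g. the ones the process runs under in the ZEO layout) rather than the demo fixture.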
Even Better: ZEO
[Diagram: the ZEO client runs as UID zclient and owns ./client-log; ./parts is owned by root; the ZEO server runs as UID zeo and owns ./var.]
Windows
</File & Process>
</Implementation>
</SteveM>
<Port Security>
Reverse Proxy
[Diagram, built up over four slides: the Evil, Monstrous Internet first talks straight to Zope; then Apache sits between them as a reverse proxy; then Apache also terminates SSL.]
Listen Locally
[Diagram: Zope on port 8080 behind Apache; Zope accepts connections from the loopback interface only.]

zope.conf:
ip-address 127.0.0.1

ssh -L 3333:127.0.0.1:8080 fred@example.com -N

[Diagram: ZEO on port 8100 behind Zope, likewise bound to loopback only.]

zeo.conf:
address 127.0.0.1:8100
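The two directives above are easy to get subtly wrong (a commented-out ip-address, an address line that carries no host), so it helps to have something that reads the configs the way Zope and ZEO do and says which listeners are reachable from off-host. This checker is an added example, not code from the slides or from Zope; it understands only the directives shown here (ip-address, the http-server address and the zeo address), IPv4 only, and the four config fragments are constructed samples.

```python
"""Check whether Zope's and ZEO's listeners are bound to loopback only.

Added example, not from the slides or from Zope: a small checker for the
two directives the slides change, `ip-address` in zope.conf and `address`
in zeo.conf.  It knows only those directives (plus the http-server
`address`, which may carry its own host), not the full ZConfig grammar,
and handles IPv4 only.  The four config fragments are constructed samples.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed samples: the out-of-the-box binds, then the loopback-only ones.
ZOPE_CONF_OPEN = """
instancehome $INSTANCE
# ip-address not set: Zope binds every interface
<http-server>
  address 8080
</http-server>
"""
ZOPE_CONF_LOCAL = """
instancehome $INSTANCE
ip-address 127.0.0.1
<http-server>
  address 8080
</http-server>
"""
ZEO_CONF_OPEN = """
<zeo>
  address 8100
</zeo>
"""
ZEO_CONF_LOCAL = """
<zeo>
  address 127.0.0.1:8100
</zeo>
"""

# (host, or None for all interfaces; port; loopback_only)
Listener = Tuple[Optional[str], int, bool]


def directive(conf: str, name: str) -> Optional[str]:
    """Value of the first uncommented `name value` line, or None if absent."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == name:
            return parts[1].strip()
    return None


def split_host_port(value: str, default_host: Optional[str]) -> Tuple[Optional[str], int]:
    """'host:port' -> (host, port); a bare 'port' -> (default_host, port)."""
    if ":" in value:
        host, port = value.rsplit(":", 1)
        return (host or default_host), int(port)
    return default_host, int(value)


def is_loopback_only(host: Optional[str]) -> bool:
    """True only if the bind address cannot be reached from another host."""
    if host is None:                  # no address given: all interfaces
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                # a hostname we cannot resolve offline
        return False


def listener_exposure(zope_conf: str, zeo_conf: str) -> Dict[str, Listener]:
    """Resolve both listeners the way Zope and ZEO read their configs."""
    default_host = directive(zope_conf, "ip-address")   # applies to every server
    zope_host, zope_port = split_host_port(
        directive(zope_conf, "address") or "8080", default_host)
    zeo_host, zeo_port = split_host_port(
        directive(zeo_conf, "address") or "8100", None)
    return {
        "zope": (zope_host, zope_port, is_loopback_only(zope_host)),
        "zeo": (zeo_host, zeo_port, is_loopback_only(zeo_host)),
    }


def exposed(zope_conf: str, zeo_conf: str) -> List[str]:
    """Names of the listeners an off-host client could reach."""
    return [name for name, (_host, _port, local)
            in listener_exposure(zope_conf, zeo_conf).items() if not local]


if __name__ == "__main__":
    print("open configs expose:", exposed(ZOPE_CONF_OPEN, ZEO_CONF_OPEN))
    print("local configs expose:", exposed(ZOPE_CONF_LOCAL, ZEO_CONF_LOCAL))
```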
Untrusted Local Users
[Diagram: Your Server runs Zope (81) and ZEO (8100). Binding to loopback keeps the Internet out, but Evil Dude, an untrusted local user on the same server, can still connect to both ports. The owner match restricts loopback connections to the account that should be making them.]

iptables -A OUTPUT -p tcp --dport 81 -o lo \
    -m owner ! --uid-owner www-data -j REJECT

iptables -A OUTPUT -p tcp --dport 8100 -o lo \
    -m owner ! --uid-owner zope -j REJECT
Privileged Ports
[Diagram, built up over several slides: Your Server runs Zope (8080) and ZEO (8100). When the real Zope is gone, Evil Dude, a local user, starts an Evil Zope that also listens on 8080, because 8080 is an unprivileged port that any account may bind.]
</Port Security>
<Within Zope>
PluggableAuthService (PAS)
WebServerAuth
a PluggableAuthService plugin

Redirects to HTTPS
(Challenge)

Makes Zope believe the username header
(Extraction, Authentication)

Makes PAS behave
(User Enumerator)
WebServerAuth
a PluggableAuthService plugin

<VirtualHost *:443>
  ServerName www.example.com

  # Prompt for authentication:
  <Location />
    SSLRequireSSL
    AuthType Basic
    AuthName "My Funky Web Site"
    AuthUserFile /etc/such-and-such
    # (etc.)
    Require valid-user

    # Put the username (stored below) into the HTTP_X_REMOTE_USER
    # request header. This has to be in the <Location> block for
    # some Apache auth modules, such as PubCookie, which don't set
    # REMOTE_USER until very late.
    RequestHeader set X_REMOTE_USER %{remoteUser}e
  </Location>

  # Do the typical VirtualHostMonster rewrite, adding an E= option
  # that puts the Apache-provided username into the remoteUser
  # variable.
  RewriteEngine On
  RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</VirtualHost>

<VirtualHost *:80>
  ...
  RequestHeader unset X_REMOTE_USER
  ...
</VirtualHost>
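The plugin works because Zope only ever sees X_REMOTE_USER values that Apache itself put there, which is why the single unset line on the port-80 vhost matters as much as the set on 443. The model below is an added example (not code from the slides or from WebServerAuth) that replays what each vhost does with the header and what a header-trusting extraction plugin then sees; the request dictionaries are constructed samples and unset_on_http is a knob for showing the vhost with the unset line missing.

```python
"""Model of the WebServerAuth trust boundary in the Apache config above.

Added example, not from the slides or from WebServerAuth: replays what the
two virtual hosts do with the X_REMOTE_USER header and what a plugin that
'believes the username header' then sees.  Header name, ports and
directives come from the slides; the request dictionaries are constructed
samples and `unset_on_http` is a knob for showing the misconfigured vhost.
"""
from typing import Dict, Optional

USER_HEADER = "X_REMOTE_USER"


def apache_forward(port: int, client_headers: Dict[str, str],
                   authenticated_user: Optional[str],
                   unset_on_http: bool = True) -> Optional[Dict[str, str]]:
    """Headers Apache proxies to Zope, or None if the request never gets there.

    443: `Require valid-user` rejects unauthenticated requests before the
         proxy runs; for the rest, E=remoteUser:%{LA-U:REMOTE_USER} plus
         `RequestHeader set X_REMOTE_USER %{remoteUser}e` overwrites
         whatever the client sent with the name Apache itself verified.
    80:  `RequestHeader unset X_REMOTE_USER` strips the client's value, so
         Zope sees no username at all on plain HTTP.
    """
    # Apache matches header names case-insensitively; normalise once.
    headers = {name.upper(): value for name, value in client_headers.items()}
    if port == 443:
        if authenticated_user is None:
            return None                 # Apache answers 401 itself
        headers[USER_HEADER] = authenticated_user
    elif port == 80:
        if unset_on_http:
            headers.pop(USER_HEADER, None)
    else:
        raise ValueError("no vhost for port %d" % port)
    return headers


def zope_extract_user(proxied: Optional[Dict[str, str]]) -> Optional[str]:
    """The Extraction step: the header is trusted because only Apache sets it."""
    if proxied is None:
        return None
    return proxied.get(USER_HEADER)


if __name__ == "__main__":
    # Constructed sample: a client that supplies the header on its own.
    client = {"Host": "www.example.com", "x_remote_user": "admin"}
    print("port 80, unset present :", zope_extract_user(apache_forward(80, client, None)))
    print("port 80, unset missing :", zope_extract_user(apache_forward(80, client, None, False)))
    print("port 443, Apache says fred:", zope_extract_user(apache_forward(443, client, "fred")))
```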
LDAP
PloneLDAP + plone.app.ldap

Users & groups in LDAP
Create & delete through Plone
Relax—written by Wiggy
Writing PAS Plugins

PAS Reference Manual
http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages

NoGoChallenger
https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk

PASPlugins folder
https://svn.plone.org/svn/collective/PASPlugins

Plugin interfaces
PluggableAuthService/interfaces/plugins.py

Paster template
paster create -t plone_pas
Questions?
Steve McMahon, Steve@dcn.org
Erik Rose, ErikRose@psu.edu

Image Credits
• Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
• Gate: Nuclear Power Plant Dungeness - Corey Holms 2008, CC Attribution
• Locks on door: Kansir, Flickr, CC Attribution license
• What me worry? Rev. Voodoo, Flickr, CC Attribution, NC
• BSD Daemon: Created by Poul-Henning Kamp
• No Right Turn: greefus groinks' photostream, CC Attribution
• Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
• The Scream: Edvard Munch
• Shrug: spamily, Flickr, CC by A
• Zope Pope photo: MrTopf
• PB&J photo: Northern Miniatures
• Other photos: Wikimedia Commons
• INTERCAL Numerical I/O lib: Brian Raiter
• Crown jewels of Denmark: King Christian IV
References
• Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key
• https://weblion.psu.edu/wiki/SecureZope
WebServerAuth
Advantages over apachepas + AutoMemberMaker

  Redirects to HTTPS
  No user clutter
  Member and Authenticated roles are distinct
  Sets up Log In link for you
  Better test coverage; death to doctests
  One product, not two

Mais conteúdo relacionado

Mais procurados

SD, a P2P bug tracking system
SD, a P2P bug tracking systemSD, a P2P bug tracking system
SD, a P2P bug tracking system
Jesse Vincent
 
Advances in Network-adaptive Video Streaming
Advances in Network-adaptive Video StreamingAdvances in Network-adaptive Video Streaming
Advances in Network-adaptive Video Streaming
Videoguy
 

Mais procurados (19)

Matrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x seriesMatrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x series
 
XMPP 101
XMPP 101XMPP 101
XMPP 101
 
Open Source Debugging v1.3.2
Open Source Debugging v1.3.2Open Source Debugging v1.3.2
Open Source Debugging v1.3.2
 
Tftp errors
Tftp errorsTftp errors
Tftp errors
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
 
ExaBGP at LINX 83
ExaBGP at LINX 83ExaBGP at LINX 83
ExaBGP at LINX 83
 
Services
ServicesServices
Services
 
SD, a P2P bug tracking system
SD, a P2P bug tracking systemSD, a P2P bug tracking system
SD, a P2P bug tracking system
 
Advances in Network-adaptive Video Streaming
Advances in Network-adaptive Video StreamingAdvances in Network-adaptive Video Streaming
Advances in Network-adaptive Video Streaming
 
Client server
Client serverClient server
Client server
 
Making asterisk feel like home outside north america
Making asterisk feel like home outside north americaMaking asterisk feel like home outside north america
Making asterisk feel like home outside north america
 
Virtual net performance
Virtual net performanceVirtual net performance
Virtual net performance
 
Why Erlang? - Bar Camp Atlanta 2008
Why Erlang?  - Bar Camp Atlanta 2008Why Erlang?  - Bar Camp Atlanta 2008
Why Erlang? - Bar Camp Atlanta 2008
 
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
XMPP Intro - The camp2012
XMPP Intro - The camp2012XMPP Intro - The camp2012
XMPP Intro - The camp2012
 
OpenStack networking juno l3 h-a, dvr
OpenStack networking   juno l3 h-a, dvrOpenStack networking   juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvr
 
Mpeg For The Media Sonic Players
Mpeg For The Media Sonic PlayersMpeg For The Media Sonic Players
Mpeg For The Media Sonic Players
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.
 

Destaque (8)

The Business Concept of Future Firm_Italy
The Business Concept of Future Firm_ItalyThe Business Concept of Future Firm_Italy
The Business Concept of Future Firm_Italy
 
Migrants and crimes in Europe
Migrants and crimes in EuropeMigrants and crimes in Europe
Migrants and crimes in Europe
 
De Paddenstoelen Van Kabouter Drop
De Paddenstoelen Van Kabouter DropDe Paddenstoelen Van Kabouter Drop
De Paddenstoelen Van Kabouter Drop
 
Robinson 2008
Robinson 2008Robinson 2008
Robinson 2008
 
Bunny story
Bunny storyBunny story
Bunny story
 
Management in Italy school
Management in Italy schoolManagement in Italy school
Management in Italy school
 
Mn Vriendje
Mn VriendjeMn Vriendje
Mn Vriendje
 
WebLion Hosting Lightning Talk
WebLion Hosting Lightning TalkWebLion Hosting Lightning Talk
WebLion Hosting Lightning Talk
 

Semelhante a Protecting Plone from the Big, Bad Internet

Hacking Robotics(English Version)
Hacking Robotics(English Version)Hacking Robotics(English Version)
Hacking Robotics(English Version)
Kensei Demura
 
Building a moat bastion server
Building a moat   bastion serverBuilding a moat   bastion server
Building a moat bastion server
nseemiller
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
Dan Kaminsky
 
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner)
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner) Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner)
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner)
Puppet
 
Oscar: Rapid Iteration with Vagrant and Puppet Enterprise - PuppetConf 2013
Oscar: Rapid Iteration with Vagrant and Puppet Enterprise - PuppetConf 2013Oscar: Rapid Iteration with Vagrant and Puppet Enterprise - PuppetConf 2013
Oscar: Rapid Iteration with Vagrant and Puppet Enterprise - PuppetConf 2013
Puppet
 
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
faker1842002
 

Semelhante a Protecting Plone from the Big, Bad Internet (20)

Network and DNS Vulnerabilities
Network and DNS VulnerabilitiesNetwork and DNS Vulnerabilities
Network and DNS Vulnerabilities
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
I Pv6 Cyber Criminal Opportunities 05
I Pv6 Cyber Criminal Opportunities 05I Pv6 Cyber Criminal Opportunities 05
I Pv6 Cyber Criminal Opportunities 05
 
Hacking Robotics(English Version)
Hacking Robotics(English Version)Hacking Robotics(English Version)
Hacking Robotics(English Version)
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
 
Building a moat bastion server
Building a moat   bastion serverBuilding a moat   bastion server
Building a moat bastion server
 
Simplest-Ownage-Human-Observed… - Routers
 Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 
Ltsp talk
Ltsp talkLtsp talk
Ltsp talk
 
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner)
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner) Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner)
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner)
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditions
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norway
 
Tech f42
Tech f42Tech f42
Tech f42
 
Using routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter HesslerUsing routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter Hessler
 
Oscar: Rapid Iteration with Vagrant and Puppet Enterprise - PuppetConf 2013
Oscar: Rapid Iteration with Vagrant and Puppet Enterprise - PuppetConf 2013Oscar: Rapid Iteration with Vagrant and Puppet Enterprise - PuppetConf 2013
Oscar: Rapid Iteration with Vagrant and Puppet Enterprise - PuppetConf 2013
 
SING
SING SING
SING
 
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
 
08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
 

Mais de Erik Rose

Es part 2 pdf no build
Es part 2 pdf no buildEs part 2 pdf no build
Es part 2 pdf no build
Erik Rose
 
Django’s nasal passage
Django’s nasal passageDjango’s nasal passage
Django’s nasal passage
Erik Rose
 

Mais de Erik Rose (8)

Fathom Overview and Future, San Francisco 2018
Fathom Overview and Future, San Francisco 2018Fathom Overview and Future, San Francisco 2018
Fathom Overview and Future, San Francisco 2018
 
What happens when firefox crashes?
What happens when firefox crashes?What happens when firefox crashes?
What happens when firefox crashes?
 
Poetic APIs
Poetic APIsPoetic APIs
Poetic APIs
 
Es part 2 pdf no build
Es part 2 pdf no buildEs part 2 pdf no build
Es part 2 pdf no build
 
Fluid, Fluent APIs
Fluid, Fluent APIsFluid, Fluent APIs
Fluid, Fluent APIs
 
Django’s nasal passage
Django’s nasal passageDjango’s nasal passage
Django’s nasal passage
 
Stackful
StackfulStackful
Stackful
 
WebLion Hosting: Leveraging Laziness, Impatience, and Hubris
WebLion Hosting: Leveraging Laziness, Impatience, and HubrisWebLion Hosting: Leveraging Laziness, Impatience, and Hubris
WebLion Hosting: Leveraging Laziness, Impatience, and Hubris
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Protecting Plone from the Big, Bad Internet

  • 1. Protecting Plone From The Big, Bad Internet. Steve McMahon, Reid-McMahon, LLC; Erik Rose, WebLion, Pennsylvania State University
  • 4. CVE Vulnerability Records Common Vulnerabilities & Exposures
  • 19. Failure of single wall defense
  • 21. Proposition: Zope is our Maginot Line
  • 22. CVE-2007-5741 (original release date: 11/07/2007; last revised: 09/05/2008; source: US-CERT/NIST). Overview: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
  • 23. Principle of Least Privileges
  • 29. Bad Example: Sendmail (1990s). Architecture diagram with these labels: from network → Sendmail* → to network, to |command**, to /file/name**; local submission → /bin/mail* (executed as recipient) → local delivery → mailbox file (owned by recipient). Legend: * uses root privileges; ** targets taken from ~/.forward files and from /etc/aliases.
  • 30. Good Example: Postfix Compartmentalization. Architecture diagram with these labels: smtp client and smtpd server facing the internet; pickup (local submission); queue directories; local delivery to mailbox, |command and /file/name; other programs; external transports (uucp, fax, pager). The network-facing daemons and the delivery agents are each marked unprivileged; the legend distinguishes the few components with root privilege from those with postfix privilege.
  • 33. <Implementation> <File & Process>
  • 34. Typical Installation. Process UID: Plone. File owner of ./var, ./logs, ./parts and the *.pyc files: Plone.
  • 36. Why is that so bad? The daemon can write into its own code space.
  • 38. A Better Way. Process UID: Plone. ./parts and *.py* owned by root; ./var and ./logs owned by Plone.
  • 40. Making it happen. With ./parts owned by root the daemon can no longer write *.pyc files at import time, so compile them in advance: Python-2.4/lib/python2.4/compileall.py, or via buildout:
    [precompile]
    recipe = plone.recipe.precompiler
  • 41. Even Better: ZEO. Two process UIDs: zclient (ZEO client) and zeo (ZEO server). File owners: ./client-log owned by zclient; ./parts owned by root; ./var owned by zeo.
  • 45. </File & Process> </Implementation> </SteveM>
  • 47. Reverse Proxy. The Evil, Monstrous Internet reaches Zope only through Apache, which also terminates SSL.
  • 51. Listen Locally. Zope listens on port 8080 on the loopback interface only, so only Apache on the same host can reach it. zope.conf: ip-address 127.0.0.1
  • 54. Listen Locally. To reach the loopback-only port from elsewhere, tunnel over SSH: ssh -L 3333:127.0.0.1:8080 fred@example.com -N
  • 55. Listen Locally, ZEO. The ZEO server likewise listens on port 8100 on loopback only. zeo.conf: address 127.0.0.1:8100
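As an added example (not from the slides), a POSIX shell audit that checks a buildout against the File & Process recommendations above (nothing under ./parts writable by the daemon's UID) and the Listen Locally settings (zope.conf ip-address and zeo.conf address bound to 127.0.0.1). The parts/instance/etc and parts/zeoserver/etc paths and the sample tree are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: audit a Plone buildout tree against the
# two recommendations above. Assumed conventional layout: parts/instance/etc/zope.conf
# and parts/zeoserver/etc/zeo.conf; the sample tree is constructed for the demo.

# check_listen_local CONF KEY: succeed only if CONF has at least one "KEY value"
# line and every value is 127.0.0.1 or 127.0.0.1:PORT. A missing key or a bare
# port (e.g. "address 8100") means "all interfaces", so both fail.
check_listen_local() {
    vals=$(sed 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2 }')
    [ -n "$vals" ] || return 1
    for v in $vals; do
        case $v in
            127.0.0.1|127.0.0.1:[0-9]*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_code_readonly DIR UID: succeed only if nothing under DIR is owned by the
# daemon's numeric UID or is world-writable, i.e. the daemon cannot rewrite its
# own code (compile the .pyc files ahead of time instead, as the slides suggest).
check_code_readonly() {
    bad=$(find "$1" \( -uid "$2" -o -perm -o+w \) -print 2>/dev/null | head -n 1)
    [ -z "$bad" ]
}

# make_sample_tree: constructed buildout skeleton with the weak ZEO binding from
# the slides' "before" state; prints its path. Permissions are normalised so the
# demo does not depend on the caller's umask.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/parts/instance/etc" "$d/parts/zeoserver/etc" "$d/var"
    printf 'ip-address 127.0.0.1\n<http-server>\n  address 8080\n</http-server>\n' \
        > "$d/parts/instance/etc/zope.conf"
    printf '<zeo>\n  address 8100\n</zeo>\n' > "$d/parts/zeoserver/etc/zeo.conf"
    chmod -R go-w "$d"
    echo "$d"
}

# Stand-alone demo: run the checks with the current user standing in for "plone".
d=$(make_sample_tree)
check_listen_local "$d/parts/instance/etc/zope.conf" ip-address && echo "zope.conf: loopback only"
check_listen_local "$d/parts/zeoserver/etc/zeo.conf" address || echo "zeo.conf: set address 127.0.0.1:8100"
check_code_readonly "$d/parts" "$(id -u)" || echo "parts/: owned by the daemon uid, chown to root"
rm -rf "$d"
```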
  • 60. Untrusted Local Users. On your server Zope (81) and ZEO (8100) listen on loopback only, but an Evil Dude with a local account can still connect to them. Restrict loopback connections to the owning UIDs with iptables:
    iptables -A OUTPUT -p tcp --dport 81 -o lo -m owner ! --uid-owner www-data -j REJECT
    iptables -A OUTPUT -p tcp --dport 8100 -o lo -m owner ! --uid-owner zope -j REJECT
  • 67. Privileged Ports. Zope (8080) and ZEO (8100) on your server.
  • 69. Privileged Ports. If the Zope process exits, only ZEO (8100) remains and port 8080 is free.
  • 70. Privileged Ports. An Evil Dude with a local account can then start an Evil Zope on the same port (also 8080) and take the traffic meant for the real one; any unprivileged user can bind a port above 1023, whereas ports below 1024 can only be bound by root.
  • 76. WebServerAuth, a PluggableAuthService plugin:
    • Redirects to HTTPS (Challenge)
    • Makes Zope believe the username header (Extraction, Authentication)
    • Makes PAS behave (User Enumerator)
  • 80. WebServerAuth, a PluggableAuthService plugin. Apache configuration:
    <VirtualHost *:443>
        ServerName www.example.com
        # Prompt for authentication:
        <Location />
            SSLRequireSSL
            AuthType Basic
            AuthName "My Funky Web Site"
            AuthUserFile /etc/such-and-such
            # (etc.)
            Require valid-user
            # Put the username (stored below) into the HTTP_X_REMOTE_USER
            # request header. This has to be in the <Location> block for
            # some Apache auth modules, such as PubCookie, which don't set
            # REMOTE_USER until very late.
            RequestHeader set X_REMOTE_USER %{remoteUser}e
        </Location>
        # Do the typical VirtualHostMonster rewrite, adding an E= option
        # that puts the Apache-provided username into the remoteUser
        # variable.
        RewriteEngine On
        RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
    </VirtualHost>
  • 82. WebServerAuth, a PluggableAuthService plugin. The plain-HTTP virtual host must strip the header so a client cannot supply it:
    <VirtualHost *:80>
        ...
        RequestHeader unset X_REMOTE_USER
        ...
    </VirtualHost>
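The Apache configuration above only stays safe if every virtual host that proxies to Zope either sets X_REMOTE_USER from Apache's authenticated user or unsets it. As an added example (not from the slides or the WebServerAuth product), a shell/awk lint that flags virtual hosts doing neither; the sample configuration and the 127.0.0.1:81 proxy target used to recognise a Zope vhost are assumptions taken from the slides' own rewrite rule.

```shell
#!/bin/sh
# Added example, not from the slides or the WebServerAuth product: an awk lint
# for the header-trust rule. Because Zope believes X_REMOTE_USER, every
# <VirtualHost> that proxies to it (127.0.0.1:81) must either set that header
# from Apache's authenticated user or unset it; one that does neither lets the
# client supply the header itself. The sample config is constructed here.

# lint_remote_user CONF: print the ServerName of each offending vhost and
# succeed only when there are none. Line-based; directives placed outside a
# <VirtualHost> block (server level or Include files) are not followed.
lint_remote_user() {
    awk '
        { l = tolower($0) }
        l ~ /^[ \t]*#/                      { next }        # skip comment lines
        l ~ /^[ \t]*<virtualhost/           { name = "?"; proxies = 0; handled = 0 }
        l ~ /^[ \t]*servername[ \t]/        { name = $2 }
        l ~ /127\.0\.0\.1:81\//             { proxies = 1 } # RewriteRule/ProxyPass to Zope
        l ~ /requestheader[ \t]+(set|unset)[ \t]+x_remote_user/ { handled = 1 }
        l ~ /^[ \t]*<\/virtualhost>/ {
            if (proxies && !handled) { print name; bad++ }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# make_sample_conf: constructed config in the shape of the slides; the port-80
# vhost is missing the "RequestHeader unset" line. Prints the file path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.com
    <Location />
        RequestHeader set X_REMOTE_USER %{remoteUser}e
    </Location>
    RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.com
    # Missing here: RequestHeader unset X_REMOTE_USER
    RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/$1 [L,P]
</VirtualHost>
EOF
    echo "$f"
}

f=$(make_sample_conf)
lint_remote_user "$f" || echo "vhost(s) above proxy to Zope without controlling X_REMOTE_USER"
rm -f "$f"
```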
  • 83. LDAP: PloneLDAP + plone.app.ldap
    • Users & groups in LDAP
    • Create & delete through Plone
    • Relax—written by Wiggy
  • 90. Writing PAS Plugins
    • PAS Reference Manual: http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages
    • NoGoChallenger: https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk
    • PASPlugins folder: https://svn.plone.org/svn/collective/PASPlugins
    • Plugin interfaces: PluggableAuthService/interfaces/plugins.py
    • Paster template: paster create -t plone_pas
  • 95. Questions? Steve McMahon, Steve@dcn.org; Erik Rose, ErikRose@psu.edu
    Image Credits
    • Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
    • Gate: Nuclear Power Plant Dungeness, Corey Holms 2008, CC Attribution
    • The Scream: Edvard Munk
    • Locks on door: Kansir, flikr, CC attribution license
    • Shrug: spamily, flikr, CC by A
    • What me worry? Rev. Voodoo, flikr, CC Attribution, NC
    • Zope Pope photo: MrTopf
    • PB&J photo: Northern Miniatures
    • BSD Daemon: Created by Poul-Henning Kamp
    • Other photos: Wikimedia Commons
    • Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
    • INTERCAL Numerical I/O lib: Brian Raiter
    • No Right Turn: greefus groinks' photostream, CC Attribution
    • Crown jewels of Denmark: King Christian IV
  • 96. References
    • Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key
    • https://weblion.psu.edu/wiki/SecureZope
  • 97. WebServerAuth: advantages over apachepas + AutoMemberMaker
    • Redirects to HTTPS
    • No user clutter
    • Member and Authenticated roles are distinct
    • Sets up the Log In link for you
    • Better test coverage; death to doctests
    • One product, not two