Presentation is loading. Please wait.

Presentation is loading. Please wait.

OPS-11: OpenEdge® and OS Security

Published byOswin Cross Modified over 8 years ago

Similar presentations

Presentation on theme: "OPS-11: OpenEdge® and OS Security"— Presentation transcript:

1 OPS-11: OpenEdge® and OS Security
Gus Björklund Wizard

2 Please interrupt if you have a question.

3 “Be brief, for no discourse can please when too long.”
Miguel de Cervantes

4 “When I try to be brief, I become obscure.”
Quintus Horatius Flaccus

5 Topics Background Starting a Database Server Connecting To a Database
Stopping a Database Database Utilities Advice

6 Background

7 Basic Database Environment
server machine 4gl client 4GL code db files TCP/IP db server(s) remote 4GL apps shared memory space 4gl client 4GL code server client 4GL code other files jvm java code jdbc driver remote Java apps self-serving 4GL apps

8 OpenEdge and OS Security
The OpenEdge RDBMS is architected, designed, and implemented to be installed, started, run, and stopped under the system administrator’s account Security best practices recommend NOT running an application under the system administrator’s account. OpenEdge 4GL applications can and should be run under normal user accounts.

9 Why Run As The System Administrator
The administrator is the 800 lb gorilla in the forest Can control any process (stop, owner, … ) Authenticate to user accounts Ignore resource access controls Ignore process limits Ignore system limits It used to be common to simply run software under the system administrator’s account Access to the system administrator account was given, if not freely, it was given frequently The reason was that no software package required attention to security or system limits Takeaway: Running as the administrator made it “simple” because you didn’t have to know anything, configure anything, or make your application flexible to different configurations 800 lb gorilla

10 Why Not to Run As the System Administrator
Sometimes the forest cannot support an 800 lb gorilla IT denies access to administrator account Prohibited by company policies or standards A non-auditable group account It is dangerous … Bypass system protections Provides limitless hacking opportunities Running as the system administrator has come under increasing scrutiny lately It has always been somewhat dangerous to run as administrator because of bypassing system limit protections More often I hear of problems because people are not given access to the administrator account, but more often because the administrator will no “delegate” their permissions to any application Takeaway: If you can run as the administrator, your life will remain simple; if not then you will need more of the information in this session

11 Comparing UNIX & Windows Administrators
You are: S (Administrators)‏ system-dependent A member of the administrator’s group member of group S user-id = 0 An administrator when SID = S (LOCAL_SYSTEM)‏ N/A The built-in1 system account when SID =S-1-5-domain-500 (Administrator)‏ uid = 0 (superuser2)‏ The administrator when: Windows UNIX Cannot log into built-in Windows accounts superuser is the “root” account on Mac OS X, Linux, and UNIX

12 UNIX and Linux user ID’s
Each process has 6 id’s real user id real group id effective user id effective group id saved user id saved group id Child (fork’ed) processes inherit these

13 UNIX/Linux exec() exec() of a program uses process’ 6 id’s UNLESS
setuid bit of program file is on effective and saved uid set to that of file owner setgid bit of program file is on effective and saved gid set to that of file group Program executes with different privileges than the invoking user NOT the user’s real or effective uid/gid could be higher or lower !

14 UNIX, Linux authorisation and access control
root (superuser), users, groups no-login accounts for daemons, etc. file and directory protection masks (rwx for owner, group, other) access control lists Login authentication (PAM) user name, password or others NIS, LDAP, SecurId, Kerberos, others (custom too) Limits on processes, subprocesses memory (address space, paging space, shared mem) file handles, sockets, etc.

15 Windows authorisation and access control
Same as UNIX, plus Login authentication User-name, Windows domain, password Active Directory, SAM, others Registry Access Control Lists (ACL)‏ Windows Services privileges Windows Services – desktop restrictions Also, like UNIX, limits on file handles, memory, processes, etc.

16 Comparing Access Control Systems
Registry ACLs ----- Windows registry Object ACLs owner, group, other read/write Shared memory File system ACLs owner, group, other rwx permissions, and ACLs File system Service ACLs daemon Windows service Windows UNIX UNIX daemons and Windows services are essentially the same thing

17 UNIX File & Directory access
Set user ID Set group ID Set effective user ID Set effective group ID No effect set new file group ID User read User write User Execute User read User write User execute User read directory User remove/create files User search in PATH Group read Group write Group Execute Group read Group write Group execute Group read directory Group remove/create files Group search in PATH Other read Other write Other Execute Others read Others write Others execute

18 Comparing UNIX & Windows File Access
merged user & group file permissions process effective group id Group read Group write Group execute owner file permissions user id User read User write User execute N/A N/A N/A Others read Others write Others execute Windows UNIX

19 UNIX/Linux Interactive User Login Example
/bin/login PAM Library /etc/pam.conf Local OS LDAP RSA /etc/nsswitch.conf System Library Logging into the OS is one of the most basic things you do Example: bin/login in UNIX Bin/login is a privileged utility that resides in a protected directory space Takeaway: All programs that perform local user authentication have to work within the OS security system, when they use another type they do not NIS databases passwd/ <shadow>

20 Windows Login

21 Windoze Interactive User Login Example
Winlogin GINA .dll Local OS LDAP RSA Registry System Library Logging into the OS is one of the most basic things you do Example: bin/login in UNIX Bin/login is a privileged utility that resides in a protected directory space Takeaway: All programs that perform local user authentication have to work within the OS security system, when they use another type they do not Active Directory SAM

22 Starting a Database Server
(running _mprosrv)

23 OpenEdge Admin Server _mprosrv ubroker (java) _proapsv/ _progress
creates (user connection)‏ AdminServer ubroker (java) creates jvmStart creates nsswitch configuration System Library _proapsv/ _progress OpenEdge does not do user login (as in create an interactive process)‏ OpenEdge does not support all of the native OS’s user authentication facilities OpenEdge does use the Local OS user authentication facilities for: AdminServer user connections Starting application servers (optionally)‏ Takeaway: Because OpenEdge uses only the OS’s built-in user accounts, it must adhere to the restrictions placed on it by the operating system security [Registry] (AppServer)‏ NIS databases passwd/ <shadow> (WebSpeed)‏ [Active Directory] [SAM]

24 Where OpenEdge Uses OS Authentication
Starting the database via the AdminServer Stopping the database via proshut Running audit-enabled database utilities

25 Database Server Has To Be Able To
Load shared libraries Open database files (ai, bi, and data extents) Create or open database .lg file Create shared memory and semaphores Raise its ulimit, ignore process size limit Read, write, expand the files Create and use sockets Spawn subprocesses (servers) Send signals to all connected processes

26 Installed OpenEdge programs
OpenEdge installer is run as root executable files are owned by root Installer turns setuid bit ON for many programs Few actually require it !!! executing a setuid root program such as _mprosrv or _progres causes it to start executing with root’s privileges (uid 0, group 0)

27 Starting the Database Server:
user shell real uid: effective uid: 123 real gid: effective gid: 678 _mprosrv real uid: effective uid: 0 real gid: effective gid: 0 OS System Library _mprosrv set user id: 0 set group id: 0

28 But: IF _mprosrv has Instead of default setuid root:
change to setuid progress (user 233) change to setgid dbadmin (group 543)

29 Starting the Database Server:
when NOT setuid root user shell real uid: effective uid: 123 real gid: effective gid: 678 _mprosrv real uid: effective uid: 233 real gid: effective gid: 543 OS System Library Unix has a unique feature that allows a program to impersonate a user/group and run with that identity’s privileges OpenEdge does not use the set-group-id feature, but I’m including it here for later use The standard OpenEdge install uses this facility on UNIX so that it can run as the system administrator and allow the database to bypass system resource limitations and access When this OS feature is used, it only sets the process’s “effective” user-id and group-ids; the original process user-id remains Basically, anything that can connect to an OpenEdge RDBMS database has the set-user- id feature set When you leave the default installation, these OpenEdge utilities fall into a category of “set-uid-root”. That is, executing the file causes the new process to have the root access. In more and more of today’s world a “set-uid-root” program is not acceptable. Remember that the system administrator owns the system and may not allow your OpenEdge installation to run as root Takeaway: OpenEdge does not certify its programs to hacker-proof, and because OE is not installed into protected system directories, allowing the “set-uid-root” programs to exist constitutes a large risk _mprosrv set user-id: set group-id: 543

30 Starting the Database Server: Database File Access Controls
_mprosrv effective uid: 123 effective gid: 543 OS Security System UNIX Windows ACL: allow user read user write user execute Database Files user-access (123) group-access (555) others-access o:<sid>:<perm…> The first part of security was establishing and controlling the user (process) identity; the second and bigger part is controlling what those process identities can do OS security systems attach access-controls (aka permissions, aka ACLs) to all user accessible objects files shared memory Windows registry Windows services etc 3) Every object has a list of what the owner (account) can do, what the owner’s group can do, and what the user’s secondary groups can do Takeaway: The key to the bulk of security issues is setting the right access controls group read group write group execute g:<sid>:<perm…> g:<sid>:<perm…> g:<sid>:<perm…> other read other write other execute

31 Starting the Database Server: Buffer-pool Access Controls
_mprosrv real uid: 123 .db owner 123 group 555 OS Security System Windows Shared-memory user-access (123) group-access (555)‏ UNIX ACL: allow Shared memory plays a large part in all OpenEdge RDBMS installations Access is controlled by OpenEdge, via the OS’s security system The user access is controlled via the [real] user-id of the database server, the group-id is taken from the database file’s real group-id All access for user and groups are Read-Write Takeaway: The OS’s security system will govern the overall ability to set user & group access, but OpenEdge fills in the values user read user write o:<sid>:<rw> g:<sid>:<rw> group read group write g:<sid>:<rw> g:<sid>:<rw>

32 Starting the Database Server: Changing System File Limits
_mprosrv hard file-size x 2GB hard number-files y … system ulimits hard file-size hard number-files … OS System Library .db .db .db Database file size limits: 32 bit: * 512 byte blocks ( : 2GB) 64 bit: * 512 ( : 1 TB ) file-size number-files

33 Connecting To a Database (running _progres
self-serving on local system)

34 User has to be able to Execute _progres (or _prowin)
Run OpenEdge 4GL programs Interact with 4GL programs Update data in the database via 4GL programs only print, , etc. depending on application

35 Users should NOT be able to
Modify any executables or shared libraries Read, copy, or modify any production database files Run any database utilities Start or stop database servers Read or modify other users files Change configuration files Sometimes we want: no access to shell or other programs, _progres started automatically when user logs in to system Touch database server machines !

36 Disaster

37 Self-serving client Has To Be Able To
Load shared libraries Open database files Connect to shared memory and semaphores Read and write database files Read .p, .r, and other files Create new .r files Create temporary files Map shared procedure library files etc.

38 Starting Self-service ABL Clients: Connecting to the Buffer-pool
_progres effective uid: 0 effective gid: OS Security System Shared-memory user-access (123) group-access (555)‏ Shared memory plays a large part in all OpenEdge RDBMS installations Access is controlled by OpenEdge, via the OS’s security system The user access is controlled via the [real] user-id of the database server, the group-id is taken from the database file’s real group-id All access for user and groups are Read-Write Takeaway: The OS’s security system will govern the overall ability to set user & group access, but OpenEdge fills in the values

39 Starting the ABL Clients: Removing Privileges
OpenEdge _progres: Lowers uid after startup parameters executed Cannot re-set to a more privileged state Does not lower group-id [Does not remove privileges or ACEs] _progres real uid: effective uid: real gid: effective gid: 0 What OpenEdge does do is reduce its UNIX processes privileges after it has opened all of the database connections Windows processes, while they can have their privileges reduced, they are not inside OpenEdge The reduction in privileges comes through changing the process’s effective user-id to the real user-id OpenEdge reduction in privileges is irreversible by design (to protect against hackers)‏ This is ineffective when your OpenEdge processes are started from a root user; you change from root to root Tip: The reduction in user access occurs after all database startup command line options are complete, so doing a CONNECT inside the r-code runs with the real user-id (and all of its privileges)‏ Takeaway: Running a program and impersonating another user is OK, so long as that user is not root.

40 Connecting To a Database (running _progres with network connection)

41 User has to be able to Execute _progres Run OpenEdge 4GL programs
Interact with 4GL programs Communicate with server over network print, , etc. depending on application

42 Network Client Has To Be Able To
Load shared libraries Read and write database files Read .p, .r, and other files Create new .r files Create temporary files Map shared procedure library files etc. NO special privileges required

43 What about AppServers, and WebSpeed® ?

44 Shutting Down A Database
(running _mprshut)

45 Stopping The Database _mprshut real uid: effective uid: 0 real gid: effective gid: 0 _mprosrv real uid: effective uid: 0 real gid: effective gid: 0 OS System Library eq Two ways to stop another UNIX process: 1) ask it to stop; 2) send a software interrupt (i.e. Signalling) that forces it to stop When signalling another process, the OS’s security system gets involved. So the UNIX signal restrictions apply for all uses except root (who can signal any process)‏ OpenEdge inserts itself before the OS security system Checks to see if the uid is the owner uid of the database server, if not OpenEdge rejects the operation If proshut –F, the sending process must be root. (Windows is not checked)‏ Unix signals are handled by OpenEdge and abort the process Windows does not have signals, so on Windows OpenEdge is forced to “terminate” the process, which does not allow the process any chance at rundown. This is extremely dangerous Windows process termination must adhere to the OS security rules For the AdminServer, it also requires the same user-id to stop as was used to start Takeaway: Killing processes is serious, you do not do this unless all other means do not work Signal OpenEdge Signal IPC IPC

46 About Database Utilities

47 Database utilities need to be able to
Load shared libraries Open database files Connect to shared memory and semaphores Read and write database files Create and delete database files Create temporary files

48 Offline Database Utilities
Many utilities can run in single-user mode (and some have to) (e.g. database is offline) Index rebuild Offline backup procopy etc. Connect same way as single-user _progres

49 Online Database Utilities
Many utilities can be run online (e.g. database is in multi-user mode) dbanalysis prostrct add dbtool online backup etc. Connect same way as self-serving _progress

50 Advice

51 Advice Keep things simple
Don’t mix AdminServer & command-line database utilities Do administration locally to avoid user authentication issues OR: Use ssh for remote access (putty on Windows) Start with nothing is allowed If you are allowed to use the default OpenEdge installation, don’t change When you have to: refer back to this session’s information Remember: AdminServer and command line utility users ARE NOT THE SAME You can do a lot with group access controls! And do not forget set-group-id on UNIX systems Takeaway: Many installations do not need to run as the administrator, but nothing comes for free

52 Advice: Break the Administrator Habit
Develop access control plan Know requirement for bypassing system limits Use your own user accounts and groups Make maximum use of group level access Reserve root access to install, updates & emergencies Use the “sudo” utility

53 Advice: Learn sudo sudo can be used to sudo can
allow limited root access allow limited access to other accounts limit access to specific commands sudo can log usage log attempted usage when unauthorised attempts are made config file: /etc/sudoers Read the man page Example: sudo more /etc/sudoers

54 Best Practices Start with changing file & group ownership
Take away group and world access from database files database directories backup files and directories archived ai files and directories Take away world xrw from database utilities Create a database admin group Add set-group-id to $DLC/bin as appropriate

55 In Summary Server security requirements are increasing
OpenEdge security depends on the OS security system Administrator requirements are few, and there are alternative methods

56 ? Questions OS Security References:
NSA Guides: Securing RedHat Linux Securing Windows Server 2003

Download ppt "OPS-11: OpenEdge® and OS Security"

Similar presentations

Unit 5 – User Administration Randy Marchany VA Tech Computing Center.

Unit 5 – User Administration Randy Marchany VA Tech Computing Center.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Sharing Files Richard Newman based on Smith “Elementary Information Security”

Sharing Files Richard Newman based on Smith “Elementary Information Security”
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Resource Sharing Over a Network

Resource Sharing Over a Network
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
Module 2: Planning to Install SQL Server. Overview Hardware Installation Considerations SQL Server 2000 Editions Software Installation Considerations.

Module 2: Planning to Install SQL Server. Overview Hardware Installation Considerations SQL Server 2000 Editions Software Installation Considerations.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.
Guide to Operating System Security Chapter 5 File, Directory, and Shared Resource Security.

Guide to Operating System Security Chapter 5 File, Directory, and Shared Resource Security.
Configuring CIFS Upon completion of this module, you should be able to: Configure the Data Mover for a Windows environment Create and Join a CIFS Server.

Configuring CIFS Upon completion of this module, you should be able to: Configure the Data Mover for a Windows environment Create and Join a CIFS Server.

Similar presentations

Ads by Google