AOLserver Security Guide

$Header: /cvsroot/aolserver/aolserver.com/docs/admin/security.html,v 1.2 2002/09/26 19:51:32 kriston Exp $

This chapter provides guidelines for ensuring the security of systems running AOLserver. It describes the issues that must be considered and the associated modifications that should be made to AOLserver installations.

General nsadmin Passwords

By default, the nsadmin password for AOLserver is either set to NULL or to a poor password. Set an acceptable password for nsadmin as described below.

Edit the nsadmin entry in the /modules/nsperm/passwd file. For example, the default passwd file contains this nsadmin entry: nsadmin:CUdnvgBYocLSI:::::

Substitute an alternate encrypted password in place of CUdnvgBYocLSI.

To encrypt a password, you can copy an already-encrypted password from the /etc/passwd file or run the bin/nspasswd utility. It will prompt you for a password and return the encrypted version of the password.

For more information about the passwd file, see the "Defining Users" section.
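The following audit script is an added example, not part of AOLserver or this guide. It assumes only what the guide states: one entry per line in the form user:encrypted-password:::::, and the shipped default nsadmin hash CUdnvgBYocLSI. It parses a passwd file and flags an nsadmin entry that is missing, still set to the default, or any entry whose password field is empty, which is the quickest way to confirm that the change described above was actually made on every installation.

```python
# Audit an nsperm passwd file for a missing, empty or still-default nsadmin
# entry. Added example, not part of AOLserver. Assumes the layout quoted in the
# guide (user:encrypted-password:::::) and the default hash shown there.
from typing import Dict, List

DEFAULT_NSADMIN_HASH = "CUdnvgBYocLSI"  # the default entry quoted in the guide

# Constructed sample file: one default entry, one empty entry, one replaced entry.
SAMPLE_PASSWD = """# nsperm passwd file (constructed sample)
nsadmin:CUdnvgBYocLSI:::::
nobody::::::
editor:$1$c0nstruc$ExampleHashNotRealValue0:::::
"""


def parse_passwd(text: str) -> Dict[str, str]:
    """Map user name -> encrypted-password field, skipping comments and blanks."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; not an entry
        users[fields[0]] = fields[1]
    return users


def audit_passwd(text: str) -> List[str]:
    """Return one finding per weak entry; an empty list means nothing was flagged."""
    findings: List[str] = []
    users = parse_passwd(text)
    if "nsadmin" not in users:
        findings.append("nsadmin: no entry present")
    for user, pw in sorted(users.items()):
        if pw == "":
            findings.append(f"{user}: empty password field")
        elif pw == DEFAULT_NSADMIN_HASH:
            findings.append(f"{user}: still uses the shipped default hash")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Run it against /modules/nsperm/passwd on each server; a clean run returns no findings. The check is deliberately exact-match on the default hash rather than a guess at password strength, because the guide's point is that the shipped entry must be replaced, not merely that it is weak.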

Permission Settings

It is more secure to avoid using the nsperm module and use file-level security for ADPs. If you must use the nsperm module, set appropriate permissions records as follows:

* Maintain the same permission records for GET and POST; they actually provide the same permissions.
* Remove any permission records related to network publishing (PUT, DELETE, MKDIR, and BROWSE) for all users except nsadmin.
* Keep in mind the inheritance rules for permission records. In general, a permission record for a directory also applies to the directories underneath it.

To define AOLserver permissions, create permission entries for them in the perms file, which resides in the /modules/nsperm directory. The default perms file does not contain any permission entries, but it contains comments that explain how to add entries to the file.

For more information about setting permissions, see the "Permissions" section.
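The three rules above (GET and POST are one permission, publishing methods belong to nsadmin only, and a directory record covers everything beneath it) can be checked mechanically. The model below is an added example, not AOLserver's nsperm implementation; the in-memory Record layout (method, URL prefix, allowed users) is an assumption made for illustration, since the real perms file format is documented only by the comments in that file. What a request sees when no record matches at all is left outside the model.

```python
# Model of nsperm permission-record lookup and an audit of the three rules in
# the guide. Added example, not AOLserver code; the Record layout is assumed.
from typing import Iterable, List, NamedTuple, Optional, Set


class Record(NamedTuple):
    method: str     # HTTP method the record applies to
    url: str        # directory prefix, e.g. "/admin"
    allow: Set[str]  # users granted access by this record


PUBLISHING = {"PUT", "DELETE", "MKDIR", "BROWSE"}

# Constructed sample records: a GET/POST drift on /admin and a PUT grant to editor.
SAMPLE_RECORDS = [
    Record("GET", "/", {"guest", "editor", "nsadmin"}),
    Record("GET", "/admin", {"nsadmin"}),
    Record("POST", "/admin", {"nsadmin", "editor"}),
    Record("PUT", "/docs", {"nsadmin", "editor"}),
]


def method_key(method: str) -> str:
    """GET and POST grant the same access, so they share one lookup key."""
    m = method.upper()
    return "GET" if m in ("GET", "POST") else m


def _covers(prefix: str, url: str) -> bool:
    """A record for a directory applies to that directory and everything under it."""
    prefix = prefix.rstrip("/") or "/"
    return url == prefix or prefix == "/" or url.startswith(prefix + "/")


def effective_record(records: Iterable[Record], method: str, url: str) -> Optional[Record]:
    """Most specific (longest-prefix) matching record; None when no record applies."""
    best: Optional[Record] = None
    for r in records:
        if method_key(r.method) == method_key(method) and _covers(r.url, url):
            if best is None or len(r.url.rstrip("/")) > len(best.url.rstrip("/")):
                best = r
    return best


def audit_records(records: List[Record]) -> List[str]:
    """Flag publishing grants to anyone but nsadmin and GET/POST records that differ."""
    findings: List[str] = []
    get_post: dict = {}
    for r in records:
        m = r.method.upper()
        if m in ("GET", "POST"):
            get_post.setdefault(r.url, {})[m] = r.allow
        elif m in PUBLISHING:
            extra = sorted(r.allow - {"nsadmin"})
            if extra:
                findings.append(f"{m} {r.url}: publishing allowed for {extra}")
    for url, by_method in get_post.items():
        if len(by_method) == 2 and by_method["GET"] != by_method["POST"]:
            findings.append(f"{url}: GET and POST records differ")
    return findings


if __name__ == "__main__":
    print(effective_record(SAMPLE_RECORDS, "POST", "/admin/users.adp"))
    for finding in audit_records(SAMPLE_RECORDS):
        print(finding)
```

The longest-prefix rule is what makes a record on /admin override the site-wide record on / for everything under /admin, and the audit shows why a POST record that drifts away from its GET twin is a problem: the more permissive of the two is what the user effectively gets.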

Recommended Security Modifications

The actions described in this section are recommended, but not required, to ensure the security of systems running AOLserver.

AOLserver Version

In general, AOLserver versions 3.0 and higher should be used whenever possible, because they are more secure than earlier versions of AOLserver.

* AOLserver can be run in a chroot environment.
* The configuration file, which has a new Tcl format, is executed in a separate, temporary interpreter that is destroyed before startup begins. The configuration file memory buffer is then zeroed after parsing.
* The nsd binary can be stored outside the root directory because AOLserver no longer locates and re-executes itself.
* The configuration file can be stored outside the root directory, because AOLserver opens and reads the configuration file before running chroot().
* The new nscp module, which allows connections only from localhost, provides a secure control port interface that allows ad hoc Tcl evaluation and other server administration features. For more information about the control port interface, see the "AOLserver's Control Port Interface" section.

Secure chroot Environment

AOLserver should be run in a secure chroot() environment whenever possible.

In version 3.0 and higher, AOLserver supports a -r command line option that runs the server in a chroot() environment. chroot() provides the following benefits:

* The chroot() system call updates the process such that all absolute filenames are relative to a new root directory instead of the actual mounted file system.
* The chroot() call is irrevocable. Once chroot() returns, the server cannot access any file above the new root directory.
* Although it does not actually protect any of the underlying content, scripts, or protected databases, chroot() is the single most effective tool for protecting the server machine and sensitive information, such as user passwords and configuration files, from view.

To run AOLserver in a chroot() environment, you need only copy a few files and directories to the new root directory. For example, on the SGI platform, you would execute the following commands to create new directories and copy the necessary files to them:

# Create the minimal directory skeleton under the new root
mkdir $root/dev $root/tmp $root/etc
# World-writable, sticky tmp, as on the real system
chmod 1777 $root/tmp
# Create the device nodes the server needs (SGI MAKEDEV script)
cd $root/dev; /dev/MAKEDEV generic usema
# Copy the files needed for user lookups and DNS resolution
cp /etc/passwd /etc/resolv.conf $root/etc

Then, you can run AOLserver with the -r option as in this example: nsd -t nsd.tcl -r $root

For more information about the nsd command line, see the "AOLserver Command Line" section.

Restricted Content

Determine whether any of the content available to an AOLserver in a chroot() environment would be restricted. In general, AOLserver should be read-only and everything it can read should be world-readable. This allows the AOLserver administrator to ignore the nsperm module altogether.

If any of the content available to AOLserver is restricted, the AOLserver administrator needs to define the appropriate permissions with the nsperm module. The administrator should be very clear which areas are blocked off and know both the URL and METHOD for the restricted areas.

It is preferable to allow the GET method for all URLs and to make nothing restricted accessible through AOLserver at all.
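The rule in this section (the server is read-only, and everything it can read is world-readable) translates directly into a file-mode audit of the chroot tree. The script below is an added example, not AOLserver code: it walks a server root and reports anything that is not world-readable (which would need an nsperm record or should not be in the tree) and anything the server's unprivileged user could write to. The server's uid is a parameter; the sample tree it builds is constructed for the demonstration.

```python
# Audit a server root for the "read-only and world-readable" rule in the guide.
# Added example, not AOLserver code. The sample tree is constructed here.
import os
import shutil
import stat
import tempfile
from typing import List


def audit_tree(root: str, server_uid: int) -> List[str]:
    """Report entries under root that are not world-readable or that the
    server user (server_uid) could write to. Symlinks are skipped; their
    targets are checked wherever they really live."""
    findings: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            mode = st.st_mode
            if not mode & stat.S_IROTH:
                findings.append(f"{rel}: not world-readable; needs an nsperm record or should be removed")
            owner_writable = st.st_uid == server_uid and bool(mode & stat.S_IWUSR)
            if owner_writable or mode & stat.S_IWOTH:
                findings.append(f"{rel}: writable by the server user; content should be read-only")
    return sorted(findings)


def make_sample_root() -> str:
    """Build a constructed server root in a temp dir: one good file, one
    private (0600) file and one world-writable (0666) file."""
    root = tempfile.mkdtemp(prefix="nsroot-")
    layout = {
        "index.adp": 0o644,
        "secrets/private.adp": 0o600,
        "upload/notes.txt": 0o666,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        parent = os.path.dirname(path)
        os.makedirs(parent, exist_ok=True)
        os.chmod(parent, 0o755)  # explicit, so the caller's umask cannot skew the audit
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


def demo(as_owner: bool = False) -> List[str]:
    """Audit the constructed root. By default the server uid is modelled as a
    different user from the file owner, which is the recommended deployment."""
    root = make_sample_root()
    try:
        uid = os.getuid() if as_owner else os.getuid() + 1
        return audit_tree(root, uid)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running demo(as_owner=True) shows the second half of the rule: when the server runs as the user that owns the content, every owner-writable file and directory is flagged, which is why the content should be owned by someone else and the server given only read access.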

Tcl Library

Limit the available Tcl functions to just those required by that particular AOLserver installation, and purge the Tcl library of unnecessary functions. For example, if the site doesn't send e-mail, remove the ns_sendmail procedures.

Some potentially unsafe commands you may want to consider removing are:

* File system related functions, such as open, read, and puts
* The AOLserver ns_sock* Tcl functions
* The Tcl 7.6 socket routines
* The exec command
* The file command, or at least the delete and rename features
* The exit command

This code example disables the open command:

#include <ns.h>

static int BadCmd(ClientData dummy, Tcl_Interp *interp, int argc, char **argv);

/* Interpreter init callback (registered, for example, with Ns_TclInitInterps):
   replaces the open command with a stub that always fails. */
static int
AddCmds(Tcl_Interp *interp, void *arg) {
    Tcl_CreateCommand(interp, "open", BadCmd, NULL, NULL);
    return TCL_OK;
}

/* Replacement command: reports the command as disabled and returns an error. */
static int
BadCmd(ClientData dummy, Tcl_Interp *interp, int argc, char **argv) {
    Tcl_AppendResult(interp, "disabled command: ", argv[0], NULL);
    return TCL_ERROR;
}

Database Access

Database access should be restricted with read-only logins to the server and queries through stored procedures. Stored procedure capabilities were added to AOLserver in Version 3.0. Also, all ad hoc database forms and system catalog query functions were removed in Version 3.0.

For more information about the Tcl functions for stored procedures, see the "ns_db" section of the AOLserver Tcl Developer's Guide. For more information about the C functions for stored procedures, see the "Stored Procedure Functions" section of the AOLserver C Developer's Guide.

Control Port Interface

The control port interface should not be used unless absolutely necessary. Although it is more secure than the /NS/Admin interface from earlier AOLserver versions because it only allows connections from localhost, it still poses a potential risk.

For more information about the control port interface, see the "AOLserver's Control Port Interface" section.