Month: March 2014

Sandbox apache (httpd) for better security.

Apache/httpd is a service you would want to keep contained, and Fedora now provides a native mechanism for doing so: virt-sandbox-service. With it, you can create a virtualized sandbox service and then connect to, list, and manage it with virsh.

We will be using LXC.

Basically, it takes a couple of commands and you have a contained service running.

# List all the containers
virsh -c lxc:/// list

# Create the sandbox, all default parameters. Will take dhcp address.
virt-sandbox-service create -C  --username amitag -u httpd.service httpd_conta

# Create the container with static IP.
virt-sandbox-service create -C  --username amitag -u httpd.service -N \
address=192.168.122.11/24%192.168.122.255  httpd_conta

# Enable and start the service.
virt-sandbox-service start httpd_conta
virt-sandbox-service enable httpd_conta

# Delete the container if not required any more.
virt-sandbox-service delete  httpd_conta

 

 

Sandbox Firefox – First step to security

First we will set up a cgroup to limit CPU and memory usage, so here we go:

Add the configuration in /etc/cgconfig.conf

#------start cgconfig----------------
#new group
group firefox {
    perm {
        task {
# use your login id and group here, so that you can control this group
        uid = amitag;
        gid = amitag;
        }
        admin {
# same as above, set to your login id and group.
           uid = amitag;
           gid = amitag;
        }
    }
# set the limits for cpu.. by default there are 1024 shares of cpu with no other groups,
# so share of 102 would be around 10% .
    cpu{
        cpu.shares="102";
    }
# limit the cpus to be used to only 0-1
    cpuset{
        cpuset.cpus=0-1;
        cpuset.mems=0;
    }
# limit the maximum memory to 700Mb.
    memory {
        memory.limit_in_bytes="700M";
        memory.max_usage_in_bytes="0";
    }
}
#------end cgconfig----------------

 

 

Now we will configure the cgred service:

For this, we will add a line to /etc/cgrules.conf

#------start cgrules.conf----------------
amitag:firefox cpu,memory   firefox
#------end cgrules.conf----------------

The rule above ensures that whenever you start firefox as user amitag, it is put in the firefox cgroup. So you need to replace amitag with your own username here. Now, the fun part. I know about this only in Fedora (and guess it can be done with AppArmor on Ubuntu, but don't know how to do that). We will make a container for the Firefox browser so that it cannot access any files from

#------start firefox_sandbox----------------
# If you are getting errors in audit logs, then you may need to do chcon
# chcon -R -t bin_t /home/amitag/Downloads/fedora/Firefox/firefox/
cmd=firefox

find ~/.mozilla -type f >/tmp/ffiles.sbox
find ~/.fluxbox -type f >>/tmp/ffiles.sbox
find ~/GNUstep -type f >>/tmp/ffiles.sbox
find ~/.bash.d/ -type f >>/tmp/ffiles.sbox
find ~/.ssh/ -type f >>/tmp/ffiles.sbox
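echo "~/.bashrc" >>/tmp/ffiles.sbox

# This is what does the magic...
# Every file listed in the -I file is copied into the sandbox's temporary home,
# so the sandboxed browser can read it (that includes the ~/.ssh files above);
# list only what the browser needs.
cgexec --sticky -g cpu,memory,cpuset:firefox sandbox -X -w 1024x768 -W fluxbox -t sandbox_web_t -I /tmp/ffiles.sbox $cmd &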
#------end firefox_sandbox----------------

Note: On Fedora, I needed the following packages; not sure about Ubuntu:

  • libcgroup-tools
  • policycoreutils-python
  • fluxbox
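
One way to check that the confinement actually took effect, as an added example that is not part of the original post: the function below parses the cgroup v1 text of /proc/<pid>/cgroup and reports which of the wanted controllers are not in the firefox group. The function names and both sample inputs are constructed for illustration; the group and controller names come from the configuration above.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the text of
# /proc/<pid>/cgroup (cgroup v1: "id:ctrl[,ctrl...]:path" per line) on stdin.

# missing_controllers GROUP "ctrl1 ctrl2 ..."
# Prints, space separated, the wanted controllers whose path is not /GROUP
# or a child of it. Prints an empty line when the process is fully confined.
missing_controllers() {
    awk -F: -v group="/$1" -v wanted="$2" '
        {
            # The path is everything after the second colon.
            rest = $0
            sub(/^[^:]*:[^:]*:/, "", rest)
            # Co-mounted controllers share one line, e.g. "cpu,cpuacct".
            n = split($2, ctrls, ",")
            for (i = 1; i <= n; i++) path[ctrls[i]] = rest
        }
        END {
            n = split(wanted, w, " ")
            out = ""
            for (i = 1; i <= n; i++) {
                p = path[w[i]]
                if (p != group && index(p, group "/") != 1)
                    out = out (out == "" ? "" : " ") w[i]
            }
            print out
        }'
}

# check_pid PID: status 0 only if cpu, memory and cpuset are all in "firefox".
check_pid() {
    m=$(missing_controllers firefox "cpu memory cpuset" < "/proc/$1/cgroup") || return 2
    [ -z "$m" ] || { echo "pid $1 is outside the firefox group for: $m" >&2; return 1; }
}

# Constructed sample: process started through the cgexec line above.
sample_cgexec='9:cpuset:/firefox
7:memory:/firefox
4:cpu,cpuacct:/firefox
1:name=systemd:/user.slice/user-1000.slice/session-2.scope'

# Constructed sample: process placed only by the cgrules.conf rule, which
# lists cpu,memory but not cpuset.
sample_cgred='9:cpuset:/
7:memory:/firefox
4:cpu,cpuacct:/firefox
1:name=systemd:/user.slice/user-1000.slice/session-2.scope'

printf '%s\n' "$sample_cgred" | missing_controllers firefox "cpu memory cpuset"
```

On a live system, call check_pid with the PID of the running firefox process; a non-zero status means at least one of the limits from cgconfig.conf is not being applied to it.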

fetchmail to get the mails from your imap account

Now that you have set up the RPi to send emails, let's do the next best thing: set up fetchmail so that a cron job can run and get us the emails on the Raspberry Pi. What can we do with these emails? Lots 🙂 (I hope you already have a Raspberry Pi; if not, then head over to element14.)

For now, first install fetchmail:

sudo apt-get install fetchmail

And if you are one of those who want easy configuration, then:

sudo apt-get install fetchmailconf

If you are using fetchmailconf, then just fire up “fetchmailconf”. You will get a GUI where you can configure the settings. If not, then you can create a file “~/.fetchmailrc”, which should look something like this:

poll 
protocol IMAP
user "" with password "" mda ""
folder 'INBOX'
fetchlimit 1
# do not delete the mails on server.
keep
# do not re-write the headers for the mail, get saner headers for the script to process.
no rewrite
# use ssl
ssl

 
