From Fedora Project Wiki
Revision as of 09:20, 5 April 2020

fedorapeople.org

fedorapeople.org was set up to provide a place for Fedora contributors and developers to host files, SCM repositories, etc. and to easily exchange them with people as part of what they do for Fedora. It has been very successful. To keep it secure and sensible, we needed to take some semi-extreme steps to keep people from abusing our generosity.

Getting the accounts on the box

We set up a new account database, named 'people', from FAS. It is a select of all users in the db who are members of any of the CLA_* groups and of at least one other group. We then use make-shell-accounts from the normal infrastructure to fetch the nss_db files for passwd/shadow/groups and the users' directories.

make-shell-accounts just grabs a tarball from a central Fedora server and unpacks it appropriately every hour. The server-side job creates the tarball by querying the FAS db for specific items and then creating 'fake homedirs' for the users, each consisting of a .ssh directory with the user's authorized_keys file. That way, if a user modifies something in their homedir, the only changes that get lost are those to their authorized_keys file.

Finally, we modified the /etc/nsswitch.conf file to include 'db' for passwd, shadow and groups. This means that the system uses nss_db as an additional module for user/group lookups.

Polyinstantiated tempdirs

We wanted each user to have their own tmpdir that ONLY they could write to. We also wanted the tmpdir to live on the same filesystem as their homedir, so that one set of quotas applies to every place the user can write. We used pam_namespace to make /tmp and /var/tmp point to a directory inside /home/tempdirs. To avoid having to create directories in advance for all of our users, pam_namespace creates them on the fly at login.

/etc/pam.d/system-auth file:

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore]  pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_namespace.so

/etc/security/namespace.conf:

/tmp     /home/tempdirs/tmp/             user      root,adm,apache,puppet,nagios,rpm
/var/tmp /home/tempdirs/vartmp/          user      root,adm,apache,puppet,nagios,rpm

Make the dirs and protect them from snooping:

mkdir -p /home/tempdirs/tmp /home/tempdirs/vartmp
chmod 000 /home/tempdirs/*

Reboot, and any login will automatically get a directory created under that path; the user will not be able to distinguish /tmp from it. It is bind-mounted in place only for their login session. Only they can see it, and multiple logins do not conflict with each other.
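As an added illustration (not part of the original page or of Fedora's tooling), the following Python models what the namespace.conf entries above mean for a given login and checks the 'chmod 000' step: with method=user, pam_namespace names the instance directory instance_prefix followed by the username, and users in the override list keep the real /tmp. The file content and the mode_of callable are constructed for the example.

```python
import os
import stat

# Constructed copy of the two namespace.conf entries shown above.
NAMESPACE_CONF = """\
# polydir   instance_prefix          method   override_users
/tmp        /home/tempdirs/tmp/      user     root,adm,apache,puppet,nagios,rpm
/var/tmp    /home/tempdirs/vartmp/   user     root,adm,apache,puppet,nagios,rpm
"""


def parse_namespace_conf(text):
    """Parse the four-column form used above into
    (polydir, instance_prefix, method, override_users) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected namespace.conf line: {raw!r}")
        polydir, prefix, method, overrides = fields
        entries.append((polydir, prefix, method, set(overrides.split(","))))
    return entries


def instance_dirs(user, entries):
    """For each polyinstantiated directory, return the private instance
    directory pam_namespace bind-mounts over it for `user`, or None when the
    user is listed in override_users and therefore keeps the real directory.
    With method=user the instance directory is <instance_prefix><username>."""
    result = {}
    for polydir, prefix, method, overrides in entries:
        if method != "user":
            raise NotImplementedError(f"method {method!r} is not modelled here")
        result[polydir] = None if user in overrides else prefix + user
    return result


def unprotected_prefixes(entries, mode_of=lambda p: stat.S_IMODE(os.stat(p).st_mode)):
    """Return the instance_prefix directories whose permission bits are not
    000, i.e. where the 'chmod 000' step above was skipped and other users
    could list or enter the parent of everyone's private tmp.
    mode_of is injectable so the check can be exercised without a live box."""
    return [p for _, p, _, _ in entries if mode_of(p.rstrip("/")) != 0]
```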

Quotas

We set up quotas in the normal way; with the user homedir and tempdirs all under one mounted location, there is no place the user can write that escapes the quota.

Mount options

We mounted all partitions where a user could write with:

usrquota,noatime,noexec,nosuid,nodev

noatime is just for speed and fewer needless writes. Everything else is there to keep users from doing anything sneaky. We also applied the same mount restrictions to /dev/shm, so that sneaky people cannot discover they could write there.
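As an added check (not from the original page), the following Python audits /proc/self/mounts against the option set above: every mount point a user can write to must carry noexec, nosuid and nodev. The sample mount table and the USER_WRITABLE list are constructed for the example; on a real box the list would be derived from the quota and tempdir layout described above.

```python
# Constructed sample in the format of /proc/self/mounts (device, mount point,
# fstype, options, dump, pass). /dev/shm is deliberately missing noexec.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,noatime,noexec,nosuid,nodev,usrquota 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

# Restrictive options the page applies to every filesystem a user can write to.
REQUIRED = frozenset({"noexec", "nosuid", "nodev"})

# Mount points users can write to on this box: /home (which also holds the
# polyinstantiated tempdirs) and /dev/shm. Hypothetical list for this example.
USER_WRITABLE = frozenset({"/home", "/dev/shm"})


def parse_mounts(text):
    """Map mount point -> set of mount options from /proc/self/mounts text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as octal \040
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def audit(mounts, user_writable=USER_WRITABLE, required=REQUIRED):
    """Return {mount point: sorted list of missing options} for every
    user-writable mount point that lacks one of the required options.
    A mount point that is not mounted at all is reported with None."""
    findings = {}
    for mp in sorted(user_writable):
        options = mounts.get(mp)
        if options is None:
            findings[mp] = None
        elif not required <= options:
            findings[mp] = sorted(required - options)
    return findings


if __name__ == "__main__":
    # Run against the live system when executed directly.
    with open("/proc/self/mounts") as fh:
        live = parse_mounts(fh.read())
    for mp, missing in audit(live).items():
        print(f"{mp}: {'not mounted' if missing is None else 'missing ' + ','.join(missing)}")
```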

Application set refinement

I sat for a while with yum shell open and purged any and everything there wasn't a compelling need for. I ended up adding back editors and most of the scms.

Apache configuration for username.fedorapeople.org auto-setup

We wanted to provide hostname spaces like username.fedorapeople.org for everyone with an account on the machine, while returning a sane 404 or redirect when someone asked for thisuserdoesnotexist.fedorapeople.org. First we got the normal fedorapeople.org/~username layout working with Apache's standard UserDir option.

Then we added some serious RewriteRule trickery to make it all happen:

# The 'lowercase' RewriteMap used below must be defined before these rules
# (server or virtual host context); the map is Apache's built-in int:tolower.
RewriteEngine On
RewriteMap lowercase int:tolower

# Send www.fedorapeople.org to the bare domain.
RewriteCond ${lowercase:%{SERVER_NAME}} ^www\.fedorapeople\.org$
RewriteRule ^/(.*)$ http://fedorapeople.org/$1 [R,L]

# For <user>.fedorapeople.org, prepend the lowercased host to the path and
# chain into the rule that maps it onto the user's public_html.
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.fedorapeople\.org$
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
RewriteRule ^([a-z0-9-]+)\.fedorapeople\.org/(.*) /home/fedora/$1/public_html/$2 [L]

# Anything else is passed through untouched.
RewriteRule   ^(.+)  -  [PT]

What the above does is, roughly:

  1. Match anything.fedorapeople.org, except for www
  2. Lowercase the first part of the server name
  3. If there is anything in the first part, take it and rewrite the path to /home/fedora/$thatpart/public_html/whatever_else_was_on_the_url
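The following Python, added here as an example and not part of the original page or of Fedora's Apache configuration, models the three steps above for one request: it lowercases the host, redirects www, maps a label of [a-z0-9-] onto /home/fedora/<label>/public_html/, and passes everything else through. The route() function and its return tuples are assumptions of this example; the point worth seeing is that only a label matching that character class can ever reach the filesystem path, so hosts containing dots, slashes or other characters fall through to the passthrough rule.

```python
import re

DOMAIN = "fedorapeople.org"
# Same character class as the RewriteCond/RewriteRule above: one label of
# lowercase letters, digits and hyphens, directly under the domain.
USER_LABEL = re.compile(r"^([a-z0-9-]+)\." + re.escape(DOMAIN) + r"$")


def route(server_name, path):
    """Model the RewriteRule chain above for one request.

    Returns one of:
      ("redirect", url)       www.fedorapeople.org -> http://fedorapeople.org/...
      ("file", fs_path)       <user>.fedorapeople.org -> /home/fedora/<user>/public_html/...
      ("passthrough", path)   anything else, handed on unchanged ([PT])
    `path` is the request URI and must begin with '/'.
    """
    if not path.startswith("/"):
        raise ValueError("request path must start with '/'")
    # Step 2: ${lowercase:%{SERVER_NAME}} (RewriteMap lowercase int:tolower)
    host = server_name.lower()
    # Step 1, first rule: www is redirected to the bare domain.
    if host == "www." + DOMAIN:
        return ("redirect", f"http://{DOMAIN}{path}")
    # Step 1, second rule: only <label>.fedorapeople.org is accepted.
    m = USER_LABEL.match(host)
    if m:
        # The [C] chain builds "<host><path>" and the final rule captures
        # the label and the remainder of the URL after the first '/'.
        user, rest = m.group(1), path[1:]
        return ("file", f"/home/fedora/{user}/public_html/{rest}")
    # Fallback rule: RewriteRule ^(.+) - [PT]
    return ("passthrough", path)
```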

That's really it.