Security in ACS

by Jin Choi
In order to limit the amount of damage someone exploiting a security hole in ACS can do, it is possible to run AOLserver in a chroot environment (see http://www.aolserver.com/documentation/3.0/admin/sec-ch2.htm#8704). The tricky part of doing this is setting up a root directory that lets the Oracle driver find all the files it needs to work.

Setting up the chroot directory

In order to keep things simple, we'll use the server directory as the new root (let's call it /home/aolserver). We need to recreate a few system directories and populate them:
cd /home/aolserver
mkdir bin dev etc tmp usr var

# Create some device files necessary for Oracle.
# (The following is Solaris specific.)
cd dev
mknod kmem c 13 1
mknod mem c 13 0
mknod zero c 13 12
chmod a+w zero

# Copy necessary files to /etc.
cd ../etc
cp /etc/group /etc/hosts /etc/nsswitch.conf /etc/resolv.conf /etc/netconfig .
grep nsadmin /etc/passwd > passwd

# Create a symlink as /home/aolserver, so we don't have to edit all our
# .ini files.
cd ..
mkdir home
ln -s . home/aolserver

# Make tmp directory world writable.
chmod 1777 tmp
mkdir var/tmp
chmod 1777 var/tmp

# Copy rm to bin.
cp /bin/rm bin

# Copy unzip to usr/bin.
mkdir usr/bin
cp /usr/bin/unzip usr/bin

# Copy shared libraries to usr.
mkdir usr/lib
cp /usr/lib/*.a /usr/lib/*.so.* usr/lib

# If using the ecommerce module with ImageMagick to do image resizing,
# copy ImageMagick files if available.
# (mkdirhier is the X11 utility; mkdir -p does the same job.)
mkdirhier usr/local/bin
mkdirhier usr/local/lib
cp /usr/local/bin/convert usr/local/bin
cp /usr/local/lib/ImageMagick* usr/local/lib

# Copy timezone files.
mkdirhier usr/share/lib
cp -r /usr/share/lib/zoneinfo usr/share/lib

# The page root must also be within the chroot environment.
mkdir web
mv /web/servername /home/aolserver/web
ln -s /home/aolserver/web/servername /web/servername

# Copy necessary Oracle files to new root.
mkdirhier /home/aolserver$ORACLE_HOME
cd /home/aolserver$ORACLE_HOME
(cd $ORACLE_HOME; tar cf - bin dbs lib network ocommon rdbms) | tar xvf -

Setting up Oracle

Unfortunately, when running Oracle in dedicated server mode, each client process starts up its own server process which requires direct access to the data files. This will obviously not work in a chroot environment unless all the Oracle data files are contained within the chroot directory. This is not desirable and generally not possible.

One workaround for this is to connect to Oracle through a TCP connection. This is by far the easiest to set up. The downside is that there is some performance loss going through TCP instead of using IPC. To do this, edit $ORACLE_HOME/network/admin/listener.ora to add a TCP listener and $ORACLE_HOME/network/admin/tnsnames.ora to add a network alias for that listener (see the Net8 Administrator's Guide, or just use netasst). Then have AOLserver use it by putting the network alias as the Datasource entry for the connection pool in your server's .ini file.

If you insist on using IPC, you must configure the database to run in multi-threaded server (MTS) mode. Configuring MTS mode can be somewhat tricky (see this doc). In brief, you must:

To put Oracle into MTS mode, you must now restart the Oracle server. The listener should be started before the server so that the server can register itself properly with the listener. To verify that Oracle is in MTS mode, connect to Oracle using "sqlplus username/password@ora8_ipc" (substitute the network alias you put in tnsnames.ora for ora8_ipc), and run this SQL statement: select username, program, server from v$session where audsid=userenv('sessionid');. It should return "SHARED" in the SERVER column. If it says "DEDICATED" instead, your server is not in MTS mode.

One last problem with running ACS in a chrooted environment is that Oracle uses Unix domain socket files for IPC that are created in /var/tmp/.oracle. We must replace /var/tmp/.oracle with a symlink to a directory underneath the chroot directory. This must only be done with Oracle shut down!

cd /home/aolserver
mkdir var/tmp/.oracle
chown oracle var/tmp/.oracle
chmod 777 var/tmp/.oracle
# Make sure Oracle is not running before you do this next step!
rm -r /var/tmp/.oracle
ln -s /home/aolserver/var/tmp/.oracle /var/tmp/.oracle

A caveat about specifying directories in .ini files: every path must be relative to the chroot directory (e.g., /home/nsadmin/foo/bar -> /foo/bar), except for AuxConfigdir, which must be an absolute path.
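The following audit script is an added example, not part of the original ACS document or the AOLserver distribution. It checks a chroot tree built as described above against the points that most often go wrong: symlinks whose targets do not exist inside the new root (a chrooted process resolves absolute link targets against the chroot, not the host), setuid/setgid binaries and device nodes that arrived with a wildcard copy or the Oracle tarball, a uid 0 entry in the copied etc/passwd, and .ini values that still carry the host-side chroot prefix (everything except AuxConfigdir must be relative to the new root). It assumes POSIX sh with find, readlink, sed and awk; the function and check names are the example's own.

```shell
#!/bin/sh
# Added example (not from the ACS page): audit a chroot tree before starting
# nsd under it.  Usage: sh chroot-audit.sh /home/aolserver /home/aolserver/servername.ini

# 1. A chrooted process resolves an absolute symlink target against the NEW
#    root, so /usr/lib/foo.so must exist as $root/usr/lib/foo.so.  Relative
#    targets resolve against the link's own directory.  Report links whose
#    target is missing inside the tree.
chroot_check_symlinks() {
    root=${1%/}
    find "$root" -type l | while read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) resolved="$root$target" ;;
            *)  resolved="$(dirname "$link")/$target" ;;
        esac
        [ -e "$resolved" ] || printf 'dangling-in-chroot %s -> %s\n' "${link#"$root"}" "$target"
    done
}

# 2. setuid/setgid files and device nodes inside the tree.  The Oracle bin
#    directory copied in above carries setuid binaries and the page creates
#    dev/kmem, dev/mem and dev/zero; list everything of this kind so the
#    admin can confirm nothing else crept in.
chroot_check_privileged() {
    root=${1%/}
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$root|setuid-or-setgid |"
    find "$root" \( -type c -o -type b \) | sed "s|^$root|device-node |"
}

# 3. etc/passwd inside the chroot should hold only the unprivileged server
#    account grepped from the host; flag any uid 0 entry.
chroot_check_passwd() {
    awk -F: '$3 == 0 { print "uid0-in-chroot-passwd " $1 }' "${1%/}/etc/passwd"
}

# 4. The .ini caveat: values must be relative to the chroot (/foo/bar, not
#    /home/aolserver/foo/bar), except AuxConfigdir, which stays absolute.
#    Arguments: chroot root, path to the .ini file.
chroot_check_ini() {
    root=${1%/}
    awk -F= -v root="$root" '
        /^[ \t]*[;#]/ || /^[ \t]*\[/ || NF < 2 { next }   # comments, [sections], non key=value
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", val)
            if (key != "AuxConfigdir" && (val == root || index(val, root "/") == 1))
                print "ini-path-not-relative " key "=" val
        }' "$2"
}

# Run all checks; the .ini check only when a file is given.
chroot_audit() {
    chroot_check_symlinks "$1"
    chroot_check_privileged "$1"
    chroot_check_passwd "$1"
    if [ -n "$2" ]; then chroot_check_ini "$1" "$2"; fi
}

if [ -n "${1:-}" ]; then chroot_audit "$@"; fi
```

Each finding is one line prefixed with its check name, so the output can be diffed against a known-good run after every rebuild of the tree; an empty report for the symlink and passwd checks is the expected state, while the privileged-file list should contain exactly the Oracle binaries and the three device nodes created above.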

Running AOLserver

Run AOLserver using /home/aolserver/bin/nsd-oracle -ikc /home/aolserver/servername.ini -r /home/aolserver from inittab.

Disk Issues

Chrooting a server requires that everything related to the running of AOLserver reside under a single directory. This may cause problems with disk space, since what was previously split across two directories (the server root and the page root) must now live under the same directory. One workaround is to mount a separate disk as /home/aolserver/web and symlink it to /web.
jsc@arsdigita.com