# ACLs on ZFS? Preventing "all pass" for user www



## patpro (Jul 18, 2016)

Hi all,

It can happen that a web site is compromised, then the Apache user (www) is exploited by the hacker to perform other tasks on the server.
In order to slow the blackhat down, I would like to prevent www from accessing large portions of the filesystem. I don't want to set up a jail, nor a chroot.
I'm running everything on ZFS, but it looks like ACLs are not available yet, on FreeBSD's ZFS…

I've run this command on my server:


```
sudo -u www find / -ls
```

just to find out what files/directories www can list. I've got a 1631555-line-long output to read now. Of course it does not mean that www can actually read the files, but it's still information.

Any idea?


----------



## big_girl (Jul 19, 2016)

ZFS on FreeBSD has supported ACLs since the 8.1 release...

https://wiki.freebsd.org/ZFS
https://wiki.freebsd.org/NFSv4_ACLs


----------



## ShelLuser (Jul 19, 2016)

patpro said:


> It can happen that a web site is compromised, then the Apache user (www) is exploited by the hacker to perform other tasks on the server.
> In order to slow the blackhat down, I would like to prevent www from accessing large portions of the filesystem. I don't want to set up a jail, nor a chroot.


Not really much point to that, it more or less boils down to security through obscurity.

But what would work is to limit the places where they can execute code. For example by denying this from within /tmp:


```
breve:/home/peter $ zfs get exec,mountpoint zroot/tmp
NAME       PROPERTY    VALUE       SOURCE
zroot/tmp  exec        off         local
zroot/tmp  mountpoint  /tmp        inherited from zroot
```
Though I obviously agree that ACLs can be useful in this scenario as well (explicitly denying execute permissions for the www user).


----------



## patpro (Jul 20, 2016)

big_girl said:


> ZFS on FreeBSD has supported ACLs since the 8.1 release...
> 
> https://wiki.freebsd.org/ZFS
> https://wiki.freebsd.org/NFSv4_ACLs



Thanks, unfortunately the handbook is not clear about that, and mentions only ACLs on UFS. I'll give this a try.


----------



## patpro (Jul 20, 2016)

ShelLuser said:


> Not really much point to that, it more or less boils down to security through obscurity.



I don't agree here. It's not obscurity, it's just another layer in the security cake (i.e. proper filesystem access management). It would not resist a privilege escalation, but it would certainly block a script kiddie whose top skill is to infect web sites with PHP malware.

And by the way, ACLs are also a nice way to prevent www from running perl, gcc, and any other interpreter/compiler that a hacker could use.


----------
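As an added example (not code from any poster in this thread), here is one way to apply the NFSv4 deny-execute ACE discussed above and to verify it from `getfacl` output. The function names, the `www` group list and the interpreter paths are assumptions; it expects FreeBSD's `setfacl`/`getfacl` on ZFS with the default compact ACL output.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD setfacl(1)/getfacl(1) on ZFS
# (NFSv4 ACLs) and getfacl's default compact output; names below are assumptions.
ACL_USER=www
ACL_GROUPS="www"   # groups ACL_USER belongs to (assumed)

# NFSv4 ACE syntax is tag:qualifier:permissions:inheritance-flags:type
deny_exec_ace() { printf 'u:%s:x::deny\n' "$1"; }

# Read getfacl output on stdin; print "allow" or "deny" for execute by user $1
# (member of groups $2). ACEs are evaluated top down: the first ACE that applies
# to the user and names the execute bit decides; no such ACE means deny.
exec_verdict() {
    awk -v user="$1" -v groups="$2" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingrp[g[i]] = 1 }
        /^# owner:/ { owner = $3; next }
        /^# group:/ { fgroup = $3; next }
        /^#/ || NF == 0 { next }
        {
            gsub(/[ \t]/, ""); k = split($0, f, ":")
            if (k == 4)      { who = "";   perms = f[2]; type = f[4] }  # owner@ group@ everyone@
            else if (k == 5) { who = f[2]; perms = f[3]; type = f[5] }  # user:NAME group:NAME
            else next
            hit = (f[1] == "everyone@") ||
                  (f[1] == "owner@" && owner == user) ||
                  (f[1] == "group@" && (fgroup in ingrp)) ||
                  (f[1] == "user"   && who == user) ||
                  (f[1] == "group"  && (who in ingrp))
            if (hit && index(perms, "x")) { print type; found = 1; exit }
        }
        END { if (!found) print "deny" }'
}

# Insert the deny ACE at position 0 so it precedes every allow entry, then verify.
lock_down() {
    for bin in "$@"; do
        setfacl -a 0 "$(deny_exec_ace "$ACL_USER")" "$bin" || return 1
        [ "$(getfacl "$bin" | exec_verdict "$ACL_USER" "$ACL_GROUPS")" = deny ] ||
            { echo "still executable by $ACL_USER: $bin" >&2; return 1; }
    done
}

# Acts only when given paths, e.g.: sh lockdown.sh /usr/local/bin/perl /usr/bin/cc
if [ "$#" -gt 0 ]; then lock_down "$@"; fi
```

Re-run the check after package upgrades: a replaced binary is a new file and does not carry the ACE set on the old one.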

