Using minimum Service/Daemon user permissions to secure Iguana

Introduction

This article addresses minimizing the Iguana Service/Daemon access permissions to improve security. Restricting access is most important for Production server security. We also strongly recommend applying matching restrictions to Testing and Staging servers (which should mimic the production environment as closely as possible).

The same restrictions are not required on development servers; in fact developers usually run Iguana with full Administrator rights. There is a case to be made that developers should work with the same restrictions, but in practice this does not work well.

Minimum Service/Daemon User Permissions

The minimum permissions for the Iguana Service/Daemon user are:

  1. Full access (read, write, create, delete, execute) to all files in the Iguana install directory (execute is needed for the Iguana program files themselves and, on Linux/Mac, to enter directories)
  2. Access to files outside the Iguana install directory that are used by Iguana channels
    • Typically full update access (read, write, create, delete) will be required — for data files managed by Iguana
      Note: Data files should not be granted execute permission.
    • Sometimes read access will be sufficient — for data files managed by other applications
    • Sometimes execute permission may be needed — for running external utilities or programs
      Note: Other permissions may also be required depending on circumstances.

Iguana default Service/Daemon install permissions

Windows

  • By default the Iguana Service is installed to run as the builtin LocalSystem account
    • It has extensive privileges on the local computer
    • On the network it authenticates as the computer account
  • The advantage of using the LocalSystem account is that the service has complete unrestricted access to local resources
  • The disadvantage of using the LocalSystem account is that same unrestricted access: a LocalSystem service (or any bug or attacker that gains control of it) can do things that would bring down the entire system

Linux and Mac

  • Linux and Mac operating systems work a little differently: the daemon process runs as whichever user starts it
    • If you start the daemon from a shell it will run as the user you are logged on as
    • If you create a cron job to run the daemon, that cron job will also run as the current user, because it belongs to the current user (it is created in the crontab for the current user)

      Warning: We strongly recommend against running the Iguana daemon cron job as a personal user. Not using a personal user is (or should be) standard practice for all daemons and services.

      This is because when the person leaves the company the system administrator will disable (or delete) their user, and Iguana will mysteriously stop running.

    • Often cron jobs are created as root.
  • The advantage of using root is that the daemon has complete unrestricted access to local resources
  • The disadvantage of using root is that same unrestricted access: a root daemon (or any bug or attacker that gains control of it) can do things that would bring down the entire system

Note: We explain how to run a cron job as a different user in the Linux/Mac section

Windows: Update Service User access

These instructions use screenshots from Windows 7, but the process is the same in other Windows versions.

If you have any questions please contact us at support@interfaceware.com.

  1. Log on as the Local Administrator (or you will not be able to perform some of the required actions)
  2. Create a new local user like IguanaService (or similar):
    1. Run the local user and group manager
      1. Search for “user” in the Start menu and click Edit local users and groups
    2. Create a new user by selecting New User… from the Action menu:
    3. Enter the user details in the New User dialogue and click the Create button. Because this is a service account, give it a long random password and select “User cannot change password” and “Password never expires”, so the service does not stop logging on when the password ages out.
  3. Grant the new IguanaService user Full Control permissions to the Iguana install directory and all files within it
    Note: You could also create a group, grant it the permissions then add the user to the group.

    1. Find the directory in file explorer, then right click and choose properties:
    2. Go to the Security tab and click the Edit button:
    3. Click on the Add button in the permissions dialogue:
    4. Type in the name of the user you created and click Check Names:
    5. The system will identify the fully qualified user name, something like this:
    6. Click on the OK button to confirm.
    7. Select the newly added user in the list, then check Allow Full Control:
  4. Grant minimum access to “external” files outside the Iguana install directory that are used by Iguana channels.
    1. Files managed by Iguana will require Modify access (read, write, create, delete)
      Note: Not all external files need Modify!

      1. Follow the same steps as you did above (steps 3.1 to 3.6) to add the user name to the Permissions property page.
      2. Grant the Modify permission like this (do not check “Full-control”):
    2. Data files (managed by other applications) will typically only need read access:

      Note: Windows applies the new permission entry to the selected directory and all directories and files contained within it (the Security tab creates the entry as inheritable, “This folder, subfolders and files”, by default). This may not be what you want.

      If you only need access to one or two files in a directory, set the entry’s “Applies to” value to “This folder only” in the Advanced Security Settings dialogue (or go through and remove the unwanted inherited entries from the contained files and directories). Alternatively you can use the icacls command at the Windows command prompt to grant permissions to the directory and to the individual files, for example icacls <file> /grant IguanaService:M for Modify or IguanaService:R for read; do not add the /T option, which applies the change to the whole tree.

    3. Utility programs will need execute permission:

      Note: As explained above, Windows applies the permission entry to the selected directory and everything contained within it by default. So you may need to remove unwanted entries, or use icacls on the individual utility files instead (with RX for read and execute).

  5. Update the Iguana service to use the new IguanaService user
    1. Run Services, and find the Iguana service you want to update:
    2. Right click and select Properties from the menu
    3. Select the Log On tab in the dialogue:
    4. Check the This account option then click Browse:
    5. Type in the name of the user you created and click Check Names:
    6. The system will identify the fully qualified user name, something like this:
    7. Click on the OK button to confirm.
    8. Finally enter the password for the user and click OK:
    9. Restart the service
      Note: When you save the Log On tab, the Services console grants the account the “Log on as a service” right automatically. If you configure the account another way (for example with sc config), you must grant that right yourself in the Local Security Policy, or the service will fail to start.
    10. Try out Iguana to make sure things are working correctly

Linux or Mac: Update Daemon User access

These instructions are intended for users familiar with Linux or Mac administration. We explain what is required and include sample commands that should work in most cases. However your circumstances may vary so you should treat these steps as guidelines — not exact instructions.

If you have any questions please contact us at support@interfaceware.com.

Note: Historically Linux used only the traditional owner/group/other permission bits, where a single group “owns” a file or directory and the group bits control what that group can do. Windows (NTFS ACLs) and Mac (ACLs layered on top of the permission bits) both allow several users and groups to be given different access to the same file or directory.

Nowadays most Linux systems also support POSIX ACL permissions, which can be managed using the setfacl and getfacl commands — however these are harder to work with and may not be supported on all Linux systems. Fortunately the traditional Linux permissions are sufficient for our purposes so we do not need to use ACL based permissions.

  1. Log on as superuser (root) or as the directory/file owner (you can also use sudo to change user)
    Note: If external files have different owners then you will need to log on once as each owner.
  2. Create a new user like IguanaDaemon (or similar).

    We will use IguanaDaemon to run the cron job that executes the Iguana daemon. This overcomes the issues of using root (too many privileges) or a personal user (which can be disabled/deleted if the person leaves the company). Using IguanaDaemon is much more secure as you can grant it the minimum privileges needed to run Iguana and its channels. The account needs no password and no interactive login shell: cron runs jobs with /bin/sh as that user, so create it as a system account with its shell set to nologin.
    Note: When rolling out new channels you may need to add permissions to access new data files, particularly if they are located on shared drives. This should be part of your normal development, test, rollout process.

  3. Grant full access (read, write, create, delete, execute) to the owner group for the Iguana install directory:
    1. Add the new IguanaDaemon user to the owner group for the Iguana install directory (or make a group IguanaDaemon belongs to the directory’s group with chgrp).
    2. Use chmod to grant “ug=rwx,o=” or “0770” permissions to the Iguana install directory and all directories and files within it:

      The two chmod modes “ug=rwx,o=” (symbolic) and “0770” (octal) are simply different formats for the same permissions; which format you prefer is up to you. Note that chmod does not accept ls-style strings such as “-rwxrwx---”: a leading “-” means “remove”, so that command would strip permissions instead of granting them. Notice also that we need to use the recursive (-R) chmod option to apply permissions to all files and sub-directories, and that it goes before the directory name so the command works with both GNU and BSD/macOS chmod.
      Note: Needing -R is a particular trap for Windows admins working with Linux as Windows automatically applies permissions (recursively) to all files and sub-directories by default.
      Note: 0770 also makes every data file under the install directory executable. To honour the advice above that data files should not be executable, use the symbolic mode “u=rwX,g=rwX,o=” instead: a capital X grants execute only to directories and to files that are already executable (the Iguana program files).

      For example:

      $ # the home directory is the "default" linux/mac install directory
      $ # for Iguana if it is elsewhere then you should cd there instead
      $ cd <home> # go to the parent of the Iguana install directory 
      $ ls -d */  # list directories to confirm Iguana install dir
      $ chmod -R ug=rwx,o= iNTERFACEWARE-Iguana        # apply permissions (symbolic)
      $ chmod -R 0770 iNTERFACEWARE-Iguana             # octal alternative
      $ chmod -R u=rwX,g=rwX,o= iNTERFACEWARE-Iguana   # tighter: no execute on data files
    3. Use chmod to turn on the GID bit for the Iguana install directory and all sub-directories within it (but not files).

      Enabling the GID (set group id) bit ensures that any files created in the directory inherit the directory’s group (if it is not set then any files created get the primary group of the process that creates them, which may be different, and would make those files inaccessible to Iguana). This is not necessary on all systems: BSD and macOS (which is based on BSD) implement this behaviour by default.
      Note: This is another trap for Windows admins working with Linux as Windows inherits group file permissions from the parent directory by default.
      The two chmod commands “g+s” (symbolic) and “2770” (octal) are different ways to grant the same permissions; which you prefer is up to you. We also included the command to turn off the GID in case you make a mistake.
      Note: Using “2770” in step 2 does not work as the -R (recursion) option would cause the GID to be turned on for files as well, which we don’t want to do.

      For example:

      $ # the home directory is the "default" linux/mac install directory
      $ # for Iguana if it is elsewhere then you should cd there instead
      $ cd <home> # go to the parent of the Iguana install directory 
      $ ls -d */  # list directories to confirm Iguana install dir
      $
      $ # you will need to repeat one of these commands for each sub-directory
      $ chmod g+s iNTERFACEWARE-Iguana  # turn ON (set) the GID bit
      $ chmod 2770 iNTERFACEWARE-Iguana # octal to turn ON (set) the GID bit
      $
      $ # a recursive method to set the GID for directories but not files
      $ # please test this command before using on production
      $ find iNTERFACEWARE-Iguana -type d -exec chmod g+s {} +
      $
      $ # check: directories should now show "s" in the group execute column (drwxrws---)
      $ ls -ld iNTERFACEWARE-Iguana
      $
      $ # how to turn OFF the GID if you make a mistake
      $ chmod g-s iNTERFACEWARE-Iguana  # turn OFF (unset) the GID bit
      $ chmod 0770 iNTERFACEWARE-Iguana # octal to turn OFF (unset) the GID bit
  4. Grant access to “external” files outside the Iguana install directory that are used by Iguana channels:

    Usually Iguana will need access to all files in a directory; in this case you should grant access to the directory and all files contained in it. Occasionally Iguana will need access to some (but not all) files in a directory; then you should grant access to the directory and then to each file individually.
    Note: The execute permission is usually not needed on “external” files. It is always needed on the directories themselves: for a directory, x means “may enter (search) this directory”, and without it the group can neither list, read nor create files inside it.

    1. Typically write access (read, write, create, delete) will be required for files managed by Iguana:
      • Add the new IguanaDaemon user to the owner group for the data directory and sub-directories (that Iguana needs access to)
      • Use chmod to ensure that group write permissions are enabled for the directory and files:
        Note: We included the command for execute permission on a file though it is rarely needed.

        Directories and files need different bits. To create, rename or delete files in a directory the group needs read, write and execute (search) on the directory, i.e. “drwxrwx---” or 0770 or greater; on the files themselves the group needs read and write, i.e. “-rw-rw----” or 0660 or greater, and should not be given execute. Why not just set these permissions directly with chmod 0770 and chmod 0660? Because the group permissions could already be greater (0770 on a file, for example, because another application that manages the files needs to execute them); setting the file to 0660 would take that away from the other application (not good). Adding bits with “chmod g+…” instead of setting them with “=” or an octal mode avoids this. Ideally we would use a separate group to grant Iguana its own access (but then we would need ACLs). The downside of sharing the owner group is that Iguana may get more access than it needs because the owner group already has it.
        Note: In this case we suggest applying permissions manually to each file (there should only be a few) rather than using recursion.

        For example:

        $ # replace <data-dir> with the external data directory the channel uses
        $ # (the cd <home> lines in the earlier examples are for the install directory)
        $ # "+" only adds bits: if permission is already higher it is unchanged
        $
        $ # directories: the group needs r, w and x (x = permission to enter the directory)
        $ # 0700 >changed> 0770
        $ # 0770 >unchanged> 0770 (and more importantly not reduced)
        $ chmod g+rwx <data-dir>
        $ find <data-dir> -type d -exec chmod g+rwx {} +  # all sub-directories, if Iguana uses them all
        $
        $ # files: the group needs r and w only
        $ # 0600 >changed> 0660
        $ # 0640 >changed> 0660
        $ # 0770 >unchanged> 0770 (and more importantly not reduced)
        $ chmod g+rw <data-dir>/<file>                    # one file at a time ...
        $ find <data-dir> -type f -exec chmod g+rw {} +   # ... or every file in the tree
        $
        $ # only if Iguana needs to execute a utility program in this directory
        $ chmod g+x <data-dir>/<utility>
      • Use chmod to turn on the GID bit for the data directory and any sub-directories (that Iguana uses) within it (but not files), so that files Iguana creates there get the group you just granted access to. Prefer “g+s” here: the octal “2770” also replaces the permission bits, which could reduce another application’s access. For example:
        $ # replace <data-dir> with the external data directory the channel uses
        $ # you will need to repeat one of these commands for each sub-directory
        $ chmod g+s <data-dir>  # turn ON (set) the GID bit, other bits unchanged
        $ chmod 2770 <data-dir> # octal: sets the GID bit AND sets the permissions to rwxrwx---
        $
        $ # only use recursion if you need to set the GID for ALL sub-directories
        $ # a recursive method to set directories but not files
        $ # please test this command before using on production
        $ find <data-dir> -type d -exec chmod g+s {} +
        $
        $ # check: directories should show "s" in the group execute column (drwxrws---)
        $ ls -ld <data-dir>
    2. Sometimes read access will be sufficient, for files managed by other applications:
      • Add the new IguanaDaemon user to the owner group for the data directory
      • Use chmod to ensure that group read permissions are enabled for the directory and files.
        Note: We included the command for execute permission on a file though it is rarely needed.

        For read-only access the group needs read and execute (search) on the directory, i.e. “drwxr-x---” or 0750 or greater, and read on the files, i.e. “-rw-r-----” or 0640 or greater. Why not just set these permissions directly? Because the group permissions could already be greater (0660 on a file, for example, because another application that manages the files uses group access to get write permission); setting the file to 0640 would take that away from the other application (not good). Again, adding bits with “chmod g+…” avoids this. Ideally we would use a separate group to grant Iguana its own access (but then we would need ACLs). The downside of sharing the owner group is that Iguana could get more than read access because the owner group needs it.
        Note: In this case we suggest applying permissions manually to each file (there should only be a few) rather than using recursion.

        For example:

        $ # replace <data-dir> with the external data directory the channel uses
        $ # "+" only adds bits: if permission is already higher it is unchanged
        $
        $ # directories: the group needs r and x (x = permission to enter the directory)
        $ # 0700 >changed> 0750
        $ # 0770 >unchanged> 0770 (and more importantly not reduced)
        $ chmod g+rx <data-dir>
        $ find <data-dir> -type d -exec chmod g+rx {} +   # all sub-directories, if Iguana reads them all
        $
        $ # files: the group needs r only
        $ # 0600 >changed> 0640
        $ # 0660 >unchanged> 0660 (and more importantly not reduced)
        $ chmod g+r <data-dir>/<file>                     # one file at a time ...
        $ find <data-dir> -type f -exec chmod g+r {} +    # ... or every file in the tree
        $
        $ # only if Iguana needs to execute a utility program in this directory
        $ chmod g+x <data-dir>/<utility>
  5. Adjust how the Iguana daemon is started so it will use the new IguanaDaemon user.

    We strongly recommend that you start your daemon using a cron job, so it will start automatically when the server starts. Therefore the instructions only address using a cron job (and not starting a daemon manually).
    Note: If you are uncertain about any of this please speak to your system administrator, or contact us at support@interfaceware.com.

    1. Delete the current cron job if one already exists, for example:
      • A cron job created as your own user:

        If your crontab only contains a single cron job that runs Iguana, then you can safely delete your crontab using the crontab -r command (you can easily create it again if you need to). We recommend viewing the contents of your crontab first, using crontab -l, just to be sure there are no other jobs! If you want to keep your crontab then you will need to edit it, using crontab -e, and remove the line for the cron job that runs Iguana. When you edit the crontab it will open in the system editor (probably vi or vim). The line for the cron job that runs Iguana once at startup (that you want to delete) will look something like this:
        @reboot /path/to/Iguana/install/directory/iguana_service

        # view the contents of your crontab file
        crontab -l
        # if it only contains the cron job to run Iguana then you can safely delete it
        crontab -r
        # if you are keeping your crontab then edit it and remove the line for 
        # the cron job that runs the Iguana daemon
        crontab -e
      • A cron job created as root:

        We recommend that you do not use sudo here, as there are reports that it does not always play nicely with the crontab command. Instead become root (su -) and use the “crontab -u” option like this: crontab -e -u root. The -u option is only honoured for root. The line for the cron job that runs Iguana once at startup (that you want to delete) will look something like this:
        @reboot /path/to/Iguana/install/directory/iguana_service

        # as root, edit the root (superuser) crontab and remove the line for 
        # the cron job that runs the Iguana daemon
        # NOTE: su - will ask you for the root password
        crontab -e -u root
    2. Create the new cron job to run as IguanaDaemon:
      • Create the new cron job:

        Again we recommend that you do not use sudo; instead, as root, use the “crontab -u” option like this: crontab -e -u IguanaDaemon. You do not need to know (or set) a password for IguanaDaemon, because root may edit any user’s crontab. The line for the new cron job that runs Iguana once at startup will look something like this:
        @reboot /path/to/Iguana/install/directory/iguana_service

        # as root, edit the IguanaDaemon crontab and add the line for 
        # the new cron job that runs the Iguana daemon
        crontab -e -u IguanaDaemon

        Warning: Apparently there are some versions of Linux where the @reboot cron option (run at startup) only works for root. If you have this problem then you will need to start the Iguana daemon from an init script instead (on systemd based distributions, a service unit with User=IguanaDaemon is the equivalent).

        If you need more help speak to your system administrator, or contact us at support@interfaceware.com.
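The whole Linux/Mac procedure above (steps 3 to 5), collected into one script as an added example. This is not iNTERFACEWARE's own tooling and nothing in it ships with Iguana. It assumes GNU coreutils and find (with a BSD stat fallback for the mode check), a Vixie/cronie style crontab(1) that accepts -l, -u and "-" for stdin, util-linux su (for -s), that the group you pass in already exists with IguanaDaemon as a member, and that the crontab functions are run as root. The file name harden.sh, the user name alice, the path under /home/alice, the sample tree it builds under mktemp and the sample crontab lines are all placeholders constructed for the example. Two things it shows that the steps above do not: the capital X in the chmod mode, which gives the group execute on directories and on files that are already executable but not on data files, and a crontab rewrite that drops the old Iguana job while leaving every other job in place.

```shell
#!/bin/sh
# Added example (not iNTERFACEWARE's own scripts) covering steps 3 to 5
# above: group permissions on the install and data directories, and moving
# the @reboot job into the IguanaDaemon crontab without touching other jobs.
# Assumptions: GNU coreutils/find (BSD stat as a fallback), a Vixie/cronie
# style crontab(1) (-l, -u, "-" for stdin), util-linux su (-s); <group>
# exists and IguanaDaemon is a member; the crontab functions run as root.

# Octal mode of a path, special bits included (2770 for a setgid directory).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1" | sed 's/^0//'
}

# Step 3: install directory. Group gets rw everywhere, x only on directories
# and on files that are already executable (the Iguana program files), so
# data files stay non-executable; "o=" removes all access for other users;
# setgid goes on directories only so files Iguana creates inherit the group.
harden_install_dir() {                 # harden_install_dir <dir> <group>
    chgrp -R "$2" "$1"
    chmod -R u=rwX,g=rwX,o= "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# Step 4.1: data directory Iguana writes to. Bits are only added ("+"), never
# replaced, so another application's existing access is not reduced.
grant_data_dir_write() {               # grant_data_dir_write <dir> <group>
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod g+rwxs {} +   # x = may enter the directory
    find "$1" -type f -exec chmod g+rw {} +     # no x on data files
}

# Step 4.2: data directory Iguana only reads.
grant_data_dir_read() {                # grant_data_dir_read <dir> <group>
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod g+rx {} +
    find "$1" -type f -exec chmod g+r {} +
}

# Audit: every path under <dir> that "other" users can still read or write.
world_accessible() {                   # world_accessible <dir>
    find "$1" \( -perm -o+r -o -perm -o+w \) -print
}

# Step 5: crontab text handling. Stdin is the current crontab; every line
# that mentions iguana_service (comments included) is dropped and one fresh
# @reboot line is appended. Pure text, so it can be tested without cron.
strip_iguana_job() { grep -v 'iguana_service' || true; }  # grep exits 1 if nothing is left
reboot_job_line()  { printf '@reboot %s\n' "$1"; }        # reboot_job_line <path>
new_daemon_crontab() { strip_iguana_job; reboot_job_line "$1"; }

# Remove the Iguana job from <user>'s crontab, keeping their other jobs;
# drop the crontab entirely only when nothing else is in it.
remove_iguana_job() {                  # remove_iguana_job <user>
    rest=$(crontab -l -u "$1" 2>/dev/null | strip_iguana_job)
    if [ -n "$rest" ]; then printf '%s\n' "$rest" | crontab -u "$1" -
    else crontab -r -u "$1" 2>/dev/null || true; fi
}

# Install the @reboot job for <user> after proving that user can execute the
# binary. cron runs jobs with /bin/sh, so a nologin shell is fine; a missing
# execute bit, or a directory without x on the way, is not.
install_iguana_job() {                 # install_iguana_job <user> <path>
    su -s /bin/sh "$1" -c "test -x '$2'" ||
        { echo "$1 cannot execute $2: fix the permissions first" >&2; return 1; }
    crontab -l -u "$1" 2>/dev/null | new_daemon_crontab "$2" | crontab -u "$1" -
}

# Constructed sample tree (not a real install) so the permission functions
# can be exercised without root, using the caller's own primary group.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/iNTERFACEWARE-Iguana/logs" "$root/data/in"
    printf '#!/bin/sh\n' > "$root/iNTERFACEWARE-Iguana/iguana_service"
    chmod 755 "$root/iNTERFACEWARE-Iguana/iguana_service"   # a program file
    : > "$root/iNTERFACEWARE-Iguana/config.xml"
    chmod 644 "$root/iNTERFACEWARE-Iguana/config.xml"       # a data file
    : > "$root/data/in/msg1.hl7"
    chmod 600 "$root/data/in/msg1.hl7"
    chmod 700 "$root/data" "$root/data/in"
    printf '%s\n' "$root"
}

case ${1:-} in
    demo)    # sh harden.sh demo: permissions on the sample tree, no root needed
        root=$(make_demo_tree); grp=$(id -gn)
        harden_install_dir "$root/iNTERFACEWARE-Iguana" "$grp"
        grant_data_dir_write "$root/data" "$grp"
        find "$root" -exec ls -ld {} +   # drwxrws--- dirs, -rw-rw---- data files
        echo "world accessible paths: $(world_accessible "$root" | wc -l)"
        rm -rf "$root" ;;
    migrate) # sh harden.sh migrate: as root, move the job (names are placeholders)
        remove_iguana_job alice; remove_iguana_job root
        install_iguana_job IguanaDaemon /home/alice/iNTERFACEWARE-Iguana/iguana_service ;;
esac
```

Run sh harden.sh demo as any user to see the resulting modes on a throw-away tree, and sh harden.sh migrate as root to do the real crontab move. On a real server create the account first (for example useradd -r -m -s /usr/sbin/nologin IguanaDaemon on Debian/Ubuntu; the nologin path is /sbin/nologin on Red Hat derived systems, and macOS manages users with dscl instead) and add it to the owner group with usermod -aG <group> IguanaDaemon before calling the permission functions.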
