Mandatory access control model in FreeBSD

Introduction

To add an extra layer of server security, you can use a mandatory access control model. This article describes how to run Apache inside a jail with access only to those components that Apache and PHP need in order to work correctly. Using this principle you can restrict not just Apache, but any stack.

Preparation

This method works only with the UFS filesystem; in this example ZFS is used on the host system and UFS inside the jail. The first step is to rebuild the kernel, so install the source code when installing FreeBSD.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

You need to add just one line to this file:

options     MAC_MLS

The mls/high label dominates the mls/low label: applications started with the mls/low label cannot access files carrying the mls/high label. More details about all the labels available in FreeBSD can be found in this guide.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (in the -j option, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

Once the kernel has been compiled, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system: users first have to be moved into a login class that has been configured beforehand. Edit the /etc/login.conf file; in it you need to modify the default login class, bringing it to this form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal: allows users in this class to access files marked with any label (mls/low, mls/high). After these changes, you need to rebuild the login database and place the root user (and any others who need it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

So that the policy applies only to files, edit the /etc/mac.conf file, leaving only one line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to autoload:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After this, you can safely reboot the system. How to create a jail you can read in one of my articles. But before creating the jail, you need to add a hard disk, create a filesystem on it and enable multilabel on it; create a UFS2 filesystem with a block size of 64 KB:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the filesystem and enabling multilabel, add the disk to /etc/fstab by appending the line:

/dev/ada1               /jail  ufs     rw              0       1

In Mountpoint, specify the directory where the disk will be mounted; in Pass, be sure to put 1 (the order in which this disk is checked); this is necessary because the UFS filesystem is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail according to this guide. Once the jail is running, you need to make the same changes inside it as on the host system: the users and the files /etc/login.conf and /etc/mac.conf.

Configuration

Before setting the required labels, I recommend installing all the necessary packages; in my case, the labels will be set with these packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, the labels will be set according to the dependencies of these packages. Of course, you can make it simpler: set the mls/low label on the /usr/local/lib directory and the files in it, and the installed packages (for example, additional PHP extensions) will have access to the libraries in that directory, but I prefer to grant access only to those files that are strictly necessary. Stop the jail and set the mls/high label on all files:

setfmac -R mls/high /jail

When setting labels, the process will stop if setfmac encounters hard links; in my example I deleted the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

Once the labels are set, you need to set the mls/low label for Apache. The first thing to do is find out the dependencies needed to start Apache:

ldd /usr/local/sbin/httpd

After running this command, the dependencies are displayed on screen, but setting the required labels on these files alone is not enough, since the directories containing these files carry the mls/high label, so those directories also need to be labelled mls/low. At startup, Apache will also report the files it needs to run, and for PHP these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all the files necessary for the correct operation of the Apache and PHP stack (for the packages installed in my example).
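The dependency walk described above (label each library reported by ldd plus every directory above it, then verify nothing was left at mls/high), written out as an added example that is not part of the original article. It runs on constructed ldd and getfmac output, so it can be tried without a MAC-enabled system, and it only prints the setfmac commands rather than executing them.

```shell
# Added example (not from the original article): derive every path that must be
# labelled mls/low for a binary to start from `ldd` output, including each parent
# directory (a file labelled mls/low inside an mls/high directory is still
# unreachable), then check a `getfmac` listing for anything left at mls/high.
# All command output below is constructed for the example.

# Constructed, abridged `ldd /usr/local/sbin/httpd` output
SAMPLE_LDD='/usr/local/sbin/httpd:
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
        libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed `getfmac` listing of those paths; the /usr/local/lib directory was missed
SAMPLE_GETFMAC='/: mls/low
/lib: mls/low
/lib/libc.so.7: mls/low
/usr: mls/low
/usr/local: mls/low
/usr/local/lib: mls/high
/usr/local/lib/libaprutil-1.so.0: mls/low
/usr/local/lib/libpcre.so.1: mls/low'

# parent_dirs PATH: print every ancestor directory of PATH, ending with /
parent_dirs() {
    p=$(dirname "$1")
    while [ "$p" != "/" ]; do
        echo "$p"
        p=$(dirname "$p")
    done
    echo /
}

# mls_low_paths: ldd output on stdin -> sorted, unique set of files and directories
mls_low_paths() {
    # keep only "name => /resolved/path (addr)" lines; field 3 is the resolved path
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while IFS= read -r lib; do
        echo "$lib"
        parent_dirs "$lib"
    done | sort -u
}

# emit_setfmac: print (not run) one setfmac command per path in that set
emit_setfmac() {
    mls_low_paths | sed 's|^|setfmac mls/low |'
}

still_high() {   # getfmac output ("path: label") on stdin -> paths not at mls/low
    awk -F': ' '$2 != "mls/low" { print $1 }'
}

echo "$SAMPLE_LDD" | emit_setfmac
echo "$SAMPLE_GETFMAC" | still_high
```

On a real host the same pipeline is `ldd /usr/local/sbin/httpd | mls_low_paths | xargs getfmac | still_high`, run after applying the labels, to list anything that would still block the start.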

The final touch is to configure the jail to run at the mls/equal level and Apache at the mls/low level. To start the jail, you need to modify the /etc/rc.d/jail script: find the jail_start function in it and change the command variable to the form:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the required level, in this case mls/equal, so that it has access to all labels. For Apache, you need to edit the startup script /usr/local/etc/rc.d/apache24, changing the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official handbook contains a different example, but I could not use it because I kept getting a message that the setpmac command could not be used.

Conclusion

This access control method adds an extra layer of security to Apache (although the approach is suitable for any stack), which on top of that runs inside a jail; at the same time, for the administrator all of this happens transparently and unnoticed.

List of resources that helped me write this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

source: www.habr.com