Mandatory access control model in FreeBSD

Introduction

To provide an additional layer of server security, you can use the mandatory access control model. This article describes how to run Apache in a jail while restricting its access to only the objects that Apache and PHP need in order to work properly. The same principle can be used to restrict access not only for Apache, but for other software as well.

Preparation

This method works only on the UFS file system. In this example the host system uses ZFS, and the jail uses UFS. First, you need to rebuild the kernel. If you are installing FreeBSD from scratch, install the source code as well.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

You only need to add one line to this file:

options     MAC_MLS

The mls/high label dominates the mls/low label: applications running under the mls/low label cannot access files carrying the mls/high label. More about all the labels available in FreeBSD can be found in the corresponding chapter of the Handbook.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run the following (in the -j parameter, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

Once the kernel is compiled, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system: you must first configure the login class before switching users to it. Edit the file /etc/login.conf. In this file, edit the login class so that it looks like this:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal allows users in this class to access files marked with any label (mls/low, mls/high). After these changes, you must rebuild the login database and put the root user (and any other users who need it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

So that the policy applies only to files, edit the file /etc/mac.conf and leave only one line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to the boot loader:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After this, you can safely reboot the system. How to create a jail is described in one of my earlier posts. But before creating the jail, you need to add a hard drive, create a file system on it, and enable multilabel on it. Create a ufs2 file system with a block size of 64 KB:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, add the hard drive to /etc/fstab by adding a line to that file:

/dev/ada1               /jail  ufs     rw              0       1

In the Mountpoint field, specify the directory where you will mount the hard drive. In the Pass field, be sure to specify 1 (the order in which this hard drive will be checked). This is necessary because the UFS file system is very sensitive to sudden power loss. After these steps, mount the drive:

mount /dev/ada1 /jail

Install the jail into this directory. Once the jail is running, you need to perform the same configuration inside it as on the host system: the users and the /etc/login.conf and /etc/mac.conf files.

Configuration

Before setting the necessary labels, I recommend installing all the required packages. In my case, the labels will be set according to the following packages:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, the labels will be set according to the dependencies of these packages. A simpler approach would be to set the mls/low label on the /usr/local/lib directory and the files in it; packages installed later (for example, additional PHP extensions) would then be able to access the libraries in that directory. However, I think it is better to grant access only to the files that are strictly necessary. Stop the jail and set the mls/high label on all files:

setfmac -R mls/high /jail

When setting the labels, the process will abort if setfmac encounters hard links. In my example, I removed the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

Once the labels are set, you need to set the mls/low label for Apache. First, find out which files are required to run Apache:

ldd /usr/local/sbin/httpd

After running this command, the dependencies are printed to the screen, but labelling only these files is not enough, because the directories containing them are labelled mls/high, so these directories must also be labelled mls/low. Apache also reports the files it needs when it starts, and for PHP these dependencies can be found in httpd-error.log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list sets the mls/low label on all files necessary for the correct operation of the Apache and PHP packages (for the packages installed in my example).
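As an added example (not part of the original article), the following POSIX sh script turns ldd output into the list of setfmac targets, adding every parent directory of each library so that the directories get labelled along with the files. The ldd output embedded in it is constructed, not a real capture, and the function names are my own.

```sh
#!/bin/sh
# Added example: derive setfmac mls/low targets from ldd output.
# Labelling only the libraries is not enough: every directory on the path to
# a library must also carry mls/low, so each ancestor directory is included.

# Constructed sample of `ldd /usr/local/sbin/httpd` output (not a real capture).
SAMPLE_LDD='/usr/local/sbin/httpd:
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
        libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)
        libthr.so.3 => /lib/libthr.so.3 (0x800e00000)'

# Read ldd output on stdin; print each resolved library path plus all of its
# ancestor directories, deduplicated and sorted so parents precede children.
mls_low_targets() {
    awk '
        / => \// {
            path = $3
            print path
            # walk up: /usr/local/lib/x.so -> /usr/local/lib -> /usr/local -> /usr -> /
            while (path != "/") {
                sub("/[^/]*$", "", path)
                if (path == "") path = "/"
                print path
            }
        }' | sort -u
}

# Emit the setfmac commands as a dry run for review; pipe into sh to apply.
mls_low_commands() {
    mls_low_targets | sed 's|^|setfmac mls/low |'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LDD" | mls_low_commands
```

On a live system, `ldd /usr/local/sbin/httpd | mls_low_commands` produces the list; review it before applying, and remember that files Apache or PHP open only at runtime (those reported in httpd-error.log) do not appear in ldd output and must be added by hand. After applying, getfmac on each target should report mls/low.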

The final step is to configure the jail to run at the mls/equal level and Apache at the mls/low level. To start the jail, edit the /etc/rc.d/jail script. Find the jail_start function in this script and change the command so that it looks like this:

command="setpmac mls/equal $jail_program"

The setpmac command runs the executable at the required label level, in this case mls/equal, which guarantees access to all labels. For Apache, edit the startup script /usr/local/etc/rc.d/apache24. Change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        # Start httpd under the mls/low label instead of the caller's label
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official Handbook gives a different example, but I was not able to use it, because I kept receiving messages that the setpmac command could not be executed.

Conclusion

This access control method adds an additional layer of security to Apache (although it works with other software as well), which on top of that runs in a jail, while for the administrator all of this remains transparent and unnoticeable.

A list of the sources that helped me write this post:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.hab.com
