Mandatory access control model in FreeBSD

Introduction

To add an extra level of server security, you can use the mandatory access control (MAC) policy. This post describes how to run apache in a jail with access only to the resources that apache and php need in order to work correctly. Using this policy, you can restrict not only Apache but other services as well.

Preparation

This method is only suitable for the ufs file system; in this example, zfs is used on the main system and ufs inside the jail. The first step is to build the kernel, so when installing FreeBSD, install the source code as well.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

You only need to add one line to this file:

options     MAC_MLS

The mls/high label has a higher priority than the mls/low label: applications started with the mls/low label will not be able to access files carrying the mls/high label. More details about all the labels available in FreeBSD can be found in the handbook.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (the -j option specifies the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel has been built, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system, because you first need to move users to a login class that has been configured beforehand. Edit the file /etc/login.conf; in this file you need to change the default login class so that it takes the form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal: allows users who are members of this class to access files marked with any label (mls/low, mls/high). After these changes you need to rebuild the database and place the root user (and any other users who need it) in this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

To have the policy apply to files only, you need to edit the file /etc/mac.conf, leaving just one line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to the boot-time autoload:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After that you can safely reboot the system. How to build a jail you can read in one of my earlier posts. But before building the jail, you need to add a hard drive, create a file system on it and make it multilabel; create a ufs2 file system with a 64kb block size:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, you need to add the hard drive to /etc/fstab by adding this line to the file:

/dev/ada1               /jail  ufs     rw              0       1

In Mountpoint, specify the directory where you will mount the hard drive; in Pass, be sure to specify 1 (the pass in which this hard drive will be checked) - this is necessary because the ufs file system is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. Once the jail is running, you need to perform the same manipulations inside it as on the main system: the users and the files /etc/login.conf and /etc/mac.conf.

Configuration

Before setting the required labels, I recommend installing all the required packages; in my case, the labels are set taking these packages into account:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, the labels are set taking into account the dependencies of these packages. Of course, you can make it simpler: set the mls/low label on the /usr/local/lib directory and the files in it, and the extension libraries (for example, php extensions) will be able to access the libraries in that directory, but I prefer to grant access only to the files that are actually needed. Stop the jail and set the mls/high label on all of its files:

setfmac -R mls/high /jail

While setting the labels, the process is aborted if setfmac encounters hard links; in my example I removed the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After the labels have been set, you need to set the mls/low label for apache; the first thing to do is find out which files apache needs in order to start:

ldd /usr/local/sbin/httpd

After running this command, the dependencies are printed on the screen, but setting the required label on these files alone is not enough, because the directories in which these files reside carry the mls/high label, so these directories must also be labelled mls/low. On startup, apache itself also reports the files it needs in order to run, and for php the dependencies can be seen in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all files necessary for the correct operation of apache together with php (for the packages installed in my example).
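Building that list by hand is where the two mistakes described above creep in: a library gets labelled mls/low while one of its parent directories stays mls/high, or a path is simply forgotten. The following helper script is an added example, not part of the original post: label_targets turns ldd(1) output into the complete set of paths that need mls/low, including every ancestor directory up to /, and still_high reads getfmac(8) output (assumed to be one "path: label" line per file) and reports what is still not mls/low after relabelling. Both sample inputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post.  Two helpers for the
# labelling step:
#   label_targets - turns ldd(1) output into the full set of paths that need
#                   mls/low, adding every ancestor directory, since a library
#                   labelled mls/low stays unreachable while any directory on
#                   the way to it is still mls/high.
#   still_high    - reads getfmac(8) output ("path: label" per line, assumed
#                   format) and prints the paths whose label is not mls/low,
#                   i.e. what apache would still be denied after relabelling.
# The sample inputs below are constructed, not captured from a real host.

# Constructed, abridged ldd output for /usr/local/sbin/httpd.
SAMPLE_LDD='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
    libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed getfmac output after a partial relabel: /usr/local was missed.
SAMPLE_GETFMAC='/: mls/low
/lib: mls/low
/lib/libc.so.7: mls/low
/usr: mls/low
/usr/local: mls/high
/usr/local/lib: mls/low
/usr/local/lib/libpcre.so.1: mls/low'

# Print every ancestor directory of a path, up to and including "/".
ancestors() {
    p=$1
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        echo "$p"
    done
}

# stdin: ldd output.  stdout: sorted, unique list of paths needing mls/low.
# The first ldd line (the binary itself) has no "=>" and is skipped.
label_targets() {
    awk -F'=> ' '/=>/ { split($2, a, " "); print a[1] }' |
    while IFS= read -r lib; do
        echo "$lib"
        ancestors "$lib"
    done | LC_ALL=C sort -u
}

# stdin: label_targets output.  stdout: one setfmac command per path, for
# review before applying (pipe into sh inside the jail to apply).
setfmac_commands() {
    sed 's|^|setfmac mls/low |'
}

# stdin: getfmac output.  stdout: paths whose label is anything but mls/low.
still_high() {
    awk -F': ' '$2 != "mls/low" { print $1 }'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LDD" | label_targets | setfmac_commands
    echo "--- paths still not mls/low ---"
    printf '%s\n' "$SAMPLE_GETFMAC" | still_high
fi
```

Run it as `sh labels.sh demo` to see the generated commands; on a real host replace the constructed samples with `ldd /usr/local/sbin/httpd` and `getfmac` over the same paths. The script only prints commands, so the list can be reviewed (and hard links removed, as noted above) before anything is relabelled.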

The final touch is to configure the jail to run at the mls/equal level and apache at the mls/low level. To start the jail, you need to change the /etc/rc.d/jail script: find the jail_start function in it and change the command line to the form:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable with the required label, in this case mls/equal, so the jail has access to all labels. For apache you need to edit the startup script /usr/local/etc/rc.d/apache24 and change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official handbook has another example, but I could not use it because I got a message that the setpmac command could not be used.

Conclusion

This access control method adds an extra level of security for apache (although the method suits other services as well), which, together with the jail, remains transparent and unnoticeable to administrators.

List of resources that helped me write this post:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.hab.com
