Mandatory access control model in FreeBSD

Introduction

To add an extra layer of server security, you can use the mandatory access control model. This article describes how to run apache in a jail with access only to the elements that apache and php need in order to work correctly. Using the same principle, you can restrict not only apache but any other stack.

Preparation

This method is only suitable for the ufs file system; in this example, zfs is used on the host system and ufs in the jail. The first step is to rebuild the kernel, so when installing FreeBSD, install the source code as well.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

You only need to add one line to this file:

options     MAC_MLS

The mls/high label dominates the mls/low label: applications launched with the mls/low label will not be able to access files labelled mls/high. More details on all the labels available in FreeBSD can be found in this guide.
Then go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (in the -j option, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel is compiled, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system, because users still have to be moved into a login class that has been configured beforehand. Edit the /etc/login.conf file; in it, edit the default login class, bringing it to this form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The :label=mls/equal: line allows users who belong to this class to access files marked with any label (mls/low, mls/high). After these changes, you need to rebuild the login database and put the root user (and anyone else who needs it) in this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

For the policy to apply only to files, edit the /etc/mac.conf file, leaving a single line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to the boot-time autoload:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After that, you can safely reboot the system. How to create a jail you can read in one of my publications. However, before creating the jail, you need to add a hard drive, create a file system on it and enable multilabel on it; create a ufs2 file system with a 64 KB block size:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, add the hard drive to /etc/fstab by adding this line to the file:

/dev/ada1               /jail  ufs     rw              0       1

In Mountpoint, specify the directory where the hard drive will be mounted; in Pass, make sure to specify 1 (the order in which this disk is checked by fsck); this is necessary because the ufs file system is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail in this directory. Once the jail is running, perform the same manipulations inside it as on the host system: the users and the /etc/login.conf and /etc/mac.conf files.

Configuration

Before setting the required labels, I recommend installing all the necessary packages; in my case the labels will take these packages into account:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, the labels will take the dependencies of these packages into account. Of course, you can make it simpler: set the mls/low label on the /usr/local/lib directory and the files in it, and packages installed later (for example, additional php extensions) will be able to access the libraries in that directory; but it seems better to me to grant access only to the files that are actually needed. Stop the jail and set the mls/high label on all files:

setfmac -R mls/high /jail

When setting labels, the process stops if setfmac encounters hard links; in my example I deleted the hard links in these directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl
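Since a hard link stops the recursive setfmac pass, it helps to know where such files are before running it. The following script is an added example, not code from the original article; hardlinks_in and hardlink_count are names chosen here, and the demo tree it builds under mktemp is constructed so the script runs anywhere, not only on a FreeBSD host.

```sh
#!/bin/sh
# Added example (not from the original article): list the hard-linked regular
# files under a tree before running `setfmac -R mls/high /jail`, so the
# labelling pass is not interrupted part-way through. Every name that shares
# an inode with another name is printed (both names of a pair appear).
# Usage on a real host: hardlinks_in /jail

# Regular files whose inode has more than one link; -xdev keeps the search
# on the jail's own file system so a bind-mounted host tree is not scanned.
hardlinks_in() {
    find "$1" -xdev -type f -links +1
}

# How many such names exist under the tree: 0 means setfmac -R can proceed.
hardlink_count() {
    hardlinks_in "$1" | wc -l | tr -d ' '
}

# Self-contained demo on a constructed throw-away tree: a and b share an
# inode, c is an ordinary file and must not be reported.
demo_dir=$(mktemp -d)
printf 'x\n' > "$demo_dir/a"
ln "$demo_dir/a" "$demo_dir/b"
printf 'y\n' > "$demo_dir/c"
hardlinks_in "$demo_dir"
echo "hard-linked names: $(hardlink_count "$demo_dir")"
rm -rf "$demo_dir"
```

On the real jail, the listed names are the ones to remove or replace (as the article does for /var/db/etcupdate and the /etc/ssl, /usr/local/etc and /usr/local/openssl entries) before the recursive labelling run.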

After the labels are set, you need to set the mls/low label for apache; the first thing to do is find out which files apache needs to start:

ldd /usr/local/sbin/httpd

After running this command, the dependencies are shown on screen, but setting the required labels on those files alone is not enough, because the directories containing them are labelled mls/high, so those directories also need to be labelled mls/low. On startup, apache will also report the files it needs to run, and for php these dependencies can be found in the httpd-error.log file.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list sets the mls/low label on all files needed for the correct operation of the apache and php combination (for the packages installed in my example).
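The long list above was assembled by hand from the ldd output and from the directories on each library's path. The following script is an added example, not code from the original article or from FreeBSD: it reads ldd(1) output, prints one setfmac command for every library and for every directory above it (each path once, directories first), and flags libraries ldd could not resolve. The function names ancestors, ldd_paths and label_low are chosen here, SAMPLE_LDD is a constructed stand-in for real ldd output, and it only executes setfmac when APPLY=1 is set on a FreeBSD host with the MAC/MLS kernel.

```sh
#!/bin/sh
# Added example (not from the original article or from FreeBSD): turns the
# dependency list that `ldd /usr/local/sbin/httpd` prints into one setfmac
# command per library and per directory above it. A file labelled mls/low is
# still unreachable to an mls/low process while any directory on its path
# stays mls/high, which is why the directories must be labelled as well.
# Dry run by default (prints the commands); APPLY=1 runs setfmac instead.

# Print a path and every directory above it, root first, one per line.
ancestors() {
    rest=${1#/}
    cur=""
    printf '/\n'
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        printf '%s\n' "$cur"
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
    done
}

# Read FreeBSD ldd(1) output on stdin ("libc.so.7 => /lib/libc.so.7 (0x...)")
# and print the resolved library paths. A library ldd reports as "not found"
# is written to stderr instead, because labelling cannot fix a missing file.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\//  { print $3 }
         $2 == "=>" && $3 !~ /^\// { print "unresolved: " $1 > "/dev/stderr" }'
}

# Label each argument and its parent directories mls/low, every path once,
# directories before the files that live in them.
label_low() {
    for f in "$@"; do
        ancestors "$f"
    done | awk '!seen[$0]++' | while IFS= read -r path; do
        if [ "${APPLY:-0}" = 1 ]; then
            setfmac mls/low "$path"
        else
            printf 'setfmac mls/low %s\n' "$path"
        fi
    done
}

# Constructed sample of what ldd prints for httpd (a real run lists more).
SAMPLE_LDD='/usr/local/sbin/httpd:
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Dry run over the sample; on a real host pipe `ldd /usr/local/sbin/httpd`
# into ldd_paths in place of the printf.
label_low $(printf '%s\n' "$SAMPLE_LDD" | ldd_paths)
```

Run it once per executable (httpd, then the php module's own libraries as they show up in httpd-error.log) and review the printed commands before setting APPLY=1; the dry run is also a quick way to compare the generated list against the hand-written one above and spot a directory that was missed.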

The final touch is configuring the jail to run at the mls/equal level and apache at the mls/low level. To start the jail, you need to change the /etc/rc.d/jail script: find the jail_start function in it and change the command variable to this form:

command="setpmac mls/equal $jail_program"

The setpmac command runs the executable at the required label level, in this case mls/equal, so that it has access to all labels. For apache, edit the startup script /usr/local/etc/rc.d/apache24 and change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official manual gives another example, but I could not use it because I kept getting a message saying the setpmac command could not be used.

Conclusion

This access control method adds an extra layer of security to apache (although it is suitable for any other stack), which in addition runs in a jail; at the same time, for the administrator all of this happens transparently and unnoticed.

List of sources that helped me write this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
