Mandatory access-control model in FreeBSD

Introduction

To add another layer of security to a server, you can use the mandatory access-control model. This article describes how to run Apache in a jail with access only to the components that Apache and PHP need in order to work correctly. Using the same principle, you can restrict not only Apache but other software stacks as well.

Practice

This method only works on the UFS file system; in this example ZFS is used on the host system and UFS inside the jail. The first step is to rebuild the kernel, so when installing FreeBSD, install the source code as well.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

You only need to add one line to this file:

options     MAC_MLS

The mls/high label dominates the mls/low label: an application launched with the mls/low label will not be able to access files that carry the mls/high label. More details about all the labels available in FreeBSD can be found in the FreeBSD Handbook.
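To make the dominance rule concrete, here is a small shell model (added for this article; it is not code from the original post or from FreeBSD) of how mac_mls decides read and write access from a subject label and an object label. It assumes only the labels used in this article plus plain numeric levels of the form mls/N, and it ignores compartments; the rank numbers are an internal convention of the model, not values used by the kernel.

```shell
#!/bin/sh
# Model of mac_mls label dominance (added example, simplified: no compartments).
# Ranking convention (assumption of this model): mls/low is below every numeric
# level, mls/high is above every numeric level, mls/equal matches any label.

# mls_rank LABEL: print a comparable integer for LABEL, or fail for an
# unknown label (treated as "no access" by the callers below).
mls_rank() {
    case "$1" in
        mls/low)  printf '%s\n' -1 ;;
        mls/high) printf '%s\n' 65536 ;;
        mls/[0-9]*)
            lvl=${1#mls/}
            case "$lvl" in *[!0-9]*) return 1 ;; esac   # reject mls/5abc, mls/5:2
            printf '%s\n' "$lvl" ;;
        *) return 1 ;;
    esac
}

# mls_dominates A B: succeed if label A dominates label B.
mls_dominates() {
    [ "$1" = mls/equal ] || [ "$2" = mls/equal ] && return 0
    a=$(mls_rank "$1") && b=$(mls_rank "$2") && [ "$a" -ge "$b" ]
}

# Bell-LaPadula as enforced by mac_mls: a subject may read an object only if
# the subject dominates it (no read up), and may write to an object only if
# the object dominates the subject (no write down).
mls_can_read()  { mls_dominates "$1" "$2"; }   # subject, object
mls_can_write() { mls_dominates "$2" "$1"; }   # subject, object

# Stand-alone demonstration of the case the article relies on.
if mls_can_read mls/low mls/high; then
    echo "mls/low process CAN read mls/high file (unexpected)"
else
    echo "mls/low process cannot read mls/high file"
fi
```

This is why setting mls/low on Apache's files and then running httpd at mls/low works: the process can read everything labelled mls/low or lower, and the rest of the jail, left at mls/high, is invisible to it. A process started at mls/equal (as the jail itself will be later) passes both checks against any label.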
Next, change to the /usr/src directory:

cd /usr/src

To start building the kernel, run the following (the -j flag specifies the number of CPU cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel has been compiled, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not hurry to reboot the system, because you first need to move the users into a login class that has been configured for the policy. Edit the file /etc/login.conf; in this file you need to change the default login class so that it looks like this:

default:\
        :passwd_format=sha512:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
        :nologin=/var/run/nologin:\
        :cputime=unlimited:\
        :datasize=unlimited:\
        :stacksize=unlimited:\
        :memorylocked=64K:\
        :memoryuse=unlimited:\
        :filesize=unlimited:\
        :coredumpsize=unlimited:\
        :openfiles=unlimited:\
        :maxproc=unlimited:\
        :sbsize=unlimited:\
        :vmemoryuse=unlimited:\
        :swapuse=unlimited:\
        :pseudoterminals=unlimited:\
        :kqueues=unlimited:\
        :umtxp=unlimited:\
        :priority=0:\
        :ignoretime@:\
        :umask=022:\
        :label=mls/equal:

The line :label=mls/equal allows users who are members of this class to access files marked with any label (mls/low, mls/high). After these changes, you need to rebuild the login database and place the root user (and any other users who need it) in this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

So that the policy applies only to files, you need to modify /etc/mac.conf, leaving only one line in it:

default_labels file ?mls

You also need to make the mac_mls.ko module load automatically at boot:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After this, you can safely reboot the system. How to create a jail is covered in one of my earlier publications. But before creating the jail, you need to add a hard drive and create a file system on it with multilabel enabled; create a UFS2 file system with a 64 KB block size:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, you need to add the hard drive to /etc/fstab by adding the following line to that file:

/dev/ada1               /jail  ufs     rw              0       1

In the Mountpoint column, specify the directory where the hard drive will be mounted; in the Pass column, be sure to specify 1 (the order in which this disk is checked at boot). This is necessary because the UFS file system is sensitive to sudden power loss. After this step, mount the disk:

mount /dev/ada1 /jail

Install the jail in this directory. Once the jail is running, you need to perform the same steps inside it as on the host system: the user login class and the files /etc/login.conf and /etc/mac.conf.

Additional setup

Before setting the required labels, I recommend installing all the required packages; in my case, the labels will be set with the following packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, the labels will be set with the dependencies of these packages in mind. Of course, you could do it more simply: set the mls/low label on the /usr/local/lib directory and the files in it, and any packages installed later (for example, additional PHP extensions) would then be able to access the libraries in that directory; but to me it seems better to grant access only to the files that are actually needed. Stop the jail and set the mls/high label on all of its files:

setfmac -R mls/high /jail

While setting the labels, the process will stop if setfmac encounters a hard link; in my case, I removed the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl
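Rather than discovering hard links one at a time when setfmac -R stops, you can list them up front. The following shell function (an added example, not from the original article) uses only POSIX find to report every regular file whose link count is greater than one; the demonstration builds a constructed temporary tree with one hard-linked pair, so it runs anywhere and does not touch a real jail. The path /jail is the one used in the article; any other tree can be passed instead.

```shell
#!/bin/sh
# Added example: find hard-linked regular files under a tree before relabelling.
# -links +1 matches files whose link count exceeds 1, i.e. every name of an
# inode that is hard-linked. Both names of each pair are printed, so the
# administrator can decide which one to drop before running setfmac -R.
find_hardlinks() {
    find "$1" -type f -links +1
}

# Self-contained demonstration on a constructed temporary tree (not real data):
# one hard-linked pair plus one ordinary file. Prints the number of names
# reported, which is 2 for the pair (the ordinary file is not listed).
demo_hardlink_count() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/ssl" "$tmp/usr/local/etc"
    printf 'x\n' > "$tmp/etc/ssl/openssl.cnf"
    ln "$tmp/etc/ssl/openssl.cnf" "$tmp/usr/local/etc/openssl.cnf"   # hard-linked pair
    printf 'y\n' > "$tmp/etc/motd"                                    # link count 1
    n=$(find_hardlinks "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    printf '%s\n' "$n"
}

# Usage on a real jail (commented out so the script runs stand-alone):
# find_hardlinks /jail
```

Run find_hardlinks on the stopped jail's root before the recursive setfmac; an empty result means the relabelling pass will not be interrupted by hard links.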

Once the labels are set, you need to set the mls/low label for Apache. First, find out which files are needed to start Apache:

ldd /usr/local/sbin/httpd

After running this command, the dependencies are shown on screen, but setting the required label on those files alone is not enough: the directories containing those files still carry the mls/high label, so those directories must also be labelled mls/low. At startup, Apache will also report the files it needs in order to run, and for PHP these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all the files needed for the Apache and PHP combination to work correctly (for the packages installed in my example).
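The point made above, that every ancestor directory of a library must be relabelled as well as the library itself, is easy to get wrong by hand. The following shell script (an added example, not from the original article) takes the output of ldd, extracts each resolved library path, and expands it into the library plus all of its parent directories, producing a reviewable list of setfmac commands. The ldd output embedded below is constructed for the demonstration; on a real system you would feed it `ldd /usr/local/sbin/httpd` instead.

```shell
#!/bin/sh
# Added example: turn ldd output into the full set of paths that need mls/low.

# Constructed sample in the FreeBSD ldd format (not real output).
SAMPLE_LDD='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a40000)
    libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# label_targets LDD_TEXT: print every path to relabel, one per line, sorted
# and deduplicated: each resolved library plus each of its ancestor
# directories up to and including "/", because a directory still labelled
# mls/high blocks an mls/low process from reaching anything beneath it.
label_targets() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while IFS= read -r path; do
        p=$path
        while [ "$p" != "/" ]; do
            printf '%s\n' "$p"
            p=$(dirname "$p")
        done
        printf '/\n'
    done | LC_ALL=C sort -u
}

# setfmac_script LDD_TEXT: emit the setfmac commands without executing them,
# so the list can be reviewed (and merged with the config, log and
# socket paths the article adds by hand) before it is run inside the jail.
setfmac_script() {
    label_targets "$1" | while IFS= read -r p; do
        printf 'setfmac mls/low %s\n' "$p"
    done
}

# Stand-alone run on the constructed sample; on a real host use:
#   setfmac_script "$(ldd /usr/local/sbin/httpd)"
setfmac_script "$SAMPLE_LDD"
```

Note that ldd only shows shared-library dependencies; the files Apache and PHP open at run time (configuration under /usr/local/etc, logs and the pid file under /var, /etc/resolv.conf, /dev/random and so on) still have to be added from the startup errors and httpd-error.log, as the list above shows.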

The finishing touch is to configure the jail to run at the mls/equal level and Apache at the mls/low level. To start the jail, you need to change the /etc/rc.d/jail script: find the jail_start function in this script and change the command variable to:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the required label, in this case mls/equal, so that it can access all labels. For Apache you need to change the startup script /usr/local/etc/rc.d/apache24 by replacing the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official manual contains a different example, but I could not use it because I kept getting a message that the setpmac command could not be used.

Conclusion

This way of distributing access adds another layer of security for Apache (although the method is suitable for other stacks too), which in addition runs in a jail; at the same time, for the administrator all of this is transparent and unobtrusive.

List of sources that helped me write this publication:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
