Mandatory access control model in FreeBSD

Introduction

To add another layer of security to a server, you can use the mandatory access control (MAC) model. This article describes how to run Apache inside a jail with access only to those files that Apache and PHP need in order to work correctly. Using the same principle you can confine not only Apache but any other stack.

Preparation

This method works only with the UFS file system: per-file labels require the UFS multilabel flag, which ZFS does not offer (a ZFS file system can carry only a single label). In this example ZFS is used on the host system and UFS inside the jail. The first step is to rebuild the kernel, so install the source code when installing FreeBSD.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Only one line needs to be added to this file:

options     MAC_MLS

In MLS the mls/high label dominates mls/low: a process started with the mls/low label cannot read files that carry the higher label (the policy enforces no read up and no write down). More about all the labels available in FreeBSD can be found in the handbook.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (with the -j option give the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

When the kernel is built, it has to be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system: users first have to be moved into a login class that carries an MLS label, and that class has to be configured before the reboot. Edit /etc/login.conf and bring the default login class into the following form:

default:\
	:passwd_format=sha512:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
	:nologin=/var/run/nologin:\
	:cputime=unlimited:\
	:datasize=unlimited:\
	:stacksize=unlimited:\
	:memorylocked=64K:\
	:memoryuse=unlimited:\
	:filesize=unlimited:\
	:coredumpsize=unlimited:\
	:openfiles=unlimited:\
	:maxproc=unlimited:\
	:sbsize=unlimited:\
	:vmemoryuse=unlimited:\
	:swapuse=unlimited:\
	:pseudoterminals=unlimited:\
	:kqueues=unlimited:\
	:umtxp=unlimited:\
	:priority=0:\
	:ignoretime@:\
	:umask=022:\
	:label=mls/equal:

The line :label=mls/equal: lets users who belong to this class access files carrying any label (mls/low, mls/high). After these changes, rebuild the login database and put the root user (and any other users who need it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

To apply the policy to file objects only, edit /etc/mac.conf and leave a single line in it:

default_labels file ?mls

The mac_mls.ko module also has to be loaded automatically at boot:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

Now the system can be rebooted safely. How to create jails you can read in one of my earlier articles. Before creating the jail, though, a separate disk has to be added, a file system created on it and the multilabel flag enabled on that file system. Create a UFS2 file system with a 64 KB block size (the largest block size UFS allows); tunefs must be run while the file system is still unmounted, which is why this is done before the disk goes into fstab:

newfs -O 2 -b 65536 /dev/ada1
tunefs -l enable /dev/ada1

Once the file system has been created and multilabel enabled, add the disk to /etc/fstab with a line like this:

/dev/ada1               /jail  ufs     rw              0       2

In Mountpoint give the directory on which the disk will be mounted. In Pass give a non-zero value so that fsck checks the file system at boot; this matters because UFS is sensitive to sudden power loss. fstab(5) reserves pass 1 for the root file system, so 2 is the right value for this disk. After these steps mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. Once the jail is running, repeat the same steps inside it as on the host system: the login class in /etc/login.conf, the users, and /etc/mac.conf.
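The host-side preparation above, collected into one re-runnable script. This is an added example and not code from the original article; it assumes the article's own paths (GENERIC on amd64, /etc/login.conf, /etc/mac.conf, /boot/loader.conf, /dev/ada1 mounted on /jail) and the hypothetical MLS_PREP_APPLY switch. The helper functions are what makes the script safe to run twice: the kernel option and loader entry are only appended if missing, and the login class only gets a :label= entry if it has none yet.

```shell
#!/bin/sh
# Added example, not code from the original article: the host preparation
# steps as one re-runnable script. Assumes the article's paths (GENERIC on
# amd64, /etc/login.conf, /etc/mac.conf, /boot/loader.conf, /dev/ada1 on
# /jail). Nothing on the real system is changed unless MLS_PREP_APPLY=yes
# (an assumed switch) is set; the helpers can be exercised on file copies.

# ensure_line FILE LINE: append LINE unless an identical line already exists,
# so re-running never duplicates the kernel option or the loader entry.
ensure_line() {
	_f=$1; _l=$2
	[ -f "$_f" ] || : > "$_f"
	grep -qxF -- "$_l" "$_f" || printf '%s\n' "$_l" >> "$_f"
}

# login_class_label FILE CLASS: print the :label= value of CLASS from a
# login.conf(5) file, or nothing if the class carries no label.
login_class_label() {
	awk -v cls="$2" '
		/^[^[:space:]#]/ { n = $0; sub(/[:|].*/, "", n); cur = n }
		cur == cls && match($0, /:label=[^:]*:/) {
			print substr($0, RSTART + 7, RLENGTH - 8); exit
		}' "$1"
}

# set_class_label FILE CLASS LABEL: insert ":label=LABEL:" right after the
# "CLASS:\" header line unless the class already has a label. Capability
# order inside a stanza does not matter to cap_mkdb(1).
set_class_label() {
	_f=$1; _c=$2; _lab=$3
	[ -z "$(login_class_label "$_f" "$_c")" ] || return 0
	awk -v cls="$_c" -v lab="$_lab" '
		{ n = $0; sub(/[:|].*/, "", n) }
		/^[^[:space:]#]/ && n == cls { print; printf "\t:label=%s:\\\n", lab; next }
		{ print }' "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
}

# prepare_host: the article's commands in order. Run as root on the host.
prepare_host() {
	ensure_line /usr/src/sys/amd64/conf/GENERIC 'options     MAC_MLS'
	( cd /usr/src && make -j "$(sysctl -n hw.ncpu)" buildkernel KERNCONF=GENERIC &&
	  make installkernel KERNCONF=GENERIC ) || return 1
	set_class_label /etc/login.conf default mls/equal
	cap_mkdb /etc/login.conf
	pw usermod root -L default
	printf 'default_labels file ?mls\n' > /etc/mac.conf
	ensure_line /boot/loader.conf 'mac_mls_load="YES"'
	# Jail disk: UFS2, 64 KB blocks, multilabel flag set while unmounted,
	# checked by fsck in pass 2, then mounted.
	newfs -O 2 -b 65536 /dev/ada1
	tunefs -l enable /dev/ada1
	mkdir -p /jail
	ensure_line /etc/fstab '/dev/ada1    /jail    ufs    rw    0    2'
	mount /dev/ada1 /jail
}

if [ "${MLS_PREP_APPLY:-no}" = yes ]; then
	prepare_host
fi
```

Run the same script again inside the jail (without the kernel and disk steps) to get the identical login class and mac.conf there; the login_class_label helper is also a quick way to confirm that a class really carries mls/equal before rebooting.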

Installation

Before setting any labels, I recommend installing all the packages you need; in the case of this article the following packages are installed:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example the labels are set with the dependencies of these packages in mind. You could of course do it more simply: set the mls/low label on the /usr/local/lib directory and the files in it, and packages installed later (for example additional PHP extensions) will be able to use the libraries in that directory; but it seems better to me to grant access only to what is actually needed. Stop the jail and, from the host, set the mls/high label on all of its files:

setfmac -R mls/high /jail

While setting labels, the process stops if setfmac runs into hard links; in my case I deleted the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

Once everything is labelled, set mls/low on what Apache needs. First find out which files Apache requires in order to start (run this inside the jail, or prefix the paths with /jail when working from the host):

ldd /usr/local/sbin/httpd

This command prints the shared-library dependencies, but labelling only these files is not enough: the directories in which they live still carry mls/high, so an mls/low process cannot traverse them, and those directories have to be labelled mls/low as well. On start-up Apache also reports which files it still cannot open, and for PHP the missing dependencies show up in httpd-error.log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for every file needed for the Apache and PHP combination to work correctly (for the set of packages installed in my example).
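The list above was assembled by hand from ldd output plus the parent directories of every library. The script below automates exactly that reasoning and adds the check the text hints at (files that still carry mls/high after labelling). It is an added example and not code from the original article; SAMPLE_LDD is constructed test input in FreeBSD ldd(1) output format, /libexec/ld-elf.so.1 is taken from the article's own list because ldd does not print the runtime linker, and the --apply switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article: derive the mls/low label
# set for a binary the way the text does by hand (every shared object ldd(1)
# reports plus every parent directory of each of them) and check the result
# with getfmac(1). setfmac/getfmac run only with --apply. SAMPLE_LDD is
# constructed test input in FreeBSD ldd output format.

SAMPLE_LDD='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
    libfoo.so.1 => not found (0)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# parse_ldd: stdin = ldd output, stdout = absolute paths of resolved libraries
# ("not found" entries and the [vdso] line carry no path and are skipped).
parse_ldd() {
	awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# with_parent_dirs: stdin = paths, stdout = those paths plus every ancestor
# directory up to /, each printed once. A file labelled mls/low is useless to
# an mls/low process if a directory on the way to it is still mls/high.
with_parent_dirs() {
	awk '
		function emit(p) { if (!(p in seen)) { seen[p] = 1; print p } }
		{
			p = $0; emit(p)
			while (p != "/") {
				sub("/[^/]*$", "", p)
				if (p == "") p = "/"
				emit(p)
			}
		}'
}

# setfmac_lines: stdin = paths, stdout = the setfmac commands to run.
setfmac_lines() {
	sed 's|^|setfmac mls/low |'
}

# mislabelled EXPECTED: stdin = getfmac output ("path: label" per line),
# stdout = paths whose label is not EXPECTED. Empty output means all good.
mislabelled() {
	awk -v want="$1" -F': ' '$NF != want { print $1 }'
}

# label_low_deps BIN [--apply]: print (or with --apply run and then verify)
# the setfmac commands for BIN, its libraries, the runtime linker from the
# article's list, and all their parent directories.
label_low_deps() {
	bin=$1
	cmds=$( { printf '%s\n%s\n' "$bin" /libexec/ld-elf.so.1; ldd "$bin" | parse_ldd; } \
		| with_parent_dirs | setfmac_lines )
	if [ "$2" = --apply ]; then
		printf '%s\n' "$cmds" | sh -e
		printf '%s\n' "$cmds" | awk '{ print $3 }' | xargs getfmac | mislabelled mls/low
	else
		printf '%s\n' "$cmds"
	fi
}
```

Usage inside the jail: label_low_deps /usr/local/sbin/httpd prints the commands for review, and label_low_deps /usr/local/sbin/httpd --apply runs them and prints any path whose label did not end up as mls/low. Libraries that PHP loads at run time (dlopen from httpd-error.log) and the non-library objects in the list above, such as /dev/random, the log files and the password database, are not visible to ldd and still have to be added by hand.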

The final touch is to run the jail itself at mls/equal and Apache at mls/low. For the jail to start with the right label, the /etc/rc.d/jail script has to be modified: find the jail_start function in it and change the assignment of the command variable to the following form (this file belongs to the base system and is replaced on upgrade, so the change has to be reapplied afterwards):

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the requested label, in this case mls/equal, so the jail has access to objects with every label. For Apache, edit the start script /usr/local/etc/rc.d/apache24 inside the jail and change the apache24_prestart function. Note that rc.subr still runs ${command} itself after the prestart function returns, so after starting Apache confirm with getpmac -p on the PID from /var/run/httpd.pid that the httpd that stays running carries mls/low:

apache24_prestart() {
	apache24_checkfib
	apache24_precmd
	# start httpd at mls/low instead of at the label of the rc process
	eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official handbook contains another example, but I could not use it, because I kept getting a message that the setpmac command could not be used.

Conclusion

This way of distributing access adds a further layer of security for Apache (although the method suits any other stack just as well), which on top of that runs inside a jail; for the administrator all of this stays transparent and unobtrusive.

List of sources that helped me in writing this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com