Mandatory access control model in FreeBSD

Introduction

To add an extra layer of server security, you can use the mandatory access control model. This article describes how to run Apache in a jail with access only to the components that Apache and PHP need in order to work correctly. Using the same principle, you can confine not only Apache but any other stack as well.

Preparation

This method is only suitable for the UFS file system; in this example, ZFS is used on the host system and UFS inside the jail. The first step is to rebuild the kernel, so install the source code when installing FreeBSD.
Once the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Only one line needs to be added to this file:

options     MAC_MLS

The mls/high label dominates the mls/low label: an application started with the mls/low label cannot access files carrying the mls/high label. More details on all the labels available in FreeBSD can be found in this guide.
Next, change to the /usr/src directory:

cd /usr/src

To start building the kernel, run the following (in the -j option, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel has been compiled, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot, because the users first have to be moved into a login class once it has been configured. Edit the file /etc/login.conf; in this file you need to edit the default login class and bring it to the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal: allows users who are members of this class to access files marked with any label (mls/low, mls/high). After this change, rebuild the login database and put the root user (and anyone else who needs it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

So that the policy is applied only to files, edit the file /etc/mac.conf, leaving just one line:

default_labels file ?mls

You also need to add the mac_mls.ko module to the boot loader so it is loaded automatically:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After this, you can safely reboot the system. How to create a jail is described in one of my other publications. Before creating the jail, however, you need to add a hard drive, create a file system on it and enable multilabel support on it. Create a UFS2 file system with a cluster size of 64kb:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, add the hard drive to /etc/fstab by appending the following line to the file:

/dev/ada1               /jail  ufs     rw              0       1

In the Mountpoint column, specify the directory where the drive will be mounted; in the Pass column, be sure to specify 1 (the order in which this drive is checked at boot). This is necessary because the UFS file system is sensitive to sudden power loss. After this step, mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. Once the jail is running, repeat the same steps inside it as on the host system: the users and the files /etc/login.conf and /etc/mac.conf.

Configuration

Before setting the required labels, I recommend installing all the required packages first; in my case, the labels will be set with the following packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, the labels are set according to the dependencies of these packages. Of course, you could take a simpler route: set the mls/low label on the /usr/local/lib directory and the files in it, and any packages installed later (for example, additional PHP extensions) would be able to access the libraries in that directory. It seems better to me, however, to grant access only to those files that are actually needed. Stop the jail and set the mls/high label on all of its files:

setfmac -R mls/high /jail

When setting the labels, the process stops if setfmac encounters a hard link; in my example I removed the hard links in these directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After the labels have been set, you need to set the mls/low label for Apache. The first thing to do is find out which files Apache needs in order to start:

ldd /usr/local/sbin/httpd

This command prints the dependencies, but setting the required label on these files alone is not enough: the directories that contain them carry the mls/high label, so those directories must also be labelled mls/low. On startup, Apache will also report the files it needs in order to run, and for PHP these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list sets the mls/low label on all the files required for the Apache and PHP combination to work correctly (for the packages installed in my example).
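The bookkeeping behind a list like the one above, as an added example that is not part of the original article: it takes ldd output (a constructed sample here, in place of `ldd /usr/local/sbin/httpd`), extracts the resolved library paths, and expands each one with every parent directory up to /, since a file labelled mls/low inside an mls/high directory is still unreachable for an mls/low process. It prints the resulting setfmac commands rather than running them, so it can be reviewed before being applied inside the jail.

```shell
#!/bin/sh
# Added example, not from the original article: plan the mls/low labels for a
# dynamically linked binary from its ldd(1) output, directories included.

# Constructed sample of ldd output (a few lines only, not the real full list).
SAMPLE_LDD='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800230000)
    libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800270000)
    libdb-5.3.so.0 => /usr/local/lib/db5/libdb-5.3.so.0 (0x800300000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x800500000)
    libc.so.7 => /lib/libc.so.7 (0x800600000)'

# Print only the resolved library paths from ldd output read on stdin.
# Unresolved entries ("=> not found") have no leading slash and are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# For each path on stdin, print the path and all of its ancestors, once each.
# Byte-order sorting guarantees a directory is listed before its contents.
with_parents() {
    while IFS= read -r p; do
        while [ -n "$p" ]; do
            printf '%s\n' "$p"
            p=${p%/*}          # strip the last component: /a/b/c -> /a/b
        done
        printf '/\n'           # the root itself must be mls/low as well
    done | LC_ALL=C sort -u
}

# Emit one setfmac line per path. The run-time loader is added explicitly
# because ldd does not list it, yet every dynamic binary needs it.
mls_low_plan() {
    {
        printf '%s\n' "$SAMPLE_LDD" | ldd_paths
        printf '/libexec/ld-elf.so.1\n'
    } | with_parents | sed 's|^|setfmac mls/low |'
}

mls_low_plan
```

On a real host, replace the constructed sample with the output of ldd on the binary in question and add the files the server reports at startup (and, for PHP, in httpd-error.log) to the same pipeline.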

The final touch is configuring the jail to run at the mls/equal level and Apache at the mls/low level. To start the jail, modify the /etc/rc.d/jail script: find the jail_start function in it and change the command variable to the following form:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the requested label, in this case mls/equal, so that the jail has access to all labels. For Apache, edit the startup script /usr/local/etc/rc.d/apache24 and change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official manual contains a different example, but I could not use it because I kept getting a message about being unable to use the setpmac command.

Conclusion

This method of separating access adds an extra layer of security for Apache (although it is suitable for any other stack), on top of running it in a jail, and at the same time, for the administrator, all of this happens transparently and unnoticeably.

List of sources that helped me in writing this publication:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
