The mandatory rights distribution model in FreeBSD

Introduction

To provide an additional level of server security, you can use the mandatory access distribution model. This post describes how you can run apache in a jail with access only to those objects that apache and php need in order to work correctly. Using this principle, you can restrict not only Apache but any other stack as well.

Preparation

This method is only suitable for the ufs file system; in this example zfs will be used on the host system and ufs in the jail, respectively. The first step is to rebuild the kernel, so include the source code when installing FreeBSD.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

You only need to add one line to this file:

options     MAC_MLS

The mls/high label dominates the mls/low label: programs started with the mls/low label will not be able to access files carrying the mls/high label. More details about all the labels available in FreeBSD can be found in this guide.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (for the -j option, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel has been compiled, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system, because the users must first be moved into a login class that has been configured beforehand. Edit the /etc/login.conf file; in this file you need to edit the default login class, bringing it to the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The :label=mls/equal line will allow users who are members of this class to access files with any label (mls/low, mls/high). After this manipulation, you need to rebuild the database and put the root user (along with any others who need it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

For the policy to apply to files only, you need to edit the /etc/mac.conf file, leaving just one line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to the loader so that it loads automatically:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After that, you can safely reboot the system. How to create a jail you can read in one of my publications. But before creating the jail, you need to add a hard drive, create a file system on it and enable multilabel on it; create a ufs2 file system with a cluster size of 64kb:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, you need to add the hard drive to /etc/fstab; add a line to this file:

/dev/ada1               /jail  ufs     rw              0       1

In Mountpoint, specify the directory where you will mount the hard drive; in Pass, be sure to specify 1 (the order in which this hard drive will be checked) - this is important, since the ufs file system is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail in this directory. Once the jail is running, you need to perform the same manipulations inside it as on the host system with the users and the /etc/login.conf and /etc/mac.conf files.

Configuration

Before configuring the necessary labels, I recommend installing all the required packages; in my case, the labels will be set with these packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, labels will be set according to the dependencies of these packages. In fact, you can make it simpler: set mls/low labels on the /usr/local/lib folder and the files in this directory, and packages installed later (for example, additional php extensions) will be able to access the libraries in this directory; but it seems better to me to grant access only to those files that are actually necessary. Exit the jail and set mls/high labels on all of its files:

setfmac -R mls/high /jail

During labeling, the process will stop if setfmac encounters hard links; in my example I deleted the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After the labels are set, you need to set mls/low labels for apache; the first thing to do is find out which files are needed to start apache:

ldd /usr/local/sbin/httpd

After running this command, the dependencies will be displayed on the screen, but setting the required labels on these files alone will not be enough, since the directories where these files are located carry the mls/high label, so these directories also need to be labeled mls/low. On startup, apache will also report the files it needs in order to run, and for php these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all files that are necessary for the correct operation of the apache and php combination (for the packages installed in my example).
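As an added example (not code from the original post), the script below turns ldd output into the list of setfmac mls/low commands that the list above builds by hand, adding every parent directory of each library, since a file stays unreachable while its directory is still at mls/high. The ldd output embedded in it is constructed for the demo; on a FreeBSD host you would pass "$(ldd /usr/local/sbin/httpd)" instead.

```shell
#!/bin/sh
# Added example, not part of the original post: derive "setfmac mls/low"
# commands for httpd's shared-library dependencies plus every ancestor
# directory of each library. The ldd(1) output below is constructed; on the
# host you would use "$(ldd /usr/local/sbin/httpd)" in its place.

SAMPLE_LDD='/usr/local/sbin/httpd:
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800240000)
        libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800280000)
        libc.so.7 => /lib/libc.so.7 (0x800300000)'

# Print the resolved path of every "name => path (addr)" line.
ldd_paths() {
    printf '%s\n' "$1" | awk '$2 == "=>" { print $3 }'
}

# Print a path followed by each of its ancestor directories, ending at "/".
with_ancestors() {
    p=$1
    while [ -n "$p" ]; do
        printf '%s\n' "$p"
        p=${p%/*}          # strip the last component; "/usr" becomes ""
    done
    printf '/\n'
}

# Emit one deduplicated setfmac command per path, ready for review.
label_commands() {
    ldd_paths "$1" |
        while IFS= read -r f; do with_ancestors "$f"; done |
        sort -u | sed 's|^|setfmac mls/low |'
}

# Number of distinct objects that would be relabelled.
label_count() {
    label_commands "$1" | awk 'END { print NR }'
}
```

Review the generated commands and then pipe them into sh on the FreeBSD host; the php libraries the post finds in httpd-error.log need the same treatment with their own paths.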

The final touch is to configure the jail to run at the mls/equal level and apache at the mls/low level. To start the jail, you need to modify the /etc/rc.d/jail script: find the jail_start function in this script and change the command variable to the form:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the required label level, in this case mls/equal, so that it can reach all labels. For apache you need to edit the startup script /usr/local/etc/rc.d/apache24. Change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official guide has a different example, but I could not use it because I kept getting a message about being unable to use the setpmac command.

Conclusion

This method of distributing access adds an additional level of security for apache (although it is suitable for any other stack), which additionally runs in a jail, while for the administrator all of this happens transparently and unnoticed.

List of sources that helped me write this post:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: mapenzi.com
