A mandatory access control model in FreeBSD

Introduction

To add an extra layer of security to a server you can use a mandatory access control model. This article describes how to run Apache inside a jail with access only to those components that Apache and PHP need in order to work normally. Using this technique you can confine not only Apache but any other software stack.

Preparation

This method is suitable only for the UFS file system; in this example ZFS is used on the host system and UFS inside the jail. The first step is to rebuild the kernel, so include the source code when installing FreeBSD.
After installing the system, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Add one line to this file:

options     MAC_MLS

The mls/high label ranks above mls/low: a process started with the mls/low label will not be able to access files carrying the mls/high label. More details about all the labels available in FreeBSD can be found in the FreeBSD Handbook.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run the following (with the -j option, give the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

Once the kernel has been compiled, install it:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system: users first have to be moved into a login class that has been configured beforehand. Edit /etc/login.conf and bring the default login class in this file to the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal: allows users who are members of this class to access files marked with any label (mls/low, mls/high). After these changes, rebuild the login database and place the root user (and any other users who need it) in this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

For the policy to apply only to files, edit /etc/mac.conf, leaving only one line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to the boot-time autoload:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After this you can safely reboot the system. How to create a jail you can read in one of my other publications. But before creating the jail you need to add a hard drive, create a file system on it and enable multilabel on it; create a UFS2 file system with a 64kb cluster size:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, add the hard drive to /etc/fstab by appending the line:

/dev/ada1               /jail  ufs     rw              0       1

In Mountpoint, give the directory in which you will mount the drive; in Pass, be sure to specify 1 (the pass in which this drive will be checked). This is important because the UFS file system is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail in this directory. Once the jail is running, you need to repeat inside it the same steps as on the host system for the users and the /etc/login.conf and /etc/mac.conf files.

Configuration

Before setting the required labels, I recommend installing all the necessary packages; in my case the labels are set with the following packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example the labels are set according to the dependencies of these packages. Of course, you can do it more simply: set mls/low on the /usr/local/lib directory and the files in it, and any packages installed later (for example, additional PHP extensions) will be able to access the libraries in that directory. It seemed better to me, however, to grant access only to those files that are strictly necessary. Stop the jail and set the mls/high label on all of its files:

setfmac -R mls/high /jail

While setting labels, the process stops if setfmac encounters hard links; in my example I deleted the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After the labels are set, you need to set the mls/low label for Apache. The first thing to do is to find out which files Apache needs in order to start:

ldd /usr/local/sbin/httpd

After running this command the dependencies are shown on screen, but setting the required label on these files alone is not enough: the directories that contain these files still carry the mls/high label, so these directories must also be labelled mls/low. When it starts, Apache also reports the files it needs in order to run, and for PHP these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all files required for the normal operation of the Apache and PHP bundle (for the packages installed in my example).
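The labelling step above is done by hand; the following POSIX sh helper is an added example, not code from the original article, that derives from ldd output every file and every parent directory that must be relabelled mls/low (it assumes a FreeBSD host with mac_mls loaded only for the final label_for_binary function):

```shell
#!/bin/sh
# Added example (not from the original article).
# A file labelled mls/low is still unreachable for an mls/low process if any
# directory on its path is labelled mls/high, so every ancestor directory up
# to / must be relabelled as well.

# Read file paths from stdin; print each file plus all of its ancestor
# directories, deduplicated and in byte order.
mls_paths_from_list() {
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        p="$f"
        while [ "$p" != "/" ]; do
            printf '%s\n' "$p"
            p=$(dirname "$p")
        done
        printf '/\n'
    done | LC_ALL=C sort -u
}

# Extract resolved shared-object paths from ldd output lines such as
#   libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Label a binary, its dynamic dependencies, the runtime linker and all their
# parent directories mls/low. Requires FreeBSD with mac_mls loaded; assumes
# the binary path passed as $1 is absolute.
label_for_binary() {
    bin="$1"
    {
        printf '%s\n' "$bin" /libexec/ld-elf.so.1
        ldd "$bin" | ldd_paths
    } | mls_paths_from_list | while IFS= read -r p; do
        setfmac mls/low "$p"
    done
}
```

Run label_for_binary /usr/local/sbin/httpd inside the stopped jail's file system as root; files Apache opens only at runtime (logs, pid file, /dev/random, config) still have to be added by hand as in the list above.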

The final touch is to configure the jail to run at the mls/equal level and Apache at the mls/low level. To start the jail you need to change the /etc/rc.d/jail script: find the jail_start function in it and change the command variable to:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the required label, in this case mls/equal, so that it has access to all labels. For Apache you need to edit the startup script /usr/local/etc/rc.d/apache24 and change the apache24_prestart function as follows:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official documentation has another example, but I could not use it because I kept getting a message that the setpmac command could not be used.

Conclusion

This way of separating access adds an extra layer of security to Apache (although the method is suitable for any other software stack), which in addition runs inside a jail; at the same time, for the administrator all of this happens transparently and unnoticed.

List of sources that helped me write this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
