Introduction
In this publication, we will talk about the bsdextended credential model; on the handbook it is described as a file system firewall. The advantage of this approach over the one that I described in this guide is the fact that it does not matter which file system is used, since restrictions will occur not by the labels on the files, but by the uid and gid of users.Training
All actions will be performed in jail , so you must initially configure jail. This guide is written with jail installed in the / jails / famp directory. First of all, install the necessary modules in βautorunβ, and also run them (these actions must be done not in jail) and set the ability to use ports 80, 443 of the www user without root rights:echo 'mac_portacl_load="YES"' >>/boot/loader.conf
echo 'mac_bsdextended_load="YES"' >> /boot/loader.conf
kldload mac_portacl.ko
kldload mac_bsdextended.ko
sysctl net.inet.ip.portrange.reservedlow=0
sysctl net.inet.ip.portrange.reservedhigh=0
sysctl security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443
echo 'net.inet.ip.portrange.reservedlow=0' >> /etc/sysctl.conf
echo 'net.inet.ip.portrange.reservedhigh=0' >> /etc/sysctl.conf
echo 'security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443' >> /etc/sysctl.conf
Next, in jail, you need to install the dependencies for building apache and php, as well as install the ports:pkg install apr autoconf autoconf-wrapper automake ca_root_nss cmake curl db5 dialog4ports expat fontconfig freetype2 gdbm gettext-runtime gettext-tools giflib gmake gmp gperf help2man indexinfo jbigkit jpeg-turbo jsoncpp libarchive libargon2 libffi libgcrypt libgd libgpg-error libiconv liblz4 libnghttp2 libtextstyle libtool libuv libxml2 libxslt libzip lzo2 m4 meson nasm ninja oniguruma p5-Locale-gettext p5-Locale-libintl p5-Text-Unidecode p5-Unicode-EastAsianWidth pcre pcre2 perl5 pkgconf png py37-Babel py37-Jinja2 py37-MarkupSafe py37-alabaster py37-asn1crypto py37-certifi py37-cffi py37-chardet py37-cryptography py37-cython py37-docutils py37-idna py37-imagesize py37-openssl py37-pycparser py37-pygments py37-pysocks py37-pystemmer py37-pytz py37-requests py37-setuptools py37-six py37-snowballstemmer py37-sphinx py37-sphinx_rtd_theme py37-sphinxcontrib-websupport py37-urllib3 python37 re2c readline rhash sqlite3 texinfo tiff webp openssl wget
portsnap fetch extract
Assembly
Let's go to the apache port directory, in this directory you need to "configure" the port so that it is installed in the / famp directory:mkdir /famp
cd /usr/ports/www/apache24
make config
make configure
cd work
cd httpd-2.4.43
./configure --prefix=/famp
cd ..//..
make BATCH=yes PREFIX=/famp install clean
After these manipulations, apache will be installed in the / famp directory, php cannot be installed in this way, therefore, install from the source code:cd /
wget https://www.php.net/distributions/php-7.4.5.tar.xz
xz -d php-7.4.5.tar.xz
tar -xvf php-7.4.5.tar
cd php-7.4.5
After these manipulations, you need to build php specifying the correct path to apxs:./configure --prefix=/famp --with-apxs2=/famp/sbin/apxs --with-openssl --with-zlib --with-curl --enable-mbstring --with-zip --enable-mysqlnd --enable-maintainer-zts --with-mysqli
gmake install
Customization
The next step will be the correct configuration of httpd.conf (as well as the rest of the necessary "config"), copying the rc.d directory and creating the necessary directories:mkdir /famp/log
mkdir /famp/run
cp -R /famp/etc/rc.d/ /usr/local/etc/rc.d
# /usr/local/etc/rc.d/apache24 , pid`
_pidprefix="/famp/run/httpd"
# httpd.conf
Mutex default:/famp/run
PidFile "/famp/run/httpd.pid"
ErrorLog "/famp/log/httpd-error.log"
CustomLog "/famp/log/httpd-access.log
#httpd-ssl.conf ( )
SSLSessionCache "shmcb:/famp/run/ssl_scache(512000)"
DocumentRoot "/famp/www/apache24/data"
ErrorLog "/famp/log/httpd-error.log"
TransferLog "/famp/log/httpd-access.log"
CustomLog "/famp/log/httpd-ssl_request.log"
<Directory "/famp/www/apache24/cgi-bin">
In order for all apache processes to start from under the name www, you need to set the setuid bit on the httpd file, and you also need to set the owner recursively to the www user directory famp and run apache:chown -R www:www /famp
chmod 4755 /famp/sbin/httpd
After apache is launched and the necessary log files are created, you can change the rights to the necessary directories and files, but before that you need to edit ldconfig. This utility is responsible for the paths to directories with various libraries, after changing the rights to the / lib, / usr / lib, usr / local / lib directories, the ldconfig utility will consider these directories as not legitimate, for this reason this utility must be run in unprotected mode. To view the paths, you must run the command:ldconfig -r
To run ldconfig in unprotected mode, you must run this utility with the i key:ldconfig -iR /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/perl5/5.30/mach/CORE
It is also necessary to copy the /usr/local/lib/libnghttp2.so.14 file to the / usr / lib directory (it is not clear why apache does not see it in the / usr / local / lib directory)cp /usr/local/lib/libnghttp2.so.14 /usr/lib/libnghttp2.so.14
Change the rights to directories and files necessary for apache to work correctly:# jail
chflags noschg /jails/famp/lib/libcrypt.so.5
chflags noschg /jails/famp/lib/libc.so.7
chflags noschg /jails/famp/lib/libthr.so.3
chflags noschg /jails/famp/usr/lib/librt.so.1
# jail
chown www:wheel /
chown -R www:www /famp
chown www:wheel /etc
chown www:wheel /tmp
chown -R www:wheel /dev
chown www:wheel /etc/passwd
chown www:wheel /etc/group
chown www:wheel /etc/pwd.db
chown www:wheel /lib
chown www:wheel /usr
chown www:wheel /usr/lib
chown www:wheel /usr/local
chown www:wheel /usr/local/lib
chown -R www:wheel /lib
chown -R www:wheel /usr/lib
chown -R www:wheel /usr/local/lib
sysrc apache24_enable="YES"
service apache24 start
After these manipulations, apache will have access to all the files that are necessary for its operation in an isolated environment, but in my opinion it is not entirely correct that all these files belong to the www user, for this reason immutability flags can be used, these flags must not be set and from jail, since by default jail starts with limited rights:chflags schg /jails/famp
chflags schg /jails/famp/etc
chflags schg /jails/famp/etc/passwd
chflags schg /jails/famp/etc/group
chflags schg /jails/famp/etc/pwd.db
chflags schg /jails/famp/lib
chflags schg /jails/famp/usr
chflags schg /jails/famp/usr/lib
chflags schg /jails/famp/usr/local
chflags schg /jails/famp/usr/local/lib
chflags -R schg /jails/famp/lib
chflags -R schg /jails/famp/usr/lib
chflags -R schg /jails/famp/usr/local/lib
chflags -R schg /jails/famp/famp
# ,
chflags -R noschg /jails/famp/famp/log
chflags -R noschg /jails/famp/famp/run
chflags -R noschg /jails/famp/famp/www/apache24/data/cache
# sunlink , ( tmp, cache, log, run , apache )
chflags sunlink /jails/famp/dev
chflags sunlink /jails/famp/tmp
chflags sunlink /jails/famp/famp/www/apache24/data/cache
chflags -R sunlink /jails/famp/famp/log
chflags sunlink /jails/famp/famp/run
# sappend , .. apache , .
chflags -R sappend /jails/famp/famp/log
The penultimate touch will be the creation of an executable file for setting up the necessary rights and starting apache, as well as starting ldconfig in unprotected mode (execute in jail):touch /etc/rc.d/0
chmod +x /etc/rc.d/0
#
ldconfig -iR /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/perl5/5.30/mach/CORE
# /dev sysctl pid` ssl
chown -R www:wheel /dev
service apache24 start
Finally, the final touch will be setting the parameter for bsdextended, you also need to create an executable file so that these restrictions work every time the system boots up (not in jail):touch /etc/rc.d/0
chmod +x /etc/rc.d/0
#
ugidfw set 2 subject uid www object ! uid www mode n
#
ugidfw set 2 subject uid www object ! uid www mode n
This option will prevent the www user from accessing files and directories that are not owned by the www user.Conclusion
As can be seen from this publication, such a method for limiting processes will lead to a high degree of security for the web server (as well as any other stack to which this method will be applied).List of sources that helped me a lot in writing this publication.www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac-bsdextended.htmlwww.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac-portacl.html