介绍
在本出版物中,我们将讨论bsdextended凭证模型;在手册中将其描述为文件系统防火墙。与我在本指南中描述的方法相比,这种方法的优势在于使用哪个文件系统都无关紧要,因为限制的发生不是由文件上的标签引起,而是由用户的uid和gid引起。训练
所有操作将在jail中执行,因此您必须首先配置jail。本指南是在/ jails / famp目录中安装的jail编写的。首先,在“自动运行”中安装必要的模块,然后运行它们(这些操作必须在监狱中完成),并设置使用www用户的端口80、443的能力,而无需root用户权限:echo 'mac_portacl_load="YES"' >>/boot/loader.conf
echo 'mac_bsdextended_load="YES"' >> /boot/loader.conf
kldload mac_portacl.ko
kldload mac_bsdextended.ko
sysctl net.inet.ip.portrange.reservedlow=0
sysctl net.inet.ip.portrange.reservedhigh=0
sysctl security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443
echo 'net.inet.ip.portrange.reservedlow=0' >> /etc/sysctl.conf
echo 'net.inet.ip.portrange.reservedhigh=0' >> /etc/sysctl.conf
echo 'security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443' >> /etc/sysctl.conf
接下来,在监狱中,您需要安装用于构建apache和php的依赖项,还需要安装端口:pkg install apr autoconf autoconf-wrapper automake ca_root_nss cmake curl db5 dialog4ports expat fontconfig freetype2 gdbm gettext-runtime gettext-tools giflib gmake gmp gperf help2man indexinfo jbigkit jpeg-turbo jsoncpp libarchive libargon2 libffi libgcrypt libgd libgpg-error libiconv liblz4 libnghttp2 libtextstyle libtool libuv libxml2 libxslt libzip lzo2 m4 meson nasm ninja oniguruma p5-Locale-gettext p5-Locale-libintl p5-Text-Unidecode p5-Unicode-EastAsianWidth pcre pcre2 perl5 pkgconf png py37-Babel py37-Jinja2 py37-MarkupSafe py37-alabaster py37-asn1crypto py37-certifi py37-cffi py37-chardet py37-cryptography py37-cython py37-docutils py37-idna py37-imagesize py37-openssl py37-pycparser py37-pygments py37-pysocks py37-pystemmer py37-pytz py37-requests py37-setuptools py37-six py37-snowballstemmer py37-sphinx py37-sphinx_rtd_theme py37-sphinxcontrib-websupport py37-urllib3 python37 re2c readline rhash sqlite3 texinfo tiff webp openssl wget
portsnap fetch extract
部件
让我们转到apache port目录,在此目录中,您需要“配置”端口,以便将其安装在/ famp目录中:mkdir /famp
cd /usr/ports/www/apache24
make config
make configure
cd work
cd httpd-2.4.43
./configure --prefix=/famp
cd ..//..
make BATCH=yes PREFIX=/famp install clean
完成这些操作后,apache将安装在/ famp目录中,无法以这种方式安装php,因此我们将从源代码安装它:cd /
wget https://www.php.net/distributions/php-7.4.5.tar.xz
xz -d php-7.4.5.tar.xz
tar -xvf php-7.4.5.tar
cd php-7.4.5
完成这些操作后,您需要构建php,以指定apxs的正确路径:./configure --prefix=/famp --with-apxs2=/famp/sbin/apxs --with-openssl --with-zlib --with-curl --enable-mbstring --with-zip --enable-mysqlnd --enable-maintainer-zts --with-mysqli
gmake install
客制化
下一步将是正确配置httpd.conf(以及其余必要的“ config”),复制rc.d目录并创建必要的目录:mkdir /famp/log
mkdir /famp/run
cp -R /famp/etc/rc.d/ /usr/local/etc/rc.d
# /usr/local/etc/rc.d/apache24 , pid`
_pidprefix="/famp/run/httpd"
# httpd.conf
Mutex default:/famp/run
PidFile "/famp/run/httpd.pid"
ErrorLog "/famp/log/httpd-error.log"
CustomLog "/famp/log/httpd-access.log
#httpd-ssl.conf ( )
SSLSessionCache "shmcb:/famp/run/ssl_scache(512000)"
DocumentRoot "/famp/www/apache24/data"
ErrorLog "/famp/log/httpd-error.log"
TransferLog "/famp/log/httpd-access.log"
CustomLog "/famp/log/httpd-ssl_request.log"
<Directory "/famp/www/apache24/cgi-bin">
为了使所有apache进程都从名称www下启动,有必要在httpd文件上设置setuid位,还必须将所有者递归地设置为用户www的famp目录并运行apache:chown -R www:www /famp
chmod 4755 /famp/sbin/httpd
启动apache并创建必要的日志文件后,您可以将权限更改为必要的目录和文件,但是在此之前,您需要编辑ldconfig。此实用程序负责使用各种库访问目录,在更改/ lib,/ usr / lib,usr / local / lib目录的权限后,ldconfig实用程序将认为这些目录是非法的,因此,此实用程序必须在不受保护的模式下运行。要查看路径,请运行以下命令:ldconfig -r
要以不受保护的方式运行ldconfig,必须使用i键运行该实用程序:ldconfig -iR /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/perl5/5.30/mach/CORE
还需要将/usr/local/lib/libnghttp2.so.14文件复制到/ usr / lib目录(不清楚为什么apache在/ usr / local / lib目录中看不到它)cp /usr/local/lib/libnghttp2.so.14 /usr/lib/libnghttp2.so.14
更改对目录和文件的权限,以使apache正常工作:# jail
chflags noschg /jails/famp/lib/libcrypt.so.5
chflags noschg /jails/famp/lib/libc.so.7
chflags noschg /jails/famp/lib/libthr.so.3
chflags noschg /jails/famp/usr/lib/librt.so.1
# jail
chown www:wheel /
chown -R www:www /famp
chown www:wheel /etc
chown www:wheel /tmp
chown -R www:wheel /dev
chown www:wheel /etc/passwd
chown www:wheel /etc/group
chown www:wheel /etc/pwd.db
chown www:wheel /lib
chown www:wheel /usr
chown www:wheel /usr/lib
chown www:wheel /usr/local
chown www:wheel /usr/local/lib
chown -R www:wheel /lib
chown -R www:wheel /usr/lib
chown -R www:wheel /usr/local/lib
sysrc apache24_enable="YES"
service apache24 start
经过这些操作后,apache将可以访问在隔离的环境中进行操作所需的所有文件,但我认为所有这些文件都属于www用户并不完全正确,因此可以使用不可变性标志,因此不能设置这些标志,并且从监狱开始,因为默认情况下监狱以有限的权限开始:chflags schg /jails/famp
chflags schg /jails/famp/etc
chflags schg /jails/famp/etc/passwd
chflags schg /jails/famp/etc/group
chflags schg /jails/famp/etc/pwd.db
chflags schg /jails/famp/lib
chflags schg /jails/famp/usr
chflags schg /jails/famp/usr/lib
chflags schg /jails/famp/usr/local
chflags schg /jails/famp/usr/local/lib
chflags -R schg /jails/famp/lib
chflags -R schg /jails/famp/usr/lib
chflags -R schg /jails/famp/usr/local/lib
chflags -R schg /jails/famp/famp
# ,
chflags -R noschg /jails/famp/famp/log
chflags -R noschg /jails/famp/famp/run
chflags -R noschg /jails/famp/famp/www/apache24/data/cache
# sunlink , ( tmp, cache, log, run , apache )
chflags sunlink /jails/famp/dev
chflags sunlink /jails/famp/tmp
chflags sunlink /jails/famp/famp/www/apache24/data/cache
chflags -R sunlink /jails/famp/famp/log
chflags sunlink /jails/famp/famp/run
# sappend , .. apache , .
chflags -R sappend /jails/famp/famp/log
倒数第二个工作是创建可执行文件,以设置必要的权限并启动apache,以及在不受保护的模式下启动ldconfig(在监狱中执行):touch /etc/rc.d/0
chmod +x /etc/rc.d/0
#
ldconfig -iR /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/perl5/5.30/mach/CORE
# /dev sysctl pid` ssl
chown -R www:wheel /dev
service apache24 start
最后,最后一步是为bsdextended设置参数,您还需要创建一个可执行文件,以便每次系统启动时这些限制都起作用(不在监狱中):touch /etc/rc.d/0
chmod +x /etc/rc.d/0
#
ugidfw set 2 subject uid www object ! uid www mode n
#
ugidfw set 2 subject uid www object ! uid www mode n
此选项将阻止www用户访问非www用户拥有的文件和目录。结论
从该出版物可以看出,这种用于限制进程的方法将导致Web服务器(以及将应用此方法的任何其他堆栈)具有高度的安全性。有助于我撰写本出版物的资源清单。www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac-bsdextended.htmlwww.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac-portacl.html