Unix/Linux chroot as a server security mechanism

A so-called "jail" is built with the chroot mechanism: it changes the root directory a process can see, confining the process to a chosen directory so that it can only act on that directory and its subdirectories. This limits what a compromised process can reach and so protects the rest of the server.

Creating a chroot "jail"

In the past, Unix/Linux daemons were started with root privileges. At the time this seemed natural: server software such as Apache has to bind to a "well known" port (below 1024) to listen for HTTP requests, and root is the only user allowed to do so.

As attackers became more active, and in particular as the number of buffer overflow vulnerabilities grew, this put servers under an ever greater threat: one vulnerability in a network service was enough for an attacker to gain access to and control of the whole system. To reduce the impact of such attacks, server software is now usually designed to start with root privileges, then give up root on its own and run the service under a low-privilege system account. The benefit is that if the service is exploited, the attacker inherits only the process's limited rights, which does far less harm than the root access of earlier designs.

Some attackers will then look for other weaknesses in the system to escalate privileges until they reach root. Local security is usually far weaker than remote security, so an attacker is quite likely to find something on the system that can be abused for escalation. Even without a local vulnerability, an attacker can still do damage, for example by deleting files or defacing the home page.

To strengthen the system further, the chroot mechanism, which Linux inherited from Unix, is used. chroot is a kernel system call; software calls the chroot library function to change the root directory a process can see. Take Apache installed in /usr/local/httpd/ as an example. Apache is started as root (or as another account with the same authority); the root-privileged parent process then forks a number of child processes that run with the privileges of nobody (or whichever user the configuration names). The parent listens for requests on TCP port 80 and, following its internal scheduling, hands each request to a child process to handle. Each child inherits the parent's working directory, /usr/local/httpd/.

But the working directory is not a boundary. If directory permissions are set wrong, a compromised Apache child process can access /usr/local, /usr, /tmp, or even the entire file system, because the root directory of the Apache process is still the root of the real file system. If instead Apache is confined with chroot to /usr/local/httpd/, the only files it can reach are those in /usr/local/httpd/ and its subdirectories. Creating a chroot "jail" therefore restricts a process's view of the file system to one subtree of the directory tree. One caveat applies throughout: chroot only confines a process that has given up root. A process that keeps root inside the jail can still create device nodes, use a setuid binary, or chroot again into a subdirectory and walk back out, so dropping privileges is part of the mechanism, not an optional extra.

Why the jail package is needed

The difficulty with chrooting software is that every program, configuration file and library it needs must be installed inside the chroot directory beforehand; this directory is usually called the chroot jail. If /sbin/httpd is to run inside the "jail", the real /sbin directory of the file system is no longer visible, so an /sbin directory has to be created inside the jail first and httpd copied into it. httpd also needs a number of shared libraries; the following command, run on the real file system, lists them:

# ldd /sbin/httpd
libaprutil-0.so.0 => /usr/local/httpd/lib/libaprutil-0.so.0 (0x40017000)
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x4003c000)
libdb-4.0.so => /lib/libdb-4.0.so (0x40043000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x400eb000)
libexpat.so.0 => /usr/lib/libexpat.so.0 (0x400f8000)
libapr-0.so.0 => /usr/local/httpd/lib/libapr-0.so.0 (0x40118000)
librt.so.1 => /lib/librt.so.1 (0x40139000)
libm.so.6 => /lib/tls/libm.so.6 (0x4014b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4016d000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4019a000)
libdl.so.2 => /lib/libdl.so.2 (0x401af000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)



This means that a lib directory also has to be created inside the "jail" and the library files copied into it. The work can be automated; software packages such as jail help to simplify the construction of a chroot "jail".
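As an added example (not part of the original article or of the jail package), the following POSIX shell function does by hand what a tool such as jail's addjailsw automates: it copies one program into the jail directory, parses the output of ldd and copies every shared object the dynamic linker would load, recreating the original directory layout underneath the jail. Symlinked libraries are copied as the files they point to, so the jail does not end up with links pointing outside it, and a statically linked program (for which ldd prints "not a dynamic executable") is copied on its own. The jail path and the program are assumptions supplied by the caller; the path resolution and the ldd output format are the only things the function relies on.

```sh
#!/bin/sh
# copy_into_jail JAIL PROGRAM
# Copies PROGRAM (absolute path) and the shared libraries ldd reports for it
# into JAIL, preserving the absolute paths, so that /lib/libc.so.6 ends up at
# JAIL/lib/libc.so.6. Prints the number of files copied; returns 1 on error.
set -u

copy_into_jail() {
    jail=$1
    prog=$2
    [ -d "$jail" ] || { echo "jail directory $jail does not exist" >&2; return 1; }
    [ -f "$prog" ] || { echo "$prog is not a regular file" >&2; return 1; }
    case $prog in
        /*) ;;
        *) echo "$prog must be an absolute path (it is recreated under $jail)" >&2; return 1 ;;
    esac

    # ldd prints lines such as
    #   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
    #   /lib64/ld-linux-x86-64.so.2 (0x...)
    # so every whitespace-separated field that starts with '/' is a file the
    # dynamic linker will open. A statically linked program yields no such
    # field, so only the program itself is copied.
    deps=$(ldd "$prog" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')

    count=0
    for f in "$prog" $deps; do
        dest="$jail$f"
        mkdir -p "$(dirname "$dest")" || return 1
        # -L follows symlinks so the jail gets the real file. -p is deliberately
        # not used: the copy keeps the execute bits but not setuid/setgid bits,
        # which have no business inside a jail.
        cp -L "$f" "$dest" || return 1
        count=$((count + 1))
    done
    echo "$count"
    return 0
}

# jail_has JAIL PATH: succeeds if PATH exists inside the jail at its original location.
jail_has() {
    [ -f "$1$2" ]
}

# Usage when run directly, e.g.: sh mkjail.sh /var/chroot /usr/local/httpd/bin/httpd
if [ $# -eq 2 ]; then
    n=$(copy_into_jail "$1" "$2") && echo "copied $n files into $1"
fi
```

Run it once per program that has to live in the jail, and again for every program those programs call (ldd only sees shared libraries, not helper binaries, configuration files or the devices a program opens at run time, which is why the ldd-based approach is a starting point rather than the whole job).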

Compiling and installing jail

The latest version of jail can be downloaded from http://www.jmcresearch.com/static/dwn/projects/jail/jail.tar.gz; the jail chroot project itself is at http://www.jmcresearch.com/projects/jail/. The package contains a C program together with Perl and Bash scripts that help to create a chroot "jail" automatically.

First place jail.tar.gz in any directory and run:
# tar xzvf jail.tar.gz && cd jail/src

Edit the makefile to match your situation, in particular the installation path (the default is /usr/local), the architecture (jail supports Linux, FreeBSD, IRIX and Solaris) and the compiler options. Finally run:
# make && make install

Creating a chroot "jail" with jail

Now create a directory to serve as the chroot "jail"; /var/chroot/ is used as the example. Run the following command to create the chroot "jail" environment:
# /usr/local/bin/mkjailenv /var/chroot

This builds the "jail". The jail package provides several Perl scripts as its core commands, among them mkjailenv, addjailuser and addjailsw. addjailsw copies a binary executable and the files it depends on (library files, auxiliary files and device files) from the real file system into the "jail".

Adding software to the jail

Next, some additional software has to be added to the "jail" before it can be used. The following command installs a basic set, including programs such as ls, cat and cp and the ld-linux.so.2 library:
# /usr/local/bin/addjailsw /var/chroot

This basic software alone is not enough; the jail also needs the programs that actually have to be confined. The following example adds the arp program to the "jail":

# /usr/local/bin/addjailsw /var/chroot -P arp

addjailsw
A component of Jail (version 1.9 for linux)
http://www.jmcresearch.com/projects/jail/
Juan M. Casillas

Guessing arp args (0)
Warning: file .//lib/tls/libc.so.6 exists. Overwritting it
Warning: file .//lib/ld-linux.so.2 exists. Overwritting it
Warning: file .//etc/ld.so.cache exists. Overwritting it
Warning: file .//usr/lib/locale/locale-archive exists. Overwritting it
Warning: file .//usr/share/locale/locale.alias exists. Overwritting it
Warning: can't create /proc/net/arp from the /proc filesystem

Done.



The same again, this time with the Apache server software as the example:

# addjailsw /var/chroot/ -P /usr/local/httpd/bin/httpd

addjailsw
A component of Jail (version 1.9 for linux)
http://www.jmcresearch.com/projects/jail/
Juan M. Casillas

Guessing /usr/local/httpd/bin/httpd args (0)
Warning: file /var/chroot//lib/libssl.so.4 exists. Overwritting it
Warning: file /var/chroot//lib/libcrypto.so.4 exists. Overwritting it
Warning: file /var/chroot//lib/libresolv.so.2 exists. Overwritting it
... ...

Done.



Do not worry about the warnings: jail runs ldd on httpd to find the libraries it needs, and almost all dynamically linked executables share a number of the same libraries, so files that are already in the jail simply get copied again.

Next, copy the Apache files into the "jail":
# cp -a /usr/local/httpd/ /var/chroot/usr/local/

Depending on your setup, Apache may need further files copied into the "jail".

"Imprisoning" the prisoner

Sometimes a new user has to be created for the chroot "jail". Apache, for example, creates its child processes as the user nobody; since nobody may be used by other processes as well, another user, httpd, is used here instead. First create the httpd user on the real system, with the jail binary as its login shell so that logging in as this user enters the chroot:
# useradd -d /var/chroot -s /usr/local/bin/jail httpd

Then run the following command to create the httpd user inside the chroot "jail":
# /usr/local/bin/addjailuser /var/chroot /usr/local/httpd /usr/sbin/httpd httpd

Next edit /var/chroot/usr/local/httpd/conf/httpd.conf and replace User nobody with User httpd. Because Apache will now be started under the chrooted httpd identity, and only root may bind a low port (normally 80), the port value also has to be changed to a value above 1024 (8080 is assumed here). This change must be applied to every Apache configuration file, including the virtual host configuration. All other Apache settings can be configured exactly as on the real file system.

The next step is to copy a number of other files. The most common way to start Apache is to call apachectl, which is a Bash script. Looking at it, you will find lines like the following:

HTTPD='/usr/local/httpd/bin/httpd'
LYNX="lynx -dump"
ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`"
ARGV="-h"
$HTTPD -k $ARGV
$HTTPD -k start -DSSL
$HTTPD -t
$LYNX $STATUSURL | awk '/process$/ { print; exit } { print }'



So ulimit, lynx and awk are helper programs that have to be in the jail as well. Note too that a program started with different parameters may load different libraries, so to let Apache run in every mode, track down all the files it could need with commands such as:
# /usr/local/bin/addjailsw /var/chroot -P httpd "-k start -DSSL"

Repeat this with the parameters in the quotation marks replaced by each set you actually use, and the preparation is complete.

Finally, start Apache inside the jail:
# su - httpd &

Open a browser and test it; remember to add the port number 8080 to the web server's address.
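Before declaring the jail finished, it is worth checking it for the things that quietly undo the confinement. The following shell function is an added example, not part of the original article or of the jail package: it walks a finished jail and reports setuid/setgid files (a setuid-root program inside the jail is a route back to root, and root is not confined by chroot), device nodes beyond the few a server needs (a copied disk or memory device exposes the real system), world-writable directories, and an httpd.conf that still listens on a privileged port, which the unprivileged httpd user cannot bind. The jail path, the location of httpd.conf inside it and the list of permitted device nodes are assumptions; adjust them to your layout.

```sh
#!/bin/sh
# audit_jail JAIL [HTTPD_CONF]
# Prints one line per finding and succeeds only when nothing was found.
# HTTPD_CONF is relative to JAIL; it defaults to the layout used in this article.
set -u

audit_jail() {
    jail=$1
    conf=${2:-usr/local/httpd/conf/httpd.conf}
    findings=0

    # 1. setuid/setgid files: a compromised jailed process could run one to
    #    regain root, and root can leave a chroot (assumption: none are needed).
    for f in $(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null); do
        echo "setuid/setgid file: $f"
        findings=$((findings + 1))
    done

    # 2. device nodes other than the handful a daemon legitimately opens
    #    (the allow-list below is an assumption; extend it for your software).
    for f in $(find "$jail" \( -type b -o -type c \) 2>/dev/null); do
        case ${f#"$jail"} in
            /dev/null|/dev/zero|/dev/random|/dev/urandom) ;;
            *) echo "device node: $f"; findings=$((findings + 1)) ;;
        esac
    done

    # 3. world-writable directories: places the jailed user can drop and run
    #    files from, which weakens the "only these files" property of the jail.
    for f in $(find "$jail" -type d -perm -0002 2>/dev/null); do
        echo "world-writable directory: $f"
        findings=$((findings + 1))
    done

    # 4. Listen/Port directives below 1024: the unprivileged httpd user cannot
    #    bind them, so Apache either fails to start or was started as root.
    if [ -f "$jail/$conf" ]; then
        for p in $(awk 'tolower($1) == "listen" || tolower($1) == "port" { sub(/.*:/, "", $2); print $2 }' "$jail/$conf"); do
            case $p in *[!0-9]*) continue ;; esac
            if [ "$p" -lt 1024 ]; then
                echo "privileged port in $conf: $p"
                findings=$((findings + 1))
            fi
        done
    fi

    [ "$findings" -eq 0 ]
}

# Usage when run directly, e.g.: sh auditjail.sh /var/chroot
if [ $# -ge 1 ]; then
    if audit_jail "$@"; then echo "jail looks clean"; else echo "jail needs attention" >&2; fi
fi
```

Run it after every addjailsw pass, since each pass copies files with their original permission bits; anything it reports should either be removed from the jail or have its permission bits corrected before Apache is started.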

Advanced use of jail

The walkthrough above used three of the Perl scripts in the jail package. For advanced users, their usage is described in detail here.

mkjailenv
Usage: mkjailenv chrootdir
Purpose: creates the chroot "jail" directory and copies a basic software environment into it from the real file system.
Parameters:
chrootdir: the path of the chroot "jail".

addjailsw
Usage: addjailsw chrootdir [-D] [-P program args]
Purpose: copies the specified file, together with the files it depends on, from the real file system into the jail.
Parameters:
chrootdir: the path of the chroot "jail".
-D: show detailed information.
-P program args: the software to add to the "jail". program can be a bare file name or a full path; args are its parameters. For example:
# addjailsw /var/chroot -P vi "-c q"

addjailuser
Usage: addjailuser chrootdir userdir usershell username
Purpose: creates a new user in the chroot "jail".
Parameters:
chrootdir: the path of the chroot "jail".
userdir: the new user's home directory (relative to the chroot "jail" directory).
usershell: the full path of the new user's shell (e.g. /bin/bash).
username: the new user's name.

For example:
# addjailuser /var/chroot /home/ftp /bin/csh ftp

The script automatically updates the /etc/passwd, /etc/group and /etc/shadow files inside the "jail".

As the above shows, if only Apache is to run in the "prison", mkjailenv is rather too "enthusiastic". You can skip the mkjailenv /var/chroot command and run only addjailsw /var/chroot -P httpd, or, once the chroot "jail" has been debugged, delete the unnecessary files and remove the surplus user entries from /etc/passwd. That raises a further point: most popular web sites today run the Apache + PHP + MySQL + SSL combination (possibly with FTP, mail, Perl and other components), so a fully integrated web "prison" can be built on the same principles. The system administrator sets up the software environment in the "prison", and that environment should contain only what is essential to maintain Apache + PHP + MySQL + SSL and the other components, not tools such as Bash, SSH, upload software or compilers. This can be a large project, but a very worthwhile one; following the method above, the jail can be refined to fit the server.
