jailによるセキュアサーバー環境

以下のテキストは、執筆時当時の情報を元に書いたものであり、 現在の情勢にそぐわないことを含む場合があるので注意されたい。 また、テキストは最終提出原稿で校正を経る前のものなので、実際にUNIXUSER 本誌に記載されたものとは異なる。誤字脱字等そのままである。

致命的な誤り以外は加筆修正等は行なわないので情報の鮮度に気をつけつつ 利用して欲しい。

目次


Part3 jail

FreeBSD chrootjail(8)
jailIP





Part3jailWeb
Web Apache 



WebWeb
jail
IPWeb
 

---[ ]------------------------------------------------------------
Apache

                      +---///--- the Internet...
		     /
	            /
  +------- /(IP)---------------------+
  |               /
  |     +---- httpd.conf -----+
  |     |  .....              |
  |     |  ............       | 1
  |     |  .....              |
  |     +---------------------+
  |     /           \         \--
  |  +-- www1 --+  +-- www2 --+   \
  |  | Virtual  |  | Virtual  |   +-- www3 --+
  |  |  Host 1  |  |  Host 2  |   | Virtual  |
  |  +----------+  +----------+   |   Host 3 |  . . . . . .
  |  			          +----------+
  |
  +----------------------------------------------------------------+



Jail


                +------------------+---------------+--/// the Internet...
	       /                  /               /
	      /                  /               /
  +------- //(/IP)--/------------------+
  |         /                  /               /
  |  +--- jail  1 --+  +--- jail  2 --+  +--- jail  3 --+  
  |  | [httpd.conf] |  | [httpd.conf] |  | [httpd.conf] |
  |  |		    |  |	      |	 |		|
  |  +--------------+  +--------------+  +--------------+
  |     jail
  |
  |
  +----------------------------------------------------------------

----------------------------------------------------------------------


jail


Part2chroot(8)
jail

jailIP

jailIP





chroot

chrootchrootkill

jailjail
 

---[ ]--------------------------------------------------------

----------------------------------------

# ps axl
  UID   PID  PPID CPU PRI NI   VSZ  RSS MWCHAN STAT  TT       TIME COMMAND
    0     0     0   0 -16  0     0    4 sched  DLs   ??    0:03.50  (swapper)
    0     1     0   0   8  0   740  376 wait   ILs   ??    0:00.65 /sbin/init -
    0     2     0   0  -8  0     0   12 g_even DL    ??    5:24.70  (g_event)
    0     3     0   0  -8  0     0   12 g_up   DL    ??    5:21.52  (g_up)
    0     4     0   0  -8  0     0   12 g_down DL    ??    5:46.93  (g_down)
    0     5     0   0 -16  0     0   12 psleep DL    ??    0:06.82  (pagedaemon
    0     6     0   8  20  0     0   12 psleep DL    ??    0:00.00  (vmdaemon)
    0     7     0   0 171  0     0   12 pgzero DL    ??    0:14.61  (pagezero)
    0     8     0   0 -16  0     0   12 psleep DL    ??    0:33.46  (bufdaemon)
       :
       :
       :
    0   431     1   3   8  0  1612 1304 wait   Is    v0    0:01.66 login [pam]
 2020   597   431   0  20  0  2472 2180 pause  I     v0    0:04.15 -zsh (zsh)
 2020   927   597   0   5  0   224  120 ttyin  I+    v0    0:00.03 cat
    0   432     1 134   5  0  1236  908 ttyin  Is+   v1    0:00.15 /usr/libexec


----------------------------------------

chroot
# 
  UID   PID  PPID CPU PRI NI   VSZ  RSS MWCHAN STAT  TT       TIME COMMAND
    0     0     0   0 -16  0     0    4 sched  DLs   ??    0:03.51  (swapper)
    0     1     0   0   8  0   740  376 wait   ILs   ??    0:00.65 /sbin/init -
    0     2     0   0  -8  0     0   12 g_even DL    ??    5:24.88  (g_event)
    0     3     0   0  -8  0     0   12 g_up   DL    ??    5:21.66  (g_up)
    0     4     0   0  -8  0     0   12 g_down DL    ??    5:47.13  (g_down)
    0     5     0   0 -16  0     0   12 psleep DL    ??    0:06.83  (pagedaemon
    0     6     0   8  20  0     0   12 psleep DL    ??    0:00.00  (vmdaemon)
    0     7     0   0 171  0     0   12 pgzero DL    ??    0:14.61  (pagezero)
    0     8     0   0 -16  0     0   12 psleep DL    ??    0:33.48  (bufdaemon)
       :
       :
       :
    0   431     1   3   8  0  1612 1304 wait   Is    v0    0:01.66 login [pam]
 2020   597   431   0  20  0  2472 2180 pause  I     v0    0:04.15 -zsh (zsh)
 2020   927   597   0   5  0   224  120 ttyin  I+    v0    0:00.03 cat
    0   432     1 134   5  0  1236  908 ttyin  Is+   v1    0:00.15 /usr/libexec



----------------------------------------
jail

# ps axl
  UID   PID  PPID CPU PRI NI   VSZ  RSS MWCHAN STAT  TT       TIME COMMAND
    0   986   632   0   8  0   896  588 wait   SJ    p0    0:00.18 /bin/sh
    0   990   986   2  96  0   656  432 -      R+J   p0    0:00.02 ps axl


jail

----------------------------------------------------------------------

jailID



root

jail(UID=0)



	* 
	* IP
	  
	*  mount/umount
	* 
	* raw, divert, 
	* sysctl
	* 
	* jail



	* jail
	* jail
	  ()
	* jailIPTCP/UDP
	  
	* uid/gid


jailrootjail

root




jail


jail jail(8) 
FreeBSD
5.1-RELEASE(5.1R)FreeBSD 4.x 
5.1R4.xjail
jail jls jail
jail jexec 


jail

jailIPv4
IPv4 
jail IP alias 
 

---[ ]------------------------------------------------------------

    +------------------- jailhost ---------------------+
    |							 |
    |			  +------------+ +------------+	 |
    |	  |jail 1| |jail 2|	 |
    |		/	  +---+--------+ +---+--------+	 |
    |	  _____/_____________/______________/___	 |
    |    /    /    Network  / Interface    /    \	 |
    +---|  10.1.2.100   10.1.2.101   10.1.2.102  |-------+
           1	2    3
			(alias)	     (alias)
----------------------------------------------------------------------


/etc/rc.conf 
 fxp0  
 rc.conf 

	ifconfig_fxp0='inet 10.1.2.100 netmask 255.255.255.0'
	ifconfig_fxp0_alias0='inet 10.1.2.101 netmask 255.255.255.255'
	ifconfig_fxp0_alias1='inet 10.1.2.102 netmask 255.255.255.255'



	
	aliasLISTEN

jail1jail
2 sshd 
 sshd aliasLISTENsshd
 /etc/ssh/sshd_config 

	ListenAddress 0.0.0.0

LISTEN
10.1.2.101,  10.1.2.102 jail
sshdssh
 sshd_config 

	ListenAddress 10.1.2.100
	ListenAddress 127.0.0.1

sshLISTENIPv4
jailapache
 httpd.conf  Listen 

	Listen 0.0.0.0:80

	Listen 10.1.2.100:80
	Listen 127.0.0.1:80





jail

EXAMPLE"Setting up a Jail Directory Tree" 
FreeBSD 


     # jail(8) EXAMPLES, "Setting up a Jail Directory Tree": build a full
     # userland under $D from /usr/src (quoted by the author as-is; $D is
     # unquoted throughout, so use a path without spaces).
     D=/here/is/the/jail
     cd /usr/src
     mkdir -p $D
     # installs the whole world into $D (far more than a service jail needs,
     # as the man page itself notes)
     make world DESTDIR=$D
     cd etc
     # presumably populates $D/etc with the stock configuration files
     make distribution DESTDIR=$D
     # the jail gets its own devfs mounted inside the tree
     mount_devfs devfs $D/dev
     cd $D
     # presumably satisfies tools that look for /kernel without exposing the
     # real kernel file — TODO confirm
     ln -sf dev/null kernel


jail


     In many cases this example would put far more stuff in the jail than is
     needed.  In the other extreme case a jail might contain only one single
     file: the executable to be run in the jail.

jail
jail
 Part2 chroot

Part2 "put far more stuff" 
Part2


 2 alias 


	IP		10.1.2.101
			prison.example.net 
	jail	/opt/jail/prison
		httpdCGI

jail


httpdjail

jailjail
ntpDNS
jail
jail
OS


jail apache(httpd) Web
CGI


 

Part2CGI


---[ ]------------------------------------------------------

chroot /bin (ls )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[              dd             link           pwd            sleep
cat            echo           ln             realpath       stty
chflags        ed             ls             red            sync
chmod          expr           mkdir          rm             tcsh
cp             getfacl        mv             rmdir          test
csh            hostname       pax            setfacl        unlink
date           kill           ps             sh             zsh

chroot /etc (ls )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
devfs.conf      localtime       pwd.db          spwd.db
hosts           master.passwd   resolv.conf


chroot /sbin (ls )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ifconfig        ldconfig        md5

chroot /usr/libexec (ls )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ld-elf.so.1     tcpd

chroot /usr/sbin (ls )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
chown           jls             sshd            tcpdmatch
chroot          pstat           syslogd         vipw
inetd           pw              tcpdchk

--------------------------------------------------------------------

 


tmp

  

	# cd /opt/jail/prison
	# mkdir -p -m 1777 tmp var/tmp



  /usr/bin  /usr/local/bin CGI
  jail
  
	* /usr/bin
	* /usr/libexec
	* /usr/local

  jail
  
  

	# mount -t nullfs -r /usr/lib /opt/jail/prison/usr/lib
	# mount -t nullfs -r /usr/bin /opt/jail/prison/usr/bin
	# mount -t nullfs -r /usr/local /opt/jail/prison/usr/local

---[ ]------------------------------------------------------------
FreeBSD 4 nullfs null 
20016 nullfs 
4.8R  5.1R  nullfs 

 unionfs 4.7R

----------------------------------------------------------------------

  -r  read-only jail

(/dev)

  Part2 FreeBSD 5.1R  devfs 
  jail
   devfs 

  devfs(8)devfs
  
  
  

	# devfs rule -s  delset           . . . . (1)
	# devfs rule -s  	  . . . . (2)

  1()2
  

  jail

	null, zero, random, urandom

  4
  10
  delset 

	# devfs rule -s 10 delset

  (hide)

	# devfs rule -s 10 add hide

  4(unhide)

	# devfs rule -s 10 add path null unhide
	# devfs rule -s 10 add path zero unhide
	# devfs rule -s 10 add path random unhide
	# devfs rule -s 10 add path urandom unhide

  

	# devfs rule -s 10 show
	  ~~~~~~~~~~~~~~~~~~~~~
	100 hide
	200 path null unhide
	300 path zero unhide
	400 path random unhide
	500 path urandom unhide

   100, 200, ... 
   jail  /dev 
  devfs

	# mkdir /opt/jail/prison/dev
	# mount -t devfs devfs /opt/jail/prison/dev

  10

	# devfs -m /opt/jail/prison/dev rule -s 10 applyset

  

	# ls /opt/jail/prison/dev
	  ~~~~~~~~~~~~~~~~~~~~~~~
	null            random          urandom         zero

   devfs  devfs(8) 
  

  
  

   /etc/fstab 

	devfs  	/opt/jail/prison/dev	devfs	rw	0	0


  jail
  ()

jail

jailjail(8)jail

	jail []   IP 

jail
IPjail
jailjail


jail

	a. jailjail
	b. jail

2

jail

  devfsjail 
  

---[ ]--------------------------------------------------------
/opt/jail/start-prison.sh
~~~~~~~~~~~~~~~~~~~~~~~~~
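	#!/bin/sh
	# Start the "prison" jail: restrict its devfs view, then launch jail(8).
	#
	# Exit on the first failing command: if a devfs rule step fails we must
	# not go on and start the jail with an unrestricted /dev.
	set -e

	# jail root, hostname and IP alias as configured in the article
	jail_root=/opt/jail/prison
	jail_host=prison.example.net
	jail_ip=10.1.2.101
	# devfs ruleset number reserved for this jail
	ruleset=10

	# Drop any previous rules (tolerated: the set may not exist yet on a
	# fresh boot), hide everything, then expose only the four device nodes
	# the jail needs.
	devfs rule -s "$ruleset" delset || true
	devfs rule -s "$ruleset" add hide
	for node in null zero random urandom; do
	  devfs rule -s "$ruleset" add path "$node" unhide
	done
	# Apply the ruleset to the jail's /dev; assumes devfs is already mounted
	# there (e.g. via the /etc/fstab entry).
	devfs -m "$jail_root/dev" rule -s "$ruleset" applyset

	# Run /etc/rc (a path inside the jail) as the jail's initial process.
	/usr/sbin/jail "$jail_root" "$jail_host" "$jail_ip" /etc/rc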
----------------------------------------------------------------------

     jail  /etc/rc 
   b. 
   

---[ ]--------------------------------------------------------
/opt/jail/prison/etc/rc
~~~~~~~~~~~~~~~~~~~~~~~

	#!/bin/sh
	# First process of the jail (this file is the command start-prison.sh
	# passes to jail(8)); it replaces itself with csh, presumably so the
	# operator gets a shell inside the jail for the interactive test.
	exec /bin/csh
----------------------------------------------------------------------

jail(a.)

	# /opt/jail/start-prison.sh
	  ~~~~~~~~~~~~~~~~~~~~~~~~~
	#





Web


 Web 
Web


Apache2

 Apache 2.0.47 ( httpd-2.0.47.tar.gz) 
configure
makePREFIX /usr/apache2 


	# tar zxpf httpd-2.0.47.tar.gz
	# ./configure --prefix=/usr/apache2 && make


jail
 

---[ ]------------------------------------------------------------
autoconf 
make install  make DESTDIR=/opt/jail/prison install 
$DESTDIR
Apache2  expat 
 Makefile  $DESTDIR 

----------------------------------------------------------------------

	# make install
	# mv /usr/apache2 /opt/jail/prison/usr

jailApache//

jail ,
jailApache (jail)# 
jail

	(jail)# /usr/apache2/bin/apachectl start

jailHTTP


	()
	% telnet 10.1.2.101 80
	  ~~~~~~~~~~~~~~~~~~~~
	Trying 10.1.2.101 80
	Connected to prison.example.net
	Escape character is '^]'.
	GET /
	~~~~
	
	
	
	  :
	  :
	  :


Apache

	(jail)# /usr/apache2/bin/apachectl stop

	(jail)# /usr/apache2/bin/apachectl restart

apachectl
Apache

FreeBSD 5.1R jail
jail(JID)jls


	# jls
	   JID  IP Address      Hostname                 Path
	     3  10.1.2.101   prison.example.net        /opt/jail/prison

35.1R  jexec jail


	# jexec 3 /bin/sh

jailjexecjail
FreeBSD 4.xjexecjail
SSH


jailWebapache
/opt/jail/prison/etc/rc 



jail

Web ~/public_html 
jail



Webjail

Part2
jail
 XX((Part2 ))  
Makefile /opt/jail/prison/etc 
jail
jail etc/passwd UID1000


	# cd /opt/jail/prison			(jail)
	  ~~~~~~~~~~~~~~~~~~~
	# exec sh				(/bin/sh)
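	# grep -v '^#' etc/passwd \
	  | awk -F: '$3 >= 1000 {print $1,$6}' \
	  | while read -r user dir; do
	      # never let chown -R walk the whole jail tree: skip entries with
	      # an empty or "/" home directory (pseudo-accounts with a high UID,
	      # such as nobody, may also pass the UID test — check the jail's
	      # passwd before running this)
	      case "$dir" in ''|/) continue ;; esac
	      # quote every expansion and end option parsing with -- so a user
	      # name or home directory with spaces or a leading '-' is safe;
	      # paths stay relative to the jail root
	      mkdir -p -- "./$dir/public_html"
	      chown -R -- "$user" "./$dir"
	      ls -ld -- "./$dir"
	    done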

 ~/public_html 



	taro
	taro% ln -s /opt/jail/prison/home/taro/public_html ~/


jail

jailjail
jail
(pw, vipw)jail



jailsshd
sshdjail 


	* /etc/sshd/ SSH
	* sshd /var/empty 
	* /etc/pam.d/sshd
	* /usr/lib pam
	* (devfs)
	* termcap (/usr/share/misc/termcap.db)
	* 

devfs devfs


	()
	devfs rule -s 10 add path 'tty*' unhide
	devfs -m /opt/jail/prison/dev rule -s 10 applyset

jail sshd 
Part2


ssh
jailIPLISTEN




Webjail
IPjail



jail


jail

jail
jail
jail



jail

Webftp

jail

jail





yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA