FreeBSD & Jail

Author: ldconfig
Joined: 2002-06-09
Posts: 1090

Posted: Fri 2002-10-11 14:40:25    Subject: FreeBSD & Jail
The jail command first appeared in FreeBSD 4.0. It is used to "imprison" a process together with the child processes it spawns. Combined with FreeBSD's own securelevel, jail can significantly restrict what root (inside the jail) is able to do.

Suppose an application is running on a system and, some time later, it turns out to contain a fatal security hole. On an ordinary system that application may already have become a hole in the system; crackers may already have compromised it, become root and taken control of the machine. If the application had been running inside a jail, however, even crackers who broke in would be unable to reach any part of the system outside the jail: the application can move about freely inside the jail, but it cannot gain further privileges or access any resource outside it. This property lets an administrator defend against unknown vulnerabilities, so that these latent holes do not threaten the security of the whole system.

jail is generally used in two ways:

1. Restricting what an application is able to do.

For example FTP servers and DNS servers: putting "famous" software like wu-ftpd and bind, which turn up a new hole every few weeks, into a jail lets you sleep better.

2. A controlled host.

Sometimes you need to give outsiders administrative shell access. Say company A has a partner B whose project needs a shell, even root, on one of A's machines. That calls for a controlled host: the user can control nearly every resource he needs inside the jail (except for whatever the jail denies him).

The first kind of use is not very complicated; in fact it is fairly simple to set up, and anyone who has played with chroot on Linux will have no trouble. The second kind has many interesting properties, and those properties are the most attractive part of jail.

Let us start with the simplest part:

Class 1: restricting an application

First install the application you want to jail in the usual way. Below I will use pure-ftpd as the example (I am not very familiar with it; I just grabbed what was at hand, and it is said to be decent).

This ftpd installs by default into /usr/local/sbin and /usr/local/bin, with some related files under /etc. The layout does not feel especially clean, but it does not need much to run: /usr/local/sbin/pure-ftpd plus a few files like /etc/xxx and /etc/xxxx.

Next, use ldd to see which shared libraries /usr/local/sbin/pure-ftpd needs:

tester# cd /usr/local/sbin
tester# ldd pure-ftpd
pure-ftpd:
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2807b000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28094000)
        libc.so.4 => /usr/lib/libc.so.4 (0x2809d000)

That adds a few more items to our to-do list: /usr/lib/......

ldd likewise tells us where the libraries of any other program we want to put into the jail live. Once the information is gathered, we build the jail directory tree (here I assume the jail is built under /jail; of course you can pick whatever location you like):

tester# mkdir -p /jail/usr/{lib,libexec,local/sbin,local/bin,local/etc,etc,var/run,var/log}

Then copy each of the files listed above, libcrypt.so.2 and so on, into the corresponding place. Do not forget ld-elf.so.1, a very important file on FreeBSD: ldd does not mention it, but it must be copied too or the application will not start. We now have a very clean (minimal) runtime environment for the application. The syntax of the jail command is:



jail path hostname ip-number command

Now run it inside the jail:

tester# jail /jail jailed.host.name $JAILED_IP_ADDR /usr/local/sbin/pure-ftpd [options]

Here /jail is the location of your jail environment, i.e. what the jailed application will "believe" to be its "/"; jailed.host.name is the hostname you want to give this jail (some applications need to know it); $JAILED_IP_ADDR is the IP address on which you intend to offer the FTP service (or whatever service the application provides, e.g. web); and /usr/local/sbin/pure-ftpd [options] is the application's path inside the jail together with the arguments it needs.

Then check the process state with ps:

tester# ps -axf |grep pure-ftpd
95 ?? IsJ 0:00.92 pure-ftpd (SERVER) (pure-ftpd)

Every pure-ftpd process shows a J, marking that the program is running inside a jail.

At this point some administrative programs may stop working, because they cannot find the files they need to access. Locate the files those programs need (log files, for example) and create a soft link to them; the administrative programs will usually carry on working normally.

That completes a jail for a single application.

Class 2: building a controlled host

In this case we first have to build a complete image of the current version of the operating system (the script below comes from the FreeBSD 4.6-RELEASE man page; the jail-tree scripts in the man pages of 4.5 and earlier all had problems, which were corrected in 4.6):



tester# cat >>/root/mkjail.sh
jailhome=/data/jail
cd /usr/src
mkdir -p $jailhome
make world DESTDIR=$jailhome
cd etc
make distribution DESTDIR=$jailhome -DNO_MAKEDEV_RUN
cd $jailhome/dev
sh MAKEDEV jail
cd $jailhome
ln -sf dev/null kernel
^D
tester# sh /root/mkjail.sh

At the end you get a complete jail tree under /data/jail, built from the current source tree.

Next:

tester# mkdir $jailhome/stand
tester# cp /stand/sysinstall $jailhome/stand
tester# jail $jailhome jailed.system.box 192.168.0.123 /bin/csh
(now we have a shell inside the jail)
jailed# /stand/sysinstall

sysinstall lets you set the jail system's usual variables, such as time zone, DNS and mail, as well as the programs the jail should run on "startup".

If you know the system well enough, you can do all of this by hand:

copy /etc/localtime to $jailhome/etc so applications in the jail get the correct time;

copy /etc/resolv.conf to $jailhome/etc/resolv.conf so the jail can resolve domain names;

run newaliases inside the jail to stop sendmail complaining;

if you intend to run inetd, change its startup flags to add -a $LISTEN_ADDR (a jail cannot discover the system's IP address on its own, so one has to be supplied). In rc.conf it should look like this:

inetd_flags="-wW -a 192.168.0.123"

Run the host's own syslogd with the -ss option so that it does not open a listening port: add syslogd_flags="-ss" to /etc/rc.conf (and do the same in $jailhome/etc/rc.conf).

Create an empty /etc/fstab inside the jail and remove the interface address assignment from its rc.conf, so the jail does not complain at startup.

To actually run the jail system you also need to give it an IP address it can be reached on; the address may be in the same subnet as the real system or in a different one.

tester# ifconfig fxp0 192.168.0.123 netmask 0xffffffff alias

(This binds an alias to the fxp0 interface, ready to serve.)

Once all of this is done there are several ways to start the jail. One is to run, from outside the jail:

tester# jail $jailhome jailed.system.box $jail_IP_ADDR /bin/sh /etc/rc

Another is to start only remote-access services such as sshd/telnetd inside the jail:

tester# jail $jailhome jailed.system.box $jail_IP_ADDR /usr/sbin/inetd -wW -a $jail_IP_ADDR

and then log in from outside to run and configure the jail environment, or start the needed application services by hand.

For a production jail I recommend the first method, with the command that starts the jail placed in the (real system's) /etc/rc.local, so that the jail gets a fairly complete environment resembling the real machine.

With that the jail system is built and working. Add regular, strict backups, security checks and audits on the real system, and you have a pretty good secure system. Ordinary script kiddies can no longer pose a real threat; even someone close to the black hats who obtains a working attack script before the hole is published and gets into your system can only move about inside the jail, and you can tell when he came in and left and what he did. Restoring the system and guarding against the next unknown attack is then easy.

A few things to note when administering a jail system:

1. The accounts and passwords inside the jail are different from the real system's, but when you run ps outside the jail or look at files in the jail tree, the jail's internal uids are read as the outside system's uids. It is therefore best to edit /etc/adduser.conf inside the jail and raise the starting uid, e.g. uid_start="5000", so that when managing files and processes from outside you do not mistake the owner of a file or process.

2. Every activity inside the jail is restricted. Tools like top/vmstat cannot be used, and things that need direct hardware access such as mknod and dd will not work either, so monitoring the system state from inside the jail is rather difficult.

3. To shut down a jail remotely there are two ways: enter the jail and run kill -TERM -1 or kill -KILL -1, which sends SIGTERM or SIGKILL to every process in that jail; or run /etc/rc.shutdown inside the jail. Shutting down locally is simple: just kill every process carrying the J flag.

4. A system can run several jails, and they cannot interfere with each other. If you run an application from outside with

tester# jail $jailhome jailed.system.box $jail_IP_ADDR /path/to/application

and later try to manage that application from a jailed shell obtained with

tester# jail $jailhome jailed.system.box $jail_IP_ADDR /bin/csh

it will fail, because these are two independent jails that cannot touch each other. For flexible management of processes inside a jail I recommend starting telnetd or sshd alongside the application; those services then run in the same jail as the application, and after logging in remotely you get a shell in that same jail.

5. All software inside the jail should be kept at the same version as the outside system. When the outside system's sources are synced to a new version and make world has been redone, I recommend regenerating the jail too, to avoid obscure errors.

6. One more practice that I am not sure is correct: every time ps is run inside the jail the system reports that /var/run/dev.db is missing, which is unpleasant. Copy the real system's /var/run/dev.db to $jailhome/var/run/ and the problem goes away.

References:

jail(8)

man 8 jail

First published at www.freebsdchina.org.

This article may be freely reproduced by non-commercial online media. Please do not abridge it when reproducing it; if errors need correcting, please notify the original author at the same time.
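Scripted form of the library-gathering step from the first post (an added example, not the poster's own commands): it turns ldd output into the list of files the jail needs, adds ld-elf.so.1 which ldd omits, reports unresolved libraries, and copies everything under the jail root. jail_file_list, populate_jail and SRCROOT are names chosen here; the sample ldd text is constructed from the post's pure-ftpd listing.

```shell
#!/bin/sh
# Added example (not from the original post): build the minimal jail tree
# for one binary from its ldd output, as the post does by hand for pure-ftpd.
# Assumes FreeBSD-style ldd lines "libX.so.N => /path/libX.so.N (0x...)" and
# the runtime linker at /usr/libexec/ld-elf.so.1.

# Constructed sample of ldd output (the post's pure-ftpd listing).
SAMPLE_LDD='pure-ftpd:
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2807b000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28094000)
        libc.so.4 => /usr/lib/libc.so.4 (0x2809d000)'

# Print every file the binary $1 needs inside the jail: the binary itself,
# each resolved library from the ldd text on stdin, and the runtime linker.
# Libraries ldd could not resolve ("=> not found") are reported on stderr,
# because copying the rest would still leave the jailed program unable to start.
jail_file_list() {
    printf '%s\n' "$1"
    awk '$2 == "=>" {
            if ($3 ~ /^\//) print $3;
            else print "unresolved: " $1 > "/dev/stderr"
         }'
    printf '%s\n' /usr/libexec/ld-elf.so.1
}

# Copy the files listed on stdin from SRCROOT (default: the live system)
# into jail root $1, keeping their absolute paths. Prints the copy count.
populate_jail() {
    jailroot=$1
    count=0
    while IFS= read -r f; do
        mkdir -p "$jailroot$(dirname "$f")"
        cp "${SRCROOT:-}$f" "$jailroot$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Live usage (as root, on the host):
#   ldd /usr/local/sbin/pure-ftpd | jail_file_list /usr/local/sbin/pure-ftpd | populate_jail /jail
```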
Author: muyishui
Joined: 2004-11-11
Posts: 58

Posted: Thu 2006-07-13 01:26:39    Subject: Securing FreeBSD using Jail (could not find a better place to put this)

Securing FreeBSD Using Jail

Evan Sarmiento

Editor's note: This article discusses a project that gives root access to anyone who wants it. The OpenRoot project operates in a virtual machine and uses FreeBSD's Jail feature. This author's implementation of OpenRoot is intended for training and experimentation purposes only. The practice of giving out root to all comers (with or without a Jail) is too risky for most environments, however, this article provides useful information.

I started a project called Openroot, where I give root access to anyone on a box on my network. In this environment, users, mostly students like me, can learn, experiment, install software like Apache and Sendmail, or tinker around with configuration files to see how they work. However, this project was mostly intended to help me learn, in-depth, about UNIX security procedures. I've taken many precautions, which can not only help you secure a UNIX system like this one, but may also help secure general-purpose UNIX systems. Primarily, I used a feature present in FreeBSD from versions 4.0 and onward called Jail.

Essentially, Jail creates a process tree exclusively for itself. Processes inside the Jail cannot affect processes outside. Thus, by recreating the base system files inside a Jail, it acts like an independent computer (see Figure 1).

A Jailed environment, of course, has some restrictions. For example, users inside a Jail cannot kill processes outside or harm the actual computer; users inside a Jail cannot mount filesystems or delete partitions using fdisk. Most importantly, users cannot use system calls that could enable them to break out of the Jail. Therefore, Jail was a godsend for my Openroot project. If someone typed "rm -rf /", it could ruin the experience for everyone, because all Openroot users use the same Jail. But an auto-restore script running on the host computer restores the Jail every hour. In this article, "$D" will always stand for the Jail's directory and "$IF" for interface name, and so on.

Preparation

Openroot runs on a Pentium 75 with 48 MB of RAM and a 6-GB hard drive. I think these are the minimum requirements necessary to run a server like this one. I chose to use FreeBSD 5.0-CURRENT on Openroot for no reason other than that I was curious about the current release. You can download FreeBSD 5.0 ISOs from:


ftp://current.jp.freebsd.org/pub ... ts/i386/ISO-IMAGES/

If you plan to implement a Jailed system in a company, I recommend installing a stable version of FreeBSD, such as 4.2.
Once FreeBSD is installed, you extract the system sources from the CD as follows:


1. Run /stand/sysinstall.

2. Enter the configure menu.

3. Enter the distributions menu.

4. Move down to src and press the space bar.

5. Move to All, and press the spacebar.

6. Press ok until you get to the menu that asks you where the sources are located. Choose the one appropriate for you, and wait until it extracts all the sources. It may take a while.

Installing the Jail

Setting up the Jail is probably one of the easiest parts. All it requires is lots of patience. There is much to compile and configure. The following steps recreate the whole operating environment inside the Jail. If you're experiencing any trouble with this procedure, another good resource for Jail information is its own man page.


1. Create a directory where you want the Jail to reside. For example, Openroot resides in /usr/openroot. A good tip is to make a quota for your Jailed directory. In Openroot, this was indeed important. If you do not have this restriction, a malicious user could spawn multiple processes that execute the command cat /dev/urandom > haha.$$. After a while, this could overflow the partition on which the Jail resides, which is not good for the host computer. If a quota is installed, this could be avoided. If you're unfamiliar with quotas, read the man page and related documents on quota.

2. D=/usr/openroot -- Assigning the variable "D" to point to the directory where you want the Jail to be held becomes very convenient when typing in further commands.

3. cd /usr/src

4. make hierarchy DESTDIR=$D -- This command creates the usual filesystem structure in the directory you specified.

5. make obj

6. make depend

7. make all -- This command compiles all of the sources. Grab a jolt and watch The Matrix.

8. make install DESTDIR=$D -- After make all is completed, this command installs all the compiled binaries in the destination directory.

9. cd etc

10. make distribution DESTDIR=$D NO_MAKEDEV=yes -- This sets up the configuration files in the etc directory of where your Jail is located.

11. cd $D/dev

12. sh MAKEDEV jail -- This command makes all the devices specific to a Jailed environment.

13. cd $D

14. ln -sf dev/null kernel -- However surprising, this is the command you have to type. The Jail does not have a separate kernel; it shares the one on the host system.

Configuring the Jailed Environment

There are a few configuration files that must be edited to tailor the Jail to your needs. For example, you must edit /etc/rc.conf and specify that inetd listens only on the host's IP address, not the Jail's. This is important mainly because you do not want untrusted Jailed users trying to root your other boxen. For example, if I were careless and ran sshd on all IP addresses, a Jailed user could type "ssh -l root localhost", and instead of getting a login prompt that would lead to the Jail, it would lead to the host computer. Again, remember to specify the IP address on which you want your services on the host computer to listen.


sendmail_enable="NO"
inetd_flags="-wW -a $IP_ADDRESS"
portmap_enable="NO"
syslogd_flags="-ss"

There are a few other servers that have this problem, such as sshd, nfsd, named, sendmail, syslogd, and portmap. However, it's easier and safer to keep the fewest possible services running on the host environment.
To configure the Jail, you need to use sysinstall. Copy sysinstall to the Jailed directory:


1. mkdir $D/stand/

2. cp /stand/sysinstall $D/stand


Now, start the Jail.


jail $D <hostname of jail> <ip address of jail> /bin/sh

You should reach a shell prompt, and you are inside the Jail. Run /stand/sysinstall and configure the Jail. Remember, you do not have to configure the interface. You may want to install some packages; do so now.
Starting the Jail for the First Time

Jail assigns itself the IP address you specify using the jail command. In order for the Jail to correctly assign itself that IP address, you must first create an alias for that IP address on the host machine. For example, I want the Jail to run on 169.69.7.2. This is what I would do:


1. ifconfig <interface> alias 169.69.7.2 netmask 255.255.255.0

2. When you type ifconfig, you should see two IP addresses for that interface -- the one you assigned to it when you installed FreeBSD, and the alias you added to the interface.

3. Start the Jail:


jail $D <hostname> <ip address> /bin/sh /etc/rc

4. You should see startup messages flow by; most of the errors are not important. To test the Jail's operation, I edited inetd.conf inside the Jail, and uncommented telnetd. I ran this command and, from the host machine, telnetted into the Jailed environment. If everything worked, you should be presented with the usual telnet login screen.
Shut Down the Jail

Shut down, reboot, and halt will not work within a Jail. To shut down the Jail, you must use the commands kill -KILL -1, or kill -TERM -1.

Jail Security, in the Case of Openroot

There are many scriptkiddies out there in the world just wanting to ruin your day. These scriptkiddies love Openroot, and because of them, Openroot could be down for hours. Jail does not provide enough security on its own; there needs to be a little more. Here is how I fixed most of the problems posed by scriptkiddies.

I wrote a small shell script that restores Openroot every hour with a clean base system. There are two ways you could approach this -- by using cron, or by using the sleep shell script function. I chose to use the sleep approach. On my system, cron was acting up, and it was very rare that it would actually execute the script on time.

Auto-Restore Script: Shell Method

1. cd $D

2. tar cvf ../backup.tar *

3. echo System is going down for restore in five minutes > $D/etc/restore.msg

4. vi ~/restore


#!/bin/bash
# Names used in the article: $D is the Jail's directory, $IF the host
# interface that carries the Jail's alias. Set $IF to your interface name.
D=/usr/openroot
while true; do
sleep 3600
# do nothing for one hour
jail $D openroot 169.69.7.2 /usr/bin/wall < $D/etc/restore.msg
# (the redirect is opened on the host, so the message file is read from $D/etc)
sleep 300

ifconfig $IF 169.69.7.2 -alias
# Because there is no good way to shut down a Jail externally, I
# need to use this crude method to get users off.
killall -9 inetd
# If I do not do this, the proc table could fill up. Every time a
# Jail is launched, it starts its own inetd process.
killall -9 cron
# Same as above, although if you are using cron for the
# auto-backup script, there is a more involved killall you can
# use. The J stands for a jailed process.
( ps aux | grep cron | grep sJ | awk '{print $2}' > /tmp/cron.proc
xargs kill -9 < /tmp/cron.proc )
tar xvf /usr/backup.tar -C $D
# restore the clean base system saved with "tar cvf ../backup.tar *"
ifconfig $IF alias 169.69.7.2 netmask 255.255.255.0
# bring the interface back up
jail $D openroot 169.69.7.2 /bin/sh /etc/rc
# This starts all the services
done
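A check for the host-side rc.conf settings the article lists (an added example, not from the article or the Openroot project): it flags an inetd without -a <host IP>, a syslogd without -ss, and sendmail or portmap left enabled on the host. check_host_rc and rc_value are names chosen here; the two rc.conf samples are constructed, and 192.0.2.1 is a placeholder host address.

```shell
#!/bin/sh
# Added example (not from the original article): audit a host rc.conf for the
# listeners the article says must not be reachable from inside the Jail.
# Only what the article names is checked: inetd "-a <host IP>", syslogd "-ss",
# and sendmail/portmap disabled. The expected host address is passed as $1.

# Constructed samples: a weak host rc.conf beside the corrected one.
RC_WEAK='inetd_enable="YES"
inetd_flags="-wW"
sendmail_enable="YES"
portmap_enable="YES"
syslogd_flags=""'

RC_FIXED='inetd_enable="YES"
inetd_flags="-wW -a 192.0.2.1"
sendmail_enable="NO"
portmap_enable="NO"
syslogd_flags="-ss"'

# Print the value of rc.conf variable $1 in the text $2, quotes stripped
# (the last assignment wins, as it does when sh sources rc.conf).
rc_value() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { v = $2 } END { gsub(/"/, "", v); print v }'
}

# Print one line per finding for rc.conf text $2 given host address $1.
# The exit status is the number of findings (0 = nothing to fix).
check_host_rc() {
    host_ip=$1; rc=$2; n=0
    case "$(rc_value inetd_flags "$rc")" in
        *"-a $host_ip"*) ;;
        *) echo "inetd_flags: no '-a $host_ip', inetd also answers on the Jail address"; n=$((n + 1)) ;;
    esac
    case "$(rc_value syslogd_flags "$rc")" in
        *-ss*) ;;
        *) echo "syslogd_flags: no -ss, syslogd opens a network listener"; n=$((n + 1)) ;;
    esac
    for svc in sendmail portmap; do
        if [ "$(rc_value ${svc}_enable "$rc")" != "NO" ]; then
            echo "${svc}_enable: not NO, so it listens on every address including the Jail's"; n=$((n + 1))
        fi
    done
    return $n
}

# Usage on a live host: check_host_rc 192.0.2.1 "$(cat /etc/rc.conf)"
```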