Running Apache under chroot, and the Jail System
Written: 2003/08/30 20:58
Author: EcusE ( http://free4u.dnip.net )
1. Introduction
There are several ways to run Apache under chroot; this article describes
applying chroot by patching the Apache source.
The trend on *nix seems to be for daemons of all kinds (ftpd, named, etc.)
to run under chroot.
For web server security vulnerabilities and chroot, see the PLUS document:
http://www.plus.or.kr/book/SecurityPLUS-2nd/node10.html
For other ways of applying chroot, see the links below:
http://www.linuxfocus.org/English/January2002/article225.shtml
http://www.networkdweebs.com/chroot.html
Running the jail project, which operates the system in a chrooted state,
together with a chrooted apache should make for somewhat safer server operation.
jail project
http://free4u.dnip.net/weblog/stories.php?story=01/10/24/5067801
2. Downloading the patch file
Patch download site -
http://home.iae.nl/users/devet/apache/chroot/
The patch on the site above is for apache-1.3.26, but there is also a patch
file that applies regardless of version (1.3.x series), so download that one.
Patch for apache-1.3.26
http://home.iae.nl/users/devet/apache/chroot/apache_1.3.26.chroot.patch
(If it is hard to download from the location above, it is also available at the location below.)
http://free4u.dnip.net/docs/apache/apache_1.3.26.chroot.patch
Patch for other versions
http://home.iae.nl/users/devet/apache/chroot/patch-zz
(If it is hard to download from the location above, it is also available at the location below.)
http://free4u.dnip.net/docs/apache/patch-zz
3. Installation
First, unpack the apache and php sources into a suitable directory.
/www is used as the example here.
# pwd
/www/src
To hide the Apache version and similar details in phpinfo and the like,
rename the apache source directory (e.g. httpd, webserver).
To hide or alter the name and version of the apache daemon itself,
see the link below.
http://free4u.dnip.net/weblog/stories.php?story=01/08/08/6470343
If needed, the php version can be hidden or altered as well:
open /www/src/php/main/php_version.h and edit it as appropriate.
Now patch the apache source.
Move patch-zz into the /www/src/apache directory (the same goes for the 1.3.26 patch),
apply it with the command
patch -p0 < patch-zz
and check whether any errors (rejects and so on) occur.
A few hunk messages are reported, but they cause no real problem.
From this point on, install apache, php and mysql the same way as in an
ordinary build from source.
Once all three are installed, open conf/httpd.conf in the directory given as
the prefix when apache was configured and check that the following setting
is present.
4. Configuration
# file httpd.conf
# ChrootDir: The directory to chroot to
#
# NOTE: When using this all directory/file references in DocumentRoot,
# and should be relative to this ChrootDir!
#
#ChrootDir "/some/path"
Uncomment the setting above (here /www/ is used as the example chroot directory):
ChrootDir "/www"
If ServerRoot is set to "/www/httpd", the system "/" as apache sees it is
replaced by "/www". With ServerRoot likewise set to /www/httpd, a setting such as
DocumentRoot "/www/httpd/htdocs" is recognized as a path of the form
/chroot_dir/serverroot_dir/htdocs.
Naturally, links in html documents must not point at the system root, because
nothing can leave the chroot directory /www.
Links, includes and so on in html, php and similar files work normally only
under the chroot_dir, /www/httpd/htdocs.
# php.ini settings
If zendoptimizer, phpa or similar were installed and used through php.ini,
create a directory such as /www/lib and correct the paths in php.ini, and they will work.
php also runs as an apache module, so it cannot reach the system "/" and
sees "/www" as the system "/".
In the ZendOptimizer setting below, "/Zend" will be /www/Zend.
zend_extension=/Zend/lib/ZendOptimizer.so
If a jail system is already installed and in use, setting the chroot
directory chosen at jail install time and the system root of the chroot-patched
apache to the same directory leaves both users and the web server chrooted,
which allows somewhat safer system operation.
When an existing jail system is run together with apache, php and mysql,
the location of mysqld's sock file matters: the socket file must be somewhere
apache can reach.
A place such as /www/tmp in apache's chroot directory is suitable.
Copy the my.cnf file used so far to /www/etc/, open the existing mysqld startup
script, change the old paths in it to /www/mysql and run it. If the mysql
daemon fails to start or dies, check /www/mysql/data/*.log and similar files
to resolve the problem.
See below for an example /www/etc/my.cnf.
###########################################################
[client]
password =
port = 3306 # The port can be changed if needed.
socket = /www/var/lock/mysql.sock
[mysqld]
password =
port = 3306
socket = /www/var/lock/mysql.sock
##########################################################
Existing web boards and the like also need the location of the mysql.sock file
corrected in their configuration files before they can use the mysql db.
With the settings above, the socket path for each web board will be
:/www/var/lock/mysql.sock
----------------------------------------------------------
From here on, the settings described are for running a jail system together
with a chrooted apache.
With web boards (jsboard, zeroboard, etc.) or php's mail() function, mail is
not sent properly.
php automatically configures the sendmail installed on the system and executes it.
The system's sendmail is located in /usr/sbin, so create a /www/usr/sbin directory
and copy sendmail, its libraries and its configuration files so that sendmail can run properly.
Use the command ldd /usr/sbin/sendmail to find the shared libraries that the
sendmail executable references.
It will print output similar to the following.
[root@free4u:/]#ldd /usr/sbin/sendmail
libnsl.so.1 => /lib/libnsl.so.1 (0x40020000)
libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40036000)
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40040000)
libdb-3.1.so => /lib/libdb-3.1.so (0x40046000)
libresolv.so.2 => /lib/libresolv.so.2 (0x400bf000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x400d1000)
libdl.so.2 => /lib/libdl.so.2 (0x400ff000)
libc.so.6 => /lib/i686/libc.so.6 (0x40103000)
libpam.so.0 => /lib/libpam.so.0 (0x4023f000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Now create directories under /www that mirror the original system: /etc, /lib, /usr, /usr/bin,
/usr/sbin and so on (if the jail system is installed they will already
exist, and the files needed to run the jail system will already have been copied as well).
Copy the libraries one by one to /www/lib/, /www/usr/lib and so on, matching
their paths on the original system.
Once the libraries are copied, copy the /etc/mail directory that sendmail
references to /www/etc/mail so that sendmail can run properly.
Then copy the entry for the mail user from /etc/passwd and add it to
/www/etc/passwd.
Create the /www/var/spool/clientmqueue directory and change its ownership to
root.mail.
- the clientmqueue and mail directories need permissions of 755 or higher -
(Alternatively, the existing /var/spool/clientmqueue directory can be copied;
the permissions must of course be preserved when copying.)
In the same way, create the /www/var/spool/mail directory and set its ownership
the same as clientmqueue.
Also add the entry for the mail user from /etc/shadow to /www/etc/shadow.
In php.ini, leave the sendmail path at its commented-out default.
If everything is configured correctly, when php, running as a module of the
chrooted apache, sends mail through a form mailer or similar, the sendmail that
runs is /www/usr/sbin/sendmail and the actual mail data is stored in /var/spool/mail/user_name.
Confirming with a webmail program or similar that the mail arrives properly
completes the sendmail setup.
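
The library-copy step above, as an added example that is not part of the original article: it parses ldd output, copies each library to the same path under the jail, and lists any that are still missing. The function names and the populate.sh invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article); function names are assumed.

# Constructed sample in the format of the ldd output shown above.
SAMPLE_LDD='    libnsl.so.1 => /lib/libnsl.so.1 (0x40020000)
    libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40036000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# ldd_paths: read ldd output on stdin, print each absolute library path once.
# Lines with no path ("linux-vdso.so.1 (addr)", "name => not found") are skipped.
ldd_paths() {
    awk '{
        p = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\//) p = $i    # keep the last absolute path on the line
        if (p != "" && !seen[p]++) print p
    }'
}

# jail_missing JAIL: read library paths on stdin, print those absent from JAIL.
jail_missing() {
    while IFS= read -r lib; do
        [ -e "$1$lib" ] || printf '%s\n' "$lib"
    done
}

# jail_copy JAIL FILE: copy FILE to JAIL/FILE, creating parent directories.
# cp -p keeps mode and timestamps; a symlinked library is copied as a regular
# file under the link's name, so nothing in the jail points outside it.
jail_copy() {
    mkdir -p "$1$(dirname "$2")" && cp -p "$2" "$1$2"
}

# populate JAIL BINARY: copy BINARY and every library ldd reports into JAIL.
# Run ldd only on binaries you trust: on some systems it loads the binary.
populate() {
    jail_copy "$1" "$2" || return 1
    ldd "$2" | ldd_paths | while IFS= read -r lib; do
        jail_copy "$1" "$lib" || exit 1
    done
}

# Assumed invocation: sh populate.sh /www /usr/sbin/sendmail
if [ "$#" -eq 2 ]; then
    populate "$1" "$2"
    ldd "$2" | ldd_paths | jail_missing "$1"   # prints nothing when complete
fi
```

Configuration files such as /etc/mail and the passwd and shadow entries are not shared libraries, so ldd does not report them; they still have to be copied by hand as described above.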