Linux File System Security
by: Teck7

Note: This document has been tested on Turbo Linux 7.0 (kernel 2.4.5-4), RedHat 7.2 (kernel 2.4.9-13), and RedHat 7.0 (kernel 2.2.19). Also, it would be wise to back up /etc/fstab.

Maintaining and auditing the security of local file systems on both Linux servers and Linux workstations can be a time-consuming task, and one that must be done over and over. Proper control and restrictions on key system partitions can help eliminate problems with both security and resource consumption. You can have more control over how a file system like the /home and /tmp partitions is mounted with some nifty options like noexec and nosuid. This is set up in the /etc/fstab config file.

The fstab file contains descriptive information about the various file systems you have set up and their mount options; each line addresses one file system. Some key options regarding the security of file systems in the fstab config file are:

  defaults:  Allow everything (quota, read-write, and suid) on this partition.
  noquota:   Do not set user quotas on this partition.
  nosuid:    Do not honour SUID/SGID bits on this partition.
  nodev:     Do not allow access to character or block special devices on this partition.
  noexec:    Do not allow execution of any binaries on this partition.
  noauto:    Can only be mounted explicitly (i.e., the -a option will not mount the file system).
  usrquota:  Allow user quotas on this partition.
  user:      Allow an ordinary user to mount the given file system.
  nouser:    Forbid an ordinary (i.e., non-root) user from mounting the given file system.
  ro:        Mount this partition read-only.
  rw:        Mount this partition read-write.
  suid:      Honour SUID/SGID bits on this partition.

For more information on the options that you can set in the fstab file, see the man page for mount(8). In most situations we would want to edit the default mount options for /tmp, /var/tmp, /home and any Windows partitions we may have.
Edit the fstab file depending on your needs. For example, below is a portion of my /etc/fstab file before and after editing:

[Before]
# vi /etc/fstab
/dev/hda4  /var/tmp  ext2  defaults  1 2
/dev/hda5  /tmp      ext2  defaults  1 2
/dev/hdd2  /home     ext2  defaults  1 2
/dev/hda1  /win_c    auto  defaults  1 0

[After]
# vi /etc/fstab
/dev/hda4  /var/tmp  ext2  defaults,rw,nosuid,noexec    1 2
/dev/hda5  /tmp      ext2  defaults,rw,nosuid,noexec    1 2
/dev/hdd2  /home     ext2  defaults,rw,nosuid,usrquota  1 2
/dev/hda1  /win_c    auto  defaults,rw,nosuid,noexec    1 0

Although the defaults mount option provides rw, with older Linux distributions this was not the case: editing the default mount options would omit all the other defaults, thus removing rw access from a mount point. So it is simply good habit, to avoid problems, to include the rw option explicitly whenever you edit mount options.

In the above, I added the nosuid and noexec options to both /var/tmp and /tmp; since both locations are commonly used for the storage of temporary files, there is usually no need for files on those partitions to be executed or to have the suid bit set. With /home, I added the nosuid and usrquota options. The nosuid option is in place to keep users from exploiting suid files on /home (potentially in other user accounts), and usrquota is in place so we can make use of the Linux quota system and control disk space resources on a per-user basis. On /win_c (our FAT32 partition), I added the nosuid and noexec options for one sole reason: I only mount my Windows partitions in Linux so I can access common files such as documents. Thus there is no valid reason for a file on my FAT32 partition to have the suid bit enabled or to be executable. (I am not sure, but I don't even think suid bits can be placed on FAT32 partitions; nonetheless, better safe than sorry.)

Once you have made the necessary adjustments to the /etc/fstab file, it is time to make the Linux system aware of the modification.
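The following script is an added example, not part of the original document, for auditing an fstab file against the options recommended above (nosuid and noexec on /tmp and /var/tmp, nosuid on /home). The fstab text embedded in it is constructed for offline use, and the function names has_option and audit_fstab are my own; pointing the audit at a real /etc/fstab instead of the sample is left to the reader.

```shell
#!/bin/sh
# Added example (not from the original document): audit an fstab file for the
# hardening options the article applies to /tmp, /var/tmp and /home.
# SAMPLE_FSTAB is constructed; on a real system use: audit_fstab "$(cat /etc/fstab)"

SAMPLE_FSTAB=$(cat <<'EOF'
# <device>   <mount>    <type>  <options>                       <dump> <pass>
/dev/hda4    /var/tmp   ext2    defaults,rw,nosuid,noexec       1 2
/dev/hda5    /tmp       ext2    defaults                        1 2
/dev/hdd2    /home      ext2    defaults,rw,nosuid,usrquota     1 2
/dev/hda1    /win_c     auto    defaults,rw,nosuid,noexec       1 0
EOF
)

# has_option MOUNTPOINT OPTION FSTAB_TEXT
# Exit 0 if the (non-comment) entry whose mount point is MOUNTPOINT lists
# OPTION in its comma-separated options field (column 4), else exit 1.
has_option() {
    mp=$1; opt=$2; text=$3
    printf '%s\n' "$text" | awk -v mp="$mp" -v opt="$opt" '
        $0 !~ /^[[:space:]]*#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_fstab FSTAB_TEXT
# Print one line per missing option, as "MOUNTPOINT missing OPTION".
# Always returns 0; count the output lines to get the number of findings.
audit_fstab() {
    text=$1
    for mp in /tmp /var/tmp; do
        for opt in nosuid noexec; do
            if ! has_option "$mp" "$opt" "$text"; then
                echo "$mp missing $opt"
            fi
        done
    done
    if ! has_option /home nosuid "$text"; then
        echo "/home missing nosuid"
    fi
    return 0
}

# With the constructed sample, only /tmp is reported (nosuid and noexec missing).
audit_fstab "$SAMPLE_FSTAB"
```

The check is deliberately literal: it looks for the option token itself rather than guessing from the filesystem type, so a partition mounted with defaults alone is reported even when the device type would make the bit meaningless.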
This can be done with the mount command using the -o remount option, like below:

# mount -oremount /home
# mount -oremount /tmp
# mount -oremount /var/tmp
# mount -oremount /win_c

Each file system that has been modified must be remounted as shown above. In our example we modified the /home, /tmp, /var/tmp, and /win_c file systems, and for that reason we must remount each of them. Alternatively, a reboot of the system will bring the changes into effect, but if /etc/fstab contains errors you may not be able to restart the system properly.

Now that user quotas are enabled on our /home file system, we want to build the quota database for the system. To do this we use the quotacheck program:

# quotacheck -auvg

If you have an extensive number of users and files on /home, this command can take some time to run; it will also alert you to inode problems on /home.

Now we turn on quotas at the user-space level so the system can start using the quota information. To do this we use the quotaon command (alternatively, quotas can be turned off with the quotaoff command), like so:

# quotaon /home

To edit a given user's quota information we use the edquota command, like so:

# edquota natwizz
Disk quotas for user natwizz (uid 583):
  Filesystem   blocks   soft   hard   inodes   soft   hard
  /dev/hdd2      3233  45000  50000      378      0      0

The above shows us the file system which has quotas enabled (/dev/hdd2, mounted on /home), the space in use by the current user (blocks, in Kb), the soft and hard limits for the disk space quota, the inodes in use, and the soft and hard limits for inodes. The soft and hard limit concepts are fairly simple: the soft limit is the intended resource limit for a given user (e.g. 40 MB, approx. 40000 Kb). The hard limit is a grace allowance that you permit the user to exceed the soft limit by (e.g. a 5 MB grace, approx. 5000 Kb); the hard limit is intended as the stop point, between a user's soft limit and their grace. Grace resources for a user will only last 7 days by default.
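As an added example (not from the original document), the script below turns the soft/hard/grace model just described into a check that can be run over a quota report. The report text it contains is constructed to mimic the layout of a repquota user report (the column order is an assumption about that tool's output), and the function names quota_state and classify_quota_report are my own.

```shell
#!/bin/sh
# Added example (not from the original document): classify each user's block
# usage against the soft limit, the grace zone and the hard limit.
# SAMPLE_REPORT is constructed; for a live system pipe a real report in:
#   repquota -a | classify_quota_report

SAMPLE_REPORT=$(cat <<'EOF'
*** Report for user quotas on device /dev/hdd2
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --   18540       0       0           2145     0     0
natwizz   --    3233   45000   50000            378     0     0
bob       +-   47120   45000   50000  6days     412     0     0
eve       +-   50000   45000   50000   none     900     0     0
EOF
)

# quota_state USED SOFT HARD  (all in Kb, as edquota shows them)
# Prints one of:
#   unlimited  soft and hard are both 0, so nothing is enforced
#   ok         usage is at or below the soft limit
#   grace      usage is above the soft limit but below the hard limit;
#              the grace period (7 days by default) is running
#   hard       usage has reached the hard limit; further writes fail
quota_state() {
    used=$1; soft=$2; hard=$3
    if [ "$soft" -eq 0 ] && [ "$hard" -eq 0 ]; then
        echo unlimited
    elif [ "$hard" -gt 0 ] && [ "$used" -ge "$hard" ]; then
        echo hard
    elif [ "$soft" -gt 0 ] && [ "$used" -gt "$soft" ]; then
        echo grace
    else
        echo ok
    fi
}

# classify_quota_report
# Reads a repquota-style report on stdin and prints "USER STATE" for each
# user row. User rows are recognised by the two-character flag field
# ("--", "+-", ...) in column 2; columns 3-5 are block used/soft/hard.
classify_quota_report() {
    awk '$2 ~ /^[-+][-+]$/ { print $1, $3, $4, $5 }' |
    while read -r user used soft hard; do
        echo "$user $(quota_state "$used" "$soft" "$hard")"
    done
}

# Expected on the constructed sample: root unlimited, natwizz ok,
# bob grace, eve hard.
printf '%s\n' "$SAMPLE_REPORT" | classify_quota_report
```

Only the block limits are classified here; the same three-way comparison applies to the inode columns, which in the sample are all unlimited.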
To check up on the status of quotas on your system, we can use the repquota command, like so:

# repquota -a

The above will output quota information for all system users. It is pretty much self-explanatory (I hope).

Well, that concludes this document. I hope it has helped someone out there, and if you have any comments, questions or rants, feel free to email me at: ryan@r-fx.net