File System Security
Good security is like an onion, it has many layers. The file system is just another layer in the proverbial onion. While there are numerous file systems in existence, this guide tries to remain agnostic and focus more on the hierarchy itself rather then an individual implementation.
Partitioning is a key part of implementing security at the file system level.
- It limits the impact of disk failure
- It simplifies the process of creating backups
- It allows administrators to add restrictions such as quotas and read-only permissions more effectively
File System Hierarchy
To better understand how to divide the file system across partitions and apply various restrictions, we need to understand a little about the function of the file system hierarchy and its major directories. Systems based on GNU/Linux or FreeBSD, like Gentoo, borrow from the traditional Unix file system hierarchy. This hierarchy was designed in a time when many physical disks where needed to span the whole system. In modern times with larger storage mediums being common place, average users need not worry about partitioning and file system hierarchy too much. But on a server we need to have a finer grained control over the system and manipulate it to our will.
Some of the more common directories include:
/ Pronounced as "root", this is the top level of the hierarchy. All other file systems are mounted somewhere below this one.
/root Is the home directory of the root user. Typically email from daemons such as cron will be sent here.
/boot Typically holds bootloader and its configuration, as well as kernel binaries.
/etc On modern systems like GNU/Linux and FreeBSD this holds system wide configuration information.
/bin System binaries are located here. Tools like grep, ls, and tar.
/sbin Essential system binaries are located here; for example things to mount and create file systems. As well as the initialization daemon. Superuser privileged is required to use them.
/lib System libraries are located here. On most 64bit systems /lib is usually just a symlink and separate /lib32 and /lib64 directories will exist.
/dev Special device files are located here. This is one of the most important directories as its contents are how Unix-like systems interface with hardware from all but the lowest level, the drivers themselves.
/home This directory is where the typical home directory for system users go. It usually isn't a good idea to put network shares for user home directories here.
/opt Is a place for non-default software. A good generalization is that, if the software didn't come from Portage or another Gentoo maintained source, it should probably go here.
/tmp This is scrap space that is used per-session and is typically overwritten on a reboot.
/var This directory has been described as "multi-purpose" which is very accurate. It contains items ranging from system logs to PID files to spoolers, it even has its own temporary space.
/var/tmp As you might have guessed, this is the temporary space within /var. It deserves its own listing because Portage uses this as an area to unpack and build distfiles.
/usr This is often referred to as "a secondary hierarchy" because more then often it mirrors the root directory in its layout, only it is where user applications are stored rather then system applications.
/proc A virtual file system that allows users with privilege to monitor and modify kernel settings and configurations at run time.
So what has this to do with partitioning you ask? As was explained previously, the hierarchy was designed to involve multiple disks, partitions being logical disks, we can place some of these directories on their own file system and their own partition.
Its worth noting that: /etc, /bin, /sbin, /dev, and /lib MUST reside on the same partition as /
It is rather difficult to judge what size a partition should be. It takes a bit of experience but after thinking about the machine's intended purpose, one can usually get a pretty good idea of sizing needs. For example a computer used on a typical client machine would benefit from a large /home directory, while on a server /home should be considerably smaller.
On Unix-like systems mount points are typically defined in /etc/fstab.
This is an example of a recently created fstab on a home server, in the fourth column, mount options are listed.
The options we are currently focused on include:
Certain file systems like /usr and /boot have been mounted with ro or read-only permission (in contrast to rw, read-write). This makes adding software or running updates slightly more painful by requiring an extra couple reboots. But the occasional difficulty means that accidentally deleted files arn't really deleted and malicious software has a harder time living through a reboot. There are also certain files that need to be written to, for example /etc/resolv.conf. For these files you can move them to a separate directory with write access and then place a symlink in their place.
Mounting a file system with nosuid can also add more grief to an administrator's life. But this disables the suid and sgui bits so that sudo and su -c to not execute commands, a user must first login as the user with permission to execute or modify a file either directly or through su. This makes it more difficult for privilege escalation attacks to be successful.
Using nodev disables special device files on that file system. The kind commonly found under /dev. Really you don't want these kinds of files anywhere but /dev, they can let an attacker break out of a chroot jail and bypass other restrictions.
Noexec is a tricky option to enable. It disables executable permissions, and is great to place on directories like /tmp. However, extracting compressed files, for example distfiles, requires executable permissions. This is why, at least on Gentoo systems, /var/tmp should be placed on its own partition. Disabling executable permissions on /var is usually a good idea but without /var/tmp on a separate partition software installation under Gentoo would be hampered.
Nouser requires that root mount the file system. Specifying user means that any user can mount the system but it implies; noexec, nosuid, and nodev unless explicitly overridden. Some systems offer the users option which is similar to user but there is a corresponding users group which a user must first be a member of to mount the file system.
In the example above, noauto is passed to the /boot partition. Noauto means that the file system is not automatically mounted at boot time, conversely auto explicitly mounts file systems at boot time. It is desirable to mount /boot as noauto so that should something ever happen, for example a power outage, your boot partition is not uncleanly unmounted. So that when you go to boot, the kernel image is safe and any recovery tools such as a statically compiled busybox can be used to repair any damage.
Defaults will typically replace all of the following permissions with one word; rw, suid, dev, exec, auto, nouser, async
Arch Linux has a fairly in depth overview of fstab at their wiki: Arch Linux fstab wiki
What is chroot exactly?
Chroot comes as both a shell utility and a system call. What chroot does is quiet simple, it changes the way programs see the root file system. For example running this command:
will make /mnt/foo the new / within the shell process that ran the chroot command. Essentially chroot is a primitive sandbox that is quick and easy to set up.
Why would anyone want to do this to the file system?
Traditionally chrooting was used to run daemons out of as a security measure. Today this is looked down upon slightly, modern tools like Linux cgroups and FreeBSD jails, both offer more complete sandboxing and thus more security then the humble chroot.
But good old chroot is quick, easy to setup, and often has configure script support in some more popular daemons such as BIND and Apache. We can easily use chroot to provide a safe build environment. Chrooting into an extracted Stage3 tarball offers an easy to set up, strip down, and rebuild environment to build and test new technologies without risking the destruction of your current workstation.
File System Check
The second letter was originally different. -Dennis Ritche on fsck
Fsck is a utility that can be run on a file system that is corrupt. With modern journaled file systems, fsck is not only much quicker but typically has a higher success rate when recovering from corruption. There are quite a few options one could pass to the fsck command including some gotchas, so reading over the manual page is highly recommended. A basic fsck command might look like this:
This will run a consistency check on the 8th partition of the first sata disk and automatically repair any issues if the file system supports that option.
Some important things to remember when using fsck:
- Never run fsck on a mounted partition
- lost+found is where orphaned files go
- rebooting after fscking is usually healthy
Automatic fscking can also be configured. The 5th column in an fstab entry contains two numbers, the second number (labeled 'pass' in the example above) is the priority that a file system will be fscked after so many reboots. This thresh hold can usually be configured with a utility, for example tune2fs. A zero in this section forces a file system to not be checked, and the lower the number the higher its priority is.
TODO: creating partitions, effective use and creation of quotas, file system encryption, discuss cgroups and freebsd jails lightly, RAID