Filesystem/Security

Good security is like an onion, it has many layers. The file system is just another layer in the proverbial onion. While there are numerous file systems in existence, this guide tries to remain agnostic and focus more on the hierarchy itself rather then an individual implementation.

Partitioning
Partitioning is a key part of implementing security at the file system level.
 * It limits the impact of disk failure
 * It simplifies the process of creating backups
 * It allows administrators to add restrictions such as quotas and read-only permissions more effectively

File System Hierarchy
To better understand how to divide the file system across partitions and apply various restrictions, we need to understand a little about the function of the file system hierarchy and its major directories. Systems based on GNU/Linux or FreeBSD, like Gentoo, borrow from the traditional Unix file system hierarchy. This hierarchy was designed in a time when many physical disks where needed to span the whole system. In modern times with larger storage mediums being common place, average users need not worry about partitioning and file system hierarchy too much. But on a server we need to have a finer grained control over the system and manipulate it to our will.

Some of the more common directories include:
 *        Pronounced as "root", this is the top level of the hierarchy. All other file systems are mounted somewhere below this one.
 *    Is the home directory of the root user. Typically email from daemons such as cron will be sent here.
 *    Typically holds bootloader and its configuration, as well as kernel binaries.
 *     On modern systems like GNU/Linux and FreeBSD this holds system wide configuration information and is a good target for regular backups.
 *     System binaries are located here. Tools like grep, ls, and tar.
 *    Essential system binaries are located here; for example things to mount and create file systems. As well as the initialization daemon. Superuser privilege is required to use them.
 * '    System libraries are located here. On most 64bit systems  is usually just a symlink and separate ' and  directories will exist.
 *     Special device files are located here. This is one of the most important directories as its contents are how Unix-like systems interface with hardware from all but the lowest level, the drivers themselves.
 *    This directory is where the typical home directory for system users go. It usually isn't a good idea to put network shares for user home directories here.
 *     Is a place for non-default software. A good generalization is that, if the software didn't come from Portage or another Gentoo maintained source, it should probably go here. Also troublesome software that doesn't cleanly follow the Unix File Hierarchy should go here to avoid disturbing the rest of the file system.
 *     This is scrap space that is used per-session and is typically overwritten on a reboot.
 *     This directory has been described as "multi-purpose" which is very accurate. It contains items ranging from system logs to PID files to spoolers, it even has its own temporary space.
 *  As you might have guessed, this is the temporary space within . It deserves its own listing because Portage uses this as an area to unpack and build distfiles.
 *     This is often referred to as "a secondary hierarchy" because more then often it mirrors the root directory in its layout, only it is where user applications are stored rather then system applications.
 *    Procfs is a virtual file system that allows users with privilege to monitor and modify kernel settings and configurations at run time.

Further reading:
 * FreeBSD Directory Structure
 * Linux Filesystem Hierarchy
 * Filesystem Hierarchy Standard, LSB Workgroup, The Linux Foundation, Version 3.0

So what has this to do with partitioning you ask? As was explained previously, the hierarchy was designed to involve multiple disks, partitions being logical disks, we can place some of these directories on their own file system and their own partition.

Its worth noting that:, , , , and MUST reside on the same partition as.

Sizing
It is rather difficult to judge what size a partition should be. It takes a bit of experience but after thinking about the machine's intended purpose, one can usually get a pretty good idea of sizing needs. For example a computer used on a typical client machine would benefit from a large directory, while on a server  should be considerably smaller.

Mount options
On Unix-like systems mount points are typically defined in fstab:

This is an example of a recently created fstab on a home server, in the fourth column, mount options are listed.

The options we are currently focused on include:
 * ro/rw
 * suid/nosuid
 * dev/nodev
 * exec/noexec
 * user(s)/nouser
 * auto/noauto
 * defaults

Certain file systems like and  have been mounted with ro or read-only permission (in contrast to rw, read-write). This makes adding software or running updates slightly more painful by requiring an extra couple reboots. But the occasional difficulty means that accidentally deleted files arn't really deleted and malicious software has a harder time living through a reboot. There are also certain files that need to be written to, for example. For these files you can move them to a separate directory with write access and then place a symlink in their place.

Mounting a file system with nosuid can also add more grief to an administrator's life. But this disables the suid and sgid bits so that files can not run with the permissions of their owner. This makes it more difficult for privilege escalation attacks to be successful.

Using nodev disables special device files on that file system. The kind commonly found under. Really you don't want these kinds of files anywhere but, they can let an attacker break out of a chroot jail and bypass other restrictions.

Noexec is a tricky option to enable. It disables executable permissions, and is great to place on directories like. However, extracting compressed files, for example distfiles, requires executable permissions. This is why, at least on Gentoo systems, should be placed on its own partition. Disabling executable permissions on is usually a good idea but without  on a separate partition software installation under Gentoo would be hampered.

Nouser requires that root mount the file system. Specifying user means that any user can mount the system but it implies; noexec, nosuid, and nodev unless explicitly overridden. Some systems offer the users option which is similar to user but there is a corresponding users group which a user must first be a member of to mount the file system.

In the example above, noauto is passed to the partition. Noauto means that the file system is not automatically mounted at boot time, conversely auto explicitly mounts file systems at boot time. It is desirable to mount as noauto so that should something ever happen, for example a power outage, your boot partition is not uncleanly unmounted. So that when you go to boot, the kernel image is safe and any recovery tools such as a statically compiled busybox can be used to repair any damage.

Defaults will typically replace all of the following permissions with one word; rw, suid, dev, exec, auto, nouser, async

Further Reading:
 * Arch Linux has a fairly in depth overview of fstab at their wiki: Arch Linux fstab wiki

Chroot
What is chroot exactly?

Chroot comes as both a shell utility and a system call. What chroot does is quiet simple, it changes the way programs see the root file system. For example running this command:

will make the new  within the shell process that ran the chroot command. Essentially chroot is a primitive sandbox that is quick and easy to set up.

Why would anyone want to do this to the file system?

Traditionally chrooting was used to run daemons out of as a security measure. Today this is looked down upon slightly, modern tools like Linux cgroups and FreeBSD jails, both offer more complete sandboxing and thus more security then the humble chroot.

But good old chroot is quick, easy to setup, and often has configure script support in some more popular daemons such as BIND and Apache. We can easily use chroot to provide a safe build environment. Chrooting into an extracted Stage3 tarball offers an easy to set up, strip down, and rebuild environment to build and test new technologies without risking the destruction of your current workstation.

File System Check
The second letter was originally different. -Dennis Ritche on fsck

Fsck is a utility that can be run on a file system that is corrupt. With modern journaled file systems, fsck is not only much quicker but typically has a higher success rate when recovering from corruption. There are quite a few options one could pass to the fsck command including some gotchas, so reading over the man page is highly recommended. A basic fsck command might look like this:

This will run a consistency check on the 8th partition of the first sata disk and automatically repair any issues if the file system supports that option.

Some important things to remember when using fsck:
 * Never run fsck on a mounted partition
 * lost+found is where orphaned files go
 * rebooting after fscking is usually healthy

Automatic fscking can also be configured. The 5th column in an fstab entry contains two numbers, the second number (labeled 'pass' in the example above) is the priority that a file system will be fscked after so many reboots. This thresh hold can usually be configured with a utility, for example tune2fs. A zero in this section forces a file system to not be checked, and the lower the number the higher its priority is.

RAID
RAID technologies are pretty strait forwards, take a few hard drives and string them together. RAIDs are defined by their level. For example RAID 0 is a system where two or more disks are combined so that there is additional storage and a disk I/O performance bonus. This documentation will discuss RAID level 5 and RAID level 6 which both offer some security.

RAID controller
What ties a RAID system all together is known as a RAID controller. RAID controllers can exist in software or hardware. The primary difference is that hardware RAID controllers off load processing to the RAID controller itself rather then on the central processing unit, which in some high performance environments can be beneficial. However in home systems or small businesses, often a software RAID controller is enough.

Often times a hardware RAID controller will have its own special configuration method so be sure to read the documentation provided. However in the Linux world a tool called mdadm is used for software RAID setups. mdadm is preferred over the older raidtools package, but it is worth looking into if you are using an older system or have special needs. To install mdadm on Gentoo Linux simply run:

Creating a software RAID
Quickly before proceeding to the meat and potatoes, lets talk about the difference between RAID 5 and RAID 6. RAID 5 requires a minimum of three physical disks, and is able to withstand the loss of one of those disks, but will take a performance hit until the failed disk is replaced and the RAID is synchronized. RAID 6 requires a minimum of four physical disks and can withstand the loss of two disks, and will only see a noticeable performance hit if two drives fail at the same time. Just like RAID 5, failed drives should be replaced and the RAID should be synchronized.

When deciding between RAID 5 and RAID 6, it is important to note that RAID 6 is favored. RAID 5 has a write hole, essentially under certain circumstances the RAID will fail to preserve data because a flaw in the RAID 5 algorithm. For that reason the following example will detail RAID 6.

First you need support in your kernel for RAID systems:

Next our disks need to be partitioned, assume we have four disks:, , , and. Use your favorite partitioning tool to format the drives and create empty partition tables on them. Then allocate all the space in to a single partition. Finally we actually create the RAID:

You should now have a new device file, which can be manipulated just like any other disk device file, however  represents the RAID that was just created.

The array needs to do an initial sync which will take a while to finish. This will take upwards of several hours, depending on multiple factors including disk size. I was able to get relatively better performance by issuing the following command:

We aren't quite done yet. The mdadm tool uses a configuration file located at and while this is an optional step, editing this configuration file it is a recommended step. Instead of manually filling out this file, lets be lazy and run a couple commands instead:

This configuration file serves two purposes, first it helps to document the RAID which is very important when it comes time to replace a disk. And second it helps the kernel activate the RAID during boot instead of a user doing it manually. You are also encouraged to explore the monitor feature of mdadm, this sends mail warnings to administrators as issues with the RAID are encountered. A long with the monitor feature, a MAILADDR variable can be specified in to give mdadm a mail address to send warnings to.

Maintaining a software RAID
There are a few commands and kernel data structures with which administrators dealing with a software RAID should be familiar.

To get details about the RAID run:

Here you will also see the progress of a RAID recovery or sync.

Occasionally, you will need to do a check for bad blocks on the RAID, reallocate the data stored on them, and then sync the RAID. To do this run:

To cleanly halt a RAID sync:

For troubleshooting and configuration purposes, there is an option to simulate a disk failure:

Replacing failed disks
In our simulation, the disk at failed. To fix it, all we have to do is remove it from the RAID logically and readd it to the RAID. When real hardware fails in reality the process is similar, except the additional step of replacing the failed hardware.

First logically remove the drive from the RAID:

At this point, in a real failure situation we would need to swap the failed disk. Depending on the hardware configuration we might have to power the system down all the way to accomplish this.

To add a disk into the RAID as a replacement run this:

Once a new disk is added, the RAID should automatically begin rebuilding itself.

Quotas
Quotas are an important tool for administrators of multi-user systems. They allow you to prevent a group, user, or process (through group and user restrictions) from filling up disk space. This is particularly useful on for example a server that hosts a network share. Gentoo documentation already covers this topic in depth in their user and group limitations guide.

Encryption
Under construction

Permissions
Under construction

The Traditional Unix Way
In Unix, everything is a file. As such, permissions revolve around a series of file attributes. In a nutshell, these attributes relate to a; read-bit, write-bit, executable-bit, setuid-bit, setgid-bit, sticky-bit, and information about owner, group, and world.

Example output of the ls command:

The very first column shows various information about the file in question, including the permissions set on it: the first dash indicates this is a file, not a directory (which would be marked by a d). An s would mean it's a socket file, and an l would make it a link. The next three spaces show whether the read-bit (r), write-bit (w), or executable-bit (x) is set for the owner of the file. The next three denote the same permission bits, but for the group instead of the user. The third group of three bits denote permissions for the world, or everyone else on the system. This is the basic Unix permissions model.

In the third column, the user 'root' can be seen as the owner of the file, while the fourth column shows the group, also named 'root' in the example.

Looking into permissions deeper, the 'setuid' and 'setgid' bits are somewhat less commonly used, especially by the common user, also being considerably more dangerous if used incorrectly. If used correctly, setuid and setgid bits can make system management much easier by making permissions more flexible. Essentially, the setuid (set user id) bit, when activated, will allow the file to be executed with the permissions of its owner by anyone. Likewise, setgid (set group id) will allow any user to execute a file with the permissions of its group.

One way of making use of these, is for administrators to give users access to particular programs that would otherwise required the root password. With the ls command, the x denoting user executable permission will be replaced by an s if the setuid-bit is set. This means that in the group permission section, an s will replace the x if the setgid-bit is set.

The sticky-bit can be confusing: while traditionally, it had a very clear use, it has evolved over time and different Unix environments have different uses for it. On Linux, the sticky bit can be set on directories, and as a consequence, any files under those directories can be deleted (or unlinked) only by the owner. If the sticky-bit is set, a t will be displayed at the far right of the user-group-world permissions listing in the ls output.

Managing permission bits, bit wrangling
Being able to wrangle all these permissions bits is very important for the system administrator(s). The tools of the trade are; chmod, chown, chgrp, and umask.

Further still, understanding the hex values that activate and deactivate various bits is just as important:


 * 0 - no permissions are set
 * 1 - execute only
 * 2 - write only
 * 3 - write and execute
 * 4 - read only
 * 5 - read and execute
 * 6 - read and write
 * 7 - read, write, and execute

The setuid, setgid, and sticky bits are separated from the other permissions bits so their values can be repeated:


 * 0 - clears any previously set bit in this category
 * 1 - stickybit
 * 2 - setgid
 * 4 - setuid

One of the most useful tools for changing permissions is chmod, which simply modifies the state of the permission bits on a file or directory. For example, to set a file as writeable by the owner, but only readable by everyone else, one would use the following command:

To add the setuid bit to that file, a fourth column is used. This is the column where setgid, setuid, and stickybit are specified:

Another useful tool is chown, which changes ownership of files and directories. Its basic usage is fairly straightforward:

Yet another useful tool, chgrp, might not be that often used on workstations, but is more useful for servers and mainframes. It allows one to to change only the group ownership of files and directories, while leaving the user ownership intact.

This might be useful for a shared directory:

The umask shows the current default file creation bit mask, and allows for a different mask to be set so that all new files created in the current working directory will have those permissions bits activated by default. Because it is a mask, the way the permissions are represented is different from chmod:


 * 0 - read, write, and execute
 * 1 - read and write
 * 2 - read and execute
 * 3 - read only
 * 4 - write and execute
 * 5 - write only
 * 6 - execute only
 * 7 - no permissions are set

Example of setting a directory to have full permissions for the owner, but 'read only' for everyone else:

Backups
Under construction, lightly discuss, link to existing Gentoo wikis