Filesystem/Security

Good security is like an onion, it has many layers. The file system is just another layer in the proverbial onion. While there are numerous file systems in existence, this guide tries to remain agnostic and focus more on the hierarchy itself rather then an individual implementation.

Partitioning
Partitioning is a key part of implementing security at the file system level.


 * It limits the impact of disk failure
 * It simplifies the process of creating backups
 * It allows administrators to add restrictions such as quotas and read-only permissions more effectively

File System Hierarchy
To better understand how to divide the file system across partitions and apply various restrictions, we need to understand a little about the function of the file system hierarchy and its major directories. Systems based on GNU/Linux or FreeBSD, like Gentoo, borrow from the traditional Unix file system hierarchy. This hierarchy was designed in a time when many physical disks where needed to span the whole system. In modern times with larger storage mediums being common place, average users need not worry about partitioning and file system hierarchy too much. But on a server we need to have a finer grained control over the system and manipulate it to our will.

Some of the more common directories include:

/       Pronounced as "root", this is the top level of the hierarchy. All other file systems are mounted somewhere below this one.

/root   Is the home directory of the root user. Typically email from daemons such as cron will be sent here.

/boot   Typically holds bootloader and its configuration, as well as kernel binaries.

/etc    On modern systems like GNU/Linux and FreeBSD this holds system wide configuration information.

/bin    System binaries are located here. Tools like grep, ls, and tar.

/sbin   Essential system binaries are located here; for example things to mount and create file systems. As well as the initialization daemon. Superuser privileged is required to use them.

/lib    System libraries are located here. On most 64bit systems /lib is usually just a symlink and separate /lib32 and /lib64 directories will exist.

/dev    Special device files are located here. This is one of the most important directories as its contents are how Unix-like systems interface with hardware from all but the lowest level, the drivers themselves.

/home   This directory is where the typical home directory for system users go. It usually isn't a good idea to put network shares for user home directories here.

/opt    Is a place for non-default software. A good generalization is that, if the software didn't come from Portage or another Gentoo maintained source, it should probably go here. Also troublesome software that doesn't cleanly follow the Unix File Hierarchy should go here to avoid disturbing the rest of the file system.

/tmp    This is scrap space that is used per-session and is typically overwritten on a reboot.

/var    This directory has been described as "multi-purpose" which is very accurate. It contains items ranging from system logs to PID files to spoolers, it even has its own temporary space.

/var/tmp As you might have guessed, this is the temporary space within /var. It deserves its own listing because Portage uses this as an area to unpack and build distfiles.

/usr    This is often referred to as "a secondary hierarchy" because more then often it mirrors the root directory in its layout, only it is where user applications are stored rather then system applications.

/proc   A virtual file system that allows users with privilege to monitor and modify kernel settings and configurations at run time.

Further reading:

FreeBSD Directory Structure

Linux Filesystem Hierarchy

So what has this to do with partitioning you ask? As was explained previously, the hierarchy was designed to involve multiple disks, partitions being logical disks, we can place some of these directories on their own file system and their own partition.

Its worth noting that: /etc, /bin, /sbin, /dev, and /lib MUST reside on the same partition as /

Sizing
It is rather difficult to judge what size a partition should be. It takes a bit of experience but after thinking about the machine's intended purpose, one can usually get a pretty good idea of sizing needs. For example a computer used on a typical client machine would benefit from a large /home directory, while on a server /home should be considerably smaller.

Mount options
On Unix-like systems mount points are typically defined in /etc/fstab.

This is an example of a recently created fstab on a home server, in the fourth column, mount options are listed.

The options we are currently focused on include:
 * ro/rw
 * suid/nosuid
 * dev/nodev
 * exec/noexec
 * user(s)/nouser
 * auto/noauto
 * defaults

Certain file systems like /usr and /boot have been mounted with ro or read-only permission (in contrast to rw, read-write). This makes adding software or running updates slightly more painful by requiring an extra couple reboots. But the occasional difficulty means that accidentally deleted files arn't really deleted and malicious software has a harder time living through a reboot. There are also certain files that need to be written to, for example /etc/resolv.conf. For these files you can move them to a separate directory with write access and then place a symlink in their place.

Mounting a file system with nosuid can also add more grief to an administrator's life. But this disables the suid and sgui bits so that sudo and su -c to not execute commands, a user must first login as the user with permission to execute or modify a file either directly or through su. This makes it more difficult for privilege escalation attacks to be successful.

Using nodev disables special device files on that file system. The kind commonly found under /dev. Really you don't want these kinds of files anywhere but /dev, they can let an attacker break out of a chroot jail and bypass other restrictions.

Noexec is a tricky option to enable. It disables executable permissions, and is great to place on directories like /tmp. However, extracting compressed files, for example distfiles, requires executable permissions. This is why, at least on Gentoo systems, /var/tmp should be placed on its own partition. Disabling executable permissions on /var is usually a good idea but without /var/tmp on a separate partition software installation under Gentoo would be hampered.

Nouser requires that root mount the file system. Specifying user means that any user can mount the system but it implies; noexec, nosuid, and nodev unless explicitly overridden. Some systems offer the users option which is similar to user but there is a corresponding users group which a user must first be a member of to mount the file system.

In the example above, noauto is passed to the /boot partition. Noauto means that the file system is not automatically mounted at boot time, conversely auto explicitly mounts file systems at boot time. It is desirable to mount /boot as noauto so that should something ever happen, for example a power outage, your boot partition is not uncleanly unmounted. So that when you go to boot, the kernel image is safe and any recovery tools such as a statically compiled busybox can be used to repair any damage.

Defaults will typically replace all of the following permissions with one word; rw, suid, dev, exec, auto, nouser, async

Further Reading:

Arch Linux has a fairly in depth overview of fstab at their wiki: Arch Linux fstab wiki

Chroot
What is chroot exactly?

Chroot comes as both a shell utility and a system call. What chroot does is quiet simple, it changes the way programs see the root file system. For example running this command:

will make /mnt/foo the new / within the shell process that ran the chroot command. Essentially chroot is a primitive sandbox that is quick and easy to set up.

Why would anyone want to do this to the file system?

Traditionally chrooting was used to run daemons out of as a security measure. Today this is looked down upon slightly, modern tools like Linux cgroups and FreeBSD jails, both offer more complete sandboxing and thus more security then the humble chroot.

But good old chroot is quick, easy to setup, and often has configure script support in some more popular daemons such as BIND and Apache. We can easily use chroot to provide a safe build environment. Chrooting into an extracted Stage3 tarball offers an easy to set up, strip down, and rebuild environment to build and test new technologies without risking the destruction of your current workstation.

File System Check
The second letter was originally different. -Dennis Ritche on fsck

Fsck is a utility that can be run on a file system that is corrupt. With modern journaled file systems, fsck is not only much quicker but typically has a higher success rate when recovering from corruption. There are quite a few options one could pass to the fsck command including some gotchas, so reading over the manual page is highly recommended. A basic fsck command might look like this:

This will run a consistency check on the 8th partition of the first sata disk and automatically repair any issues if the file system supports that option.

Some important things to remember when using fsck:
 * Never run fsck on a mounted partition
 * lost+found is where orphaned files go
 * rebooting after fscking is usually healthy

Automatic fscking can also be configured. The 5th column in an fstab entry contains two numbers, the second number (labeled 'pass' in the example above) is the priority that a file system will be fscked after so many reboots. This thresh hold can usually be configured with a utility, for example tune2fs. A zero in this section forces a file system to not be checked, and the lower the number the higher its priority is.

RAID
RAID technologies are pretty strait forwards, take a few hard drives and string them together. RAIDs are defined by their level. For example RAID 0 is a system where two or more disks are combined so that there is additional storage and a disk I/O performance bonus. This documentation will discuss RAID level 5 and RAID level 6 which both offer some security.

RAID controller
What ties a RAID system all together is known as a RAID controller. RAID controllers can exist in software or hardware. The primary difference is that hardware RAID controllers off load processing to the RAID controller itself rather then on the central processing unit, which in some high performance environments can be beneficial. However in home systems or small businesses, often a software RAID controller is enough.

Often times a hardware RAID controller will have its own special configuration method so be sure to read the documentation provided. However in the Linux world a tool called mdadm is used for software RAID setups. mdadm is preferred over the older raidtools package, but it is worth looking into if you are using an older system or have special needs. To install mdadm on Gentoo Linux simply run:

Creating a software RAID
Quickly before proceeding to the meat and potatoes, lets talk about the difference between RAID 5 and RAID 6. RAID 5 requires a minimum of three physical disks, and is able to withstand the loss of one of those disks, but will take a performance hit until the failed disk is replaced and the RAID is synchronized. RAID 6 requires a minimum of four physical disks and can withstand the loss of two disks, and will only see a noticeable performance hit if two drives fail at the same time. Just like RAID 5, failed drives should be replaced and the RAID should be synchronized.

When deciding between RAID 5 and RAID 6, it is important to note that RAID 6 is favored. RAID 5 has a write hole, essentially under certain circumstances the RAID will fail to preserve data because a flaw in the RAID 5 algorithm. For that reason the following example will detail RAID 6.

First you need support in your kernel for RAID systems:

Next our disks need to be partitioned, assume we have four disks: sda, sdb, sdc, and sdd. Use your favorite partitioning tool to format the drives and create empty partition tables on them. Then allocate all the space in to a single partition. Finally we actually create the RAID:

You should now have a new device file, /dev/md0 which can be manipulated just like any other disk device file, however md0 represents the RAID that was just created.

We aren't quite done yet. The mdadm tool uses a configuration file located at /etc/mdadm.conf and while this is an optional step, editing this configuration file it is a recommended step. Instead of manually filling out this file, lets be lazy and run a couple commands instead:

This configuration file serves two purposes, first it helps to document the RAID which is very important when it comes time to replace a disk. And second it helps the kernel activate the RAID during boot instead of a user doing it manually. You are also encouraged to explore the monitor feature of mdadm, this sends mail warnings to administrators as issues with the RAID are encountered.

Maintaining a software RAID
There are a few commands and kernel data structures with which administrators dealing with a software RAID should be familiar.

To get details about the RAID run:

Here you will also see the progress of a RAID recovery or sync.

Occasionally, you will need to do a check for bad blocks on the RAID, reallocate the data stored on them, and then sync the RAID. To do this run:

To cleanly halt a RAID sync:

For troubleshooting and configuration purposes, there is an option to simulate a disk failure:

Replacing failed disks
In our simulation, the disk at /dev/sda1 failed. To fix it, all we have to do is remove it from the RAID logically and readd it to the RAID. When real hardware fails in reality the process is similar, except the additional step of replacing the failed hardware.

First logically remove the drive from the RAID:

At this point, in a real failure situation we would need to swap the failed disk. Depending on the hardware configuration we might have to power the system down all the way to accomplish this.

Note: If you are following this example, you should have created disks with a single partition on them. When a disk fails and this method was used, simply repeating the formatting process on any disk will allow it to be added to the RAID without issue. If RAW disks were used instead of partitions, then a replacement disk must be exactly the same model as the other disks in the RAID.

TODO: effective use and creation of quotas, file system encryption, RAID