Linux supports a wide variety of file systems. They provide a good operation and user interface for data storage and management. In a file system, security mechanisms and problems such as file/directory access permission management and control, and encrypted file systems need to be considered, this article describes in detail the technologies and methods to ensure the security of Linux file systems.
File System Types in Linux
With the development of Linux, the file format system supported by Linux is also expanding rapidly. Particularly after the official launch of the Linux kernel, a large number of new file systems emerged, including the log file system Ext4, Ext3, ReiserFS, XFS, JFS, and other file systems. The Linux system core supports more than 10 file system types: JFS, ReiserFS, Ext, Ext2, Ext3, ISO9660, XFS, Minx, MSDOS, UMSDOS, VFAT, NTFS, HPFS, NFS, SMB, SysV, PROC, etc.
Comparison of File System Security
From the perspective of Automatic repair of damaged file systems, both ext2 and ext3 can automatically repair damaged file systems. By default, the ext2 and ext3 file systems are "automatically inspected every 21 times of mounting the file system or every 180 days. In practice, ext2 and ext3 are at risk in automatic detection. Sometimes the file system enters the single-user mode after it is started, and the entire system is "thrown" into the lost + found directory, if you want to recover the system, you must use fsck to fix it. Of course, fsck also has risks. Therefore, you must be prepared for the use of ext2 and ext3 file systems; after all, it is difficult to repair damaged ext2 and ext3 file systems. In addition, ext2 and ext3 file systems may also cause file system damage due to accidental shutdown and power failure, therefore, during use, it must be a legal shutdown; for example, execute the poweroff command to shut down the machine.
From the perspective of the file system's reverse deletion, ext2 supports reverse deletion, which should be safe for general users, but may mean insecure for the confidential organization. There are two aspects to describe the security of the file system from the perspective of reverse deletion. If a user is engaged in confidential work, it is better to use ext3, because ext3 cannot be recovered once a file is deleted, because reverse deletion can restore the leakage of confidential data, therefore, ext3 may be more suitable for users engaged in confidential work.
New Ext4 File System
Ext4 is an important part of Linux kernel 2.6.28. It is a revolution in Linux file systems. In many aspects, the progress of Ext4 relative to Ext3 is far more than that of Ext3 relative to Ext2. The improvement of Ext3 over Ext2 mainly lies in the log, but Ext4 is more in-depth than Ext3, and is the optimization of the data structure of the file system. An efficient, excellent, reliable, and extremely distinctive file system was born. Currently, this file system is not widely used in all Linux distributions and is still in the initial testing stage.
Securely set file/Directory Access Permissions
In Linux, each file and directory has access permission to determine who can access and operate files and directories. The following describes the methods and commands for accessing files/directories.
File or directory access permissions are divided into read-only, write-only and executable. Taking a file as an example, the read-only permission indicates that only the content of the file can be read, and any changes to the file are prohibited. The write permission only allows any modifications to the file; the executable permission indicates that the file can be executed as a program. When a file is created, the file owner automatically has the read, write, and executable permissions for the file to facilitate reading and modifying the file. You can also set the access permission to any combination as needed.
There are three different types of users who can access files or directories: file owners, users in the same group and other users. The owner is generally the creator of the file. It allows users in the same group to access files, and grants the file access permission to other users in the system. In this case, every user in the system can access the files or directories owned by this user.
Each file or directory has three groups of access permissions. Each group is represented by three digits, which are the read, write, and execution permissions of the file owner; read, write, and execute permissions of users in the same group as the owner; read, write, and execute permissions of other users in the system (1 ). When you use the ls-l command to display detailed information about a file or directory, the leftmost column lists the file access permissions. For example:
The horizontal line indicates that the permission is null (that is, the permission is not granted ). R indicates read-only, w indicates write, and x indicates executable. Note: There are 10 locations in total. The file type is specified for 1st characters. In general, a directory is also a file. If the character 1st is a horizontal line, it indicates a non-directory file. If it is d, it indicates a directory. Each of the following nine characters is a group of three, indicating the access permissions of the file master, group users, and other users.
For example:
Indicates the file sobsrc. the access permission of tgz, which indicates sobsrc. tgz is a common file; sobsrc. the owner of tgz has the read and write permissions. users in the same group of tgz only have the read permission. Other users only have the read permission.
After determining the access permission for a file, you can use the chmod command provided by Linux to reset different access permissions. You can also use the chown command to change the owner of a file or directory.
▲Figure 1. File/Directory Access Permissions
1. Change the access permission of the file/directory
The chmod command is used to change the access permissions of files or directories. It is a very important system command. Users can control access to files or directories.
This command can be used in two ways. One is the text setting method that contains letters and operator expressions, and the other is the number setting method that contains numbers.
Text setting method
The text setting method is generally used in the format of chmod [who] [+ |-| =] [mode] file name. The operator can be any of the following letters or a combination of letters:
Indicates "user", that is, the owner of a file or directory.
Indicates "group users", that is, all users with the same group ID as the file owner.
Other users ".
All users ". It is the default value of the system.
The operation symbol can be:
Add a permission.
Cancel a permission.
Grant the given permission and cancel all other permissions (if any ).
Set the permissions indicated by mode to any combination of the following letters:
Readable.
Writable.
Executable. The x attribute is appended only when the target file is executable to some users or the target file is a directory.
During File Execution, set the owner or group ID of the process to the file owner of the file. In the format of "u + s" to set the user ID of the file, and "g + s" to set the group ID.
Save the program text to the switch device.
It has the same permissions as the file owner.
Users in the same group as file owners have the same permissions.
The same permissions as other users.
If multiple permission methods can be provided in a command line, separate them with commas. Figure 2 shows an example of using this setting method:
▲Figure 2. Example of chmod command text setting
First, set the attributes of file test1 to: Add execution permissions to the file owner (u); add execution permissions to users in the same group as the file owner (g); other users (o) add the execution permission. The command is:
Next, set the file test2 attribute to: Add write permissions to the file owner (u); add write permissions to users in the same group as the file owner (g); other users (o) delete the execution permission. The command is:
Finally, add the s permission to the executable file test3 so that the user who executes the file has the permissions of the file owner temporarily:
In the preceding example, when another user executes the test3 program, his identity will be temporarily changed to the owner of the test3 Program (because the s option is used in the chmod command ), so he can read the test3.c file (although this file is set to be not authorized by others). This is the function of s. In the whole system, especially the root itself, it is best not to set this type of files too much (unless necessary), so as to ensure the security of the system, avoid system intrusion due to bugs in some programs.
Number setting method
The number setting method is equivalent to the text setting method, but easier than the text setting method. The meaning of a number attribute is: 0 indicates no permission, 1 indicates executable permission, 2 indicates write permission, 4 indicates read permission, and then add it. Therefore, the format of the numeric attribute should be three Octal numbers from 0 to 7, in the order of (u), (g), and (o ). Others are basically the same as the text setting method.
If you want the owner of a file to have two types of permissions: "read/write", you need to set 4 (readable) + 2 (writable) to 6 (read/write ).
The general format of the number setting method is: chmod [mode] file name. Figure 3 shows an example of using the number setting method:
▲Figure 3. The number setting method of the chmod command
As you can see, in figure 3, the attributes of file test1 are set to: The file owner (u) has read and write permissions, and the user (g) in the same group has read permissions; others (o) have the read permission, and set the attribute of the file test2 to: The file owner (u) has the read, write, and executable permissions; the same as the file owner group (g) has the permission to read/execute; others (o) have no permission.
2. Change the ownership of the file/directory
This command is used to change the owner and group of a file or directory. For example, the root user copies a file to xu. To allow xu to access the file, the root user should set the owner of the file to xu. Otherwise, user xu cannot access this file.
The command is in the format of chown [Option] user or group file.
Chown is used to change the owner of a specified file to a specified user or group. Users can be user names or user IDs. A group can be a group name or group ID. Files are separated by spaces to change the permission list. Wildcards are supported. The options of this command are:
R:Recursively change the owner of all subdirectories and files under a specified directory.
V:Displays the work done by the chown command.
Figure 4 shows an example of using this command. The author changes the owner of the file test1 to super and sets the directory. the owner of/test_dir and all files and subdirectories under it is changed to super, and the group is changed to super.
Figure 4. chown command usage
3. Change the File Execution permission
Through the previous introduction, we know that every file in Linux has an owner, indicating who created the file. At the same time, the file also has a group number, indicating the group to which the file belongs, generally the group to which the file owner belongs. In addition, in general, we can also control operations on files by setting permissions.
In this case, if it is an executable file, the file generally only has the permission of the user who calls the file during execution. Setuid/setgid can be used to change this setting:
Setuid:Set to grant the file owner permissions during execution. A typical file is/usr/bin/passwd. If a common user executes the file, the file can obtain the root permission during execution, so that the user's password can be changed.
Setgid:This permission is only valid for directories. After the directory is set to this bit, any file created by the user in this directory has the same group as the group to which the directory belongs.
Stickybit: This bit can be understood as a non-delete bit. Whether a file can be deleted by a user depends on whether the group to which the file belongs has the write permission for the user. If you do not have the write permission, all files in this directory cannot be deleted or new files cannot be added. If you want to add files but cannot delete them at the same time. You can use the stickybit for the file. After this bit is set, j cannot delete the file even if the user has the write permission on the directory.
In the previous sections, we discussed how to set file/directory access permissions through text setting and number setting. In the same way, the following two methods are used to describe how to operate these labels. The operation marks are the same as the command for File Permission. They are all carried out using the chmod command:
Text setting method
Chmodu + sfilename: add the setuid flag to the file filename.
Chmodg + sdirname: add the setgid flag to the dirname directory.
Chmodo + tfilename: adds the sticky flag to the file filename.
Number setting method
For general files, three Octal numbers are used to set the flag, such as 444, 777, and 644. If these special signs are set, a group of Octal numbers is added before these numbers. Such as 4666 and 4777. The meanings of the three octal digits in this group are as follows:
Setuid bit: If this bit is 1 and displayed as "S", it indicates that setuid is set and displayed on the original x flag;
Setgid bit: If this bit is 1 and displayed as "S", it indicates setting setgid, which is displayed on the original x flag bit;
Sticky Bit: If this bit is 1 and displayed as "T", it indicates that sticky is set and displayed on the original x flag bit.
After setting these flags, you can run the ls-l command to view them. If these labels are available, they are displayed at the original execution mark position. As follows:
R-srw-r --: indicates that the setuid flag exists;
Rwxrwsrw-: indicates that the setgid flag exists;
Rwxrw-rwt: indicates that the sticky flag exists.
If there is x on this digit, these special signs are displayed as lowercase letters (s, s, t ). Otherwise, uppercase letters (S, S, T) are displayed ).
In addition, it is worth noting that, although the setuid/setgid mechanism is very convenient and practical, it increases the executor's permissions, which inevitably has many security risks and risks, therefore, the author does not agree with the wide range of readers. In the actual system management process, we often need to find out the files with these marks and check and clean them, in general, we can use the following command to search for files with special marks in the system:
Use additional properties to protect ext3 File System Security
1. Additional attributes in ext3
Starting from the Linux 1.1 series kernel, The ext2 file system supports additional tags or attributes for files and directories ). In kernels of the 2.2 and 2.4 series and their later versions, the ext3 file system supports setting and querying the following attributes (as shown in table 1 ):
▲Table 1. Attributes supported by the ext3 File System
Although the file system can accept and retain the flag indicating each attribute, these attributes are not necessarily valid, depending on the kernel and various application versions. Table 2 shows the attributes supported by each Linux kernel version:
OK: indicates that this flag can be set and the setting takes effect;
POK: this flag can be set but its value is ignored;
--: Indicates that the flag is ignored completely.
▲Table 2. Attributes supported by Linux kernel versions
From the preceding table, we can see that although earlier kernel versions support secure feature deletion, developers have abandoned the implementation of this feature since the kernel 1.3 series, because it seems to only improve security a little, and worse, it will create a security illusion for users who are not familiar with security deletion inheritance issues. When operating files with the attribute, the attribute can improve the performance. The S attribute maximizes file integrity.
Therefore, we will mainly discuss attributes a and I, because these two attributes are of great benefit to improve the security of the file system and ensure the integrity of the file system. Similarly, some open-source BSD systems (such as FreeBSD and OpenBSD) also support similar features in their UFS or FFS implementations.
2. Use the properties of the ext3 File System
In any case, the standard ls command does not have an extended attribute of a file or directory. The ext3 File System toolkit has two tools: chattr and lsattr. They are used to set and query file attributes. Because ext3 is a standard Linux File System, almost all releases have e2fsprogs toolkit. If this tool is not available in the system for some reason, you can download the source code of this toolkit from the following URL for compilation and installation: http://sourceforge.net/projects/e2fsprogs.
Lsattr command
The lsattr command only supports a few options. The options are as follows:
A: List all files in the directory, including files starting.
D: List directories in the same way as files and display their contents.
R: recursively lists the attributes and contents of a directory.
V: list file versions (used for network file system NFS ).
Chattr command
The chattr command can be executed in the following three ways:
Chattr + Sifilename: Add synchronization and immutable attributes to the file.
Chattr-aifilename: removes the append-only attributes and immutable attributes of the file.
Chattr = aiAfilenamet: Make the file only have attributes a, I, and.
Finally, each command supports the-R option to recursively operate directories and Their subdirectories.
3. Differences between ext3 attributes and File Permissions
Almost all system administrators understand the permissions and owner of Linux-style file systems and the display of ls commands, as shown in Figure 5:
▲Figure 5. ls Display Results
According to the ls output, these files belong to the user super, and the user group of super is super. Users of super and super user groups have the permission to modify files for test2 and test3, while other users only have the permission to read files for test1, test2, and test3. Figure 6 shows the output of the lsattr command compared with figure 5:
▲Figure 6. lsattr Display Results
The output shows that test2 can only be added, but the test1 file cannot be modified. In Linux, if a user logs on with the root permission, the permission control of the file system cannot impose any restrictions on the root user and the processes running with the root permission. In this way, for Linux operating systems, attackers can obtain root privileges through remote or local attacks, which may cause serious damage to the system. The ext3 file system can serve as the last line of defense to minimize the damage to the system and save the attacker's whereabouts. The ext3 attribute is checked and assigned by sys_open (), sys_truncate (), and other system calls. It is not affected by user identification numbers and other factors. In any case, it cannot be modified (immutable) any modification to the attribute file will fail, regardless of whether the file is modified by the root user.
However, another problem is that root users can modify files by deleting the I attribute. This kind of protection only adds a little trouble to attackers who have the root permission, and the security of the system has not been fundamentally improved.
In kernel versions earlier than 2.1, there is a security layer (securelevel) feature. The security layer can solve the above problem, because if the system's security layer is greater than 0, the kernel cannot modify the I attribute of any file. These versions of the kernel are controlled by the "kernel. securelevel" variable of the sysctl command. If the value of this variable is set to 1 or greater at startup, the kernel will not allow modifications to files with the I and a properties, unless the flag moves to the single user status. However, due to the introduction of more flexible kernel capabilities (kernelcapabilities), later kernels no longer support the security layer. Similar restrictions can be implemented using kernel capabilities. The tool lcap is used to query and adjust the kernel capability aggregation set (kernelcapabilitiesboundingset ). Add the following command to the startup script to implement protection for files with the I and a properties:
The first command deletes the capability of any user (including the Super User) to modify the I flag. The second command deletes the original access (rawaccess) capability of any user (mainly for superusers) to block devices, preventing some skilled attackers from directly modifying the immutable domain of the file system index node. BTW: when the system is started, CAP_SYS_RAWIO capability should be deleted directly, which is a great potential threat. After attackers obtain super user permissions, they can directly modify the kernel memory through the/dev/kmem device. In this way, the kernel capability clustering set (kernelcapabilitiesbounding) of the system can be damaged ). If there are no parameters, the kernel support capabilities and the currently effective kernel capabilities are listed. Once a kernel capability is deleted, the capacity limit can be deleted only when the system restarts and enters the single-user mode.
Use chattr
Linux Hosts are directly exposed to the Internet or in other dangerous environments. There are many shell accounts or network services such as HTTP and FTP. The following command should be used after the installation and configuration is complete:
If you rarely add, change, or delete an account, setting/home to the immutable attribute will not cause any problems. In many cases, the entire/usr directory tree should also have unchangeable attributes. In fact, in addition to the chattr-R + ii/usr/command for the/usr directory, you can also use the ro option in the/etc/fstab file, load the partition of the/usr directory in read-only mode. In addition, setting the system log file to only append-only makes it impossible for intruders to erase their traces. Of course, if you use this security measure, you need the system administrator to modify the management mode.
Because software management programs need to add and delete certain files and directories, you need to delete the immutable and append-only attributes of some directories and files before installing and upgrading the software. For Linux systems, the rpm management software package is generally used. You can run the following command to view the files of the software package to be installed or upgraded:
Remove the immutable and append-only attributes related to directories and files. Most software packages require rpm commands to write one or more of the following directories
It is worth noting that if you need to upgrade/usr/sbin/someprogram, you should remove the someprogram file and the immutable attribute of the directory/usr/sbin.Use Encrypted File System (EFS)
The following describes how to use dm-crypt to create an encrypted file system. Compared with other methods for creating an encrypted file system, the dm-crypt system has unparalleled advantages: it is faster and easier to use. In addition, it is widely used and can run on a variety of Block devices, even if these devices use RAID and LVM, there is no obstacle. The dm-crypt system has these advantages mainly because the technology is based on the device-mapper feature of the kernel version 2.6. Device-mapper is designed to provide a general and flexible method for adding a virtual layer to an actual block device to facilitate developers to process images, snapshots, cascading and encryption. In addition, dm-crypt uses the kernel password Application Programming Interface to implement transparent encryption and is compatible with the cryptloop system.
1. kernel preparation
Dm-crypt uses the kernel's Cryptographic Application Programming Interface to complete password operations. Generally, the kernel usually loads various encryption programs in the form of modules. For AES, its security strength is already very high, even if it is used to protect top-secret data. To ensure that the user's kernel has loaded the AES password module, check according to the command shown in Figure 7:
▲Figure 7. Check whether the AES module is successfully loaded
Otherwise, you can use modprobe to manually load the AES module. The command is as follows:
Next, install the dmsetup package, which contains the tools required to configure device-mapper, as shown in the following command:
To check whether the device image program has been established in the dmsetup package, type the following command:
Then, run the following command to load the dm-crypt kernel module:
After dm-crypt is loaded, it is automatically registered with evice-mapper. If you perform another test, device-mapper can recognize dm-crypt and add crypt as an available object. After performing the preceding steps, you can view the following output of crypt according to the following command, as shown in Figure 8:
▲Figure 8. The encrypted device is successfully loaded.
This indicates that the system is ready to load the encryption device. Next, we will first create an encryption device.
2. Create an encryption device
To create a file system loaded as an encrypted device, you have two options: Create a disk image and load it as a return device; and use a physical device. In either case, except for the creation and bundling of delivery devices, other operations are similar.
3. Create a mirror for the send back Disk
If you do not have a physical device (such as a storage stick or another disk partition) for encryption, you can use the command dd to create an empty disk image, then, the image is loaded as a return device and can still be used. We will introduce the following example:
Here we create a disk image of MB, which is named virtual. img. To change its size, you can change the value of count.
Next, we use the losetup command to associate the image with a delivery device:
Now we have a virtual block device, which is located at/dev/loop0 and can be used just like other devices.
4. Set Block devices
Prepare physical block devices (such as/dev/hda1), or virtual block devices (such as the previous delivery image, and use device-mapper to load the encrypted logical volume), we can configure the block device.
The following uses cryptsetup to create a logical volume and bind it with the block device:
Ly_EFS is the name of the new logical volume. The last device_name parameter must be the block device that will be used as the encrypted volume. Therefore, to use the previously created image as a virtual block device, run the following command:
Whether it is a physical block device or a virtual block device, the program requires the password of the logical volume.-y is used to enter the password twice to ensure that it is correct. This is important because once the password is wrong, the data will be locked, as shown in Figure 9:
▲Figure 9. Enter the EFS password. to confirm whether the logical volume has been created, run the following command to check the password:
As long as the command lists the logical volumes, it indicates that the logical volumes have been successfully created. However, depending on the machine, the device number may be different, as shown in 10:
▲Figure 10. The created logical volume is displayed.
Device-mapper will load its virtual device to/dev/mapper. Therefore, your virtual block device should be/dev/mapper/ly_EFS, although it is no different from other Block devices, it is actually transparent and encrypted.
Like a physical device, you can also create a file system on a virtual device:
Create a mount point for the new virtual block device and load it. The command is as follows:
You can use the following command to view the information after loading, as shown in 11:
▲Figure 11. display after EFS is loaded successfully
After completing the preceding steps, the user can see that the mounted file system, although seemingly identical to other file systems, actually writes all data under/mnt/ly_EFS, data is written to the disk only after transparent encryption. Therefore, the data read from the disk is ciphertext.
5. Uninstall the encryption device
To uninstall the encrypted file system, there is no difference between the two methods:
Even if a block device has been uninstalled, it is still considered as a virtual device in dm-crypt. If you do not believe this, you can run the command dmsetupls shown in 10 again to verify that the device is still listed. Because dm-crypt caches the password, other users on the machine can reload the device without knowing the password. To avoid this, you must explicitly Delete the device from dm-crypt After detaching the device. The command is as follows:
After that, it will be completely cleared. to load it again, you must enter the password again.
6. Reload the encryption device
After you detach an encrypted device, you may need to load it as a common user. To simplify this process, add the following content to the/etc/fstab file:
In addition, you can also create a script for the dm-crypt device and load the volume for us, the method is to replace/dev/DEVICENAME with the actual device name or file path:
If you are using a send-back device, you can also use the script to bind the device. The script is as follows:
7. Use EFS during Linux Installation
The above describes how to use dm-crypt to create an encrypted file system. For novice users, this process may be complicated and hard to understand. This section describes how to use an EFS file system. Taking the installation steps of Fedora10 as an example, you can select relevant options for installation.
You can create a new partition in the free space, select a partition for editing, and delete some partitions. In Figure 12, select the [Encrypted File System] Option and enter the password required to access EFS according to the system requirements, as shown in Figure 13. Next, follow the instructions in Chapter 3rd to install the system. After the system is successfully installed, you have a secure encrypted file system, and every time you log on to the system, the system requires you to enter the password set in Step 13 for secure access.
▲Figure 12. Select the [encryption system (E)] Option during installation
▲Figure 13. Enter the password required by EFS