Improve ext3 File System Security with chattr

Source: Internet
Author: User
Article Title: Improve the security of the ext3 file system with chattr.
This article describes in detail how to use this feature to protect the security of the EXT3 file system.
  
   1. What are ext3 attributes?
Starting with the Linux 1.1 series kernels, the ext2 file system has supported additional flags, or attributes, on files and directories. In the 2.2 and 2.4 series kernels, the ext3 file system supports setting and querying the following attributes:
  
A
No atime. Tells the system not to update the last access time of this file.

S
Synchronous. Whenever an application writes to the file, the system immediately writes the modification to disk.

a
Append only. The system only allows data to be appended to the file; no process may overwrite or truncate it. On a directory, this attribute allows files under the directory to be created and modified, but not deleted.

i
Immutable. The system does not allow any modification of this file. On a directory, processes may only modify the existing files under it; creating or deleting files is not allowed.

d
No dump. During a file system backup, the dump program ignores this file.

c
Compressed. The system compresses the file transparently: data read from the file is decompressed on the way out, and data written to it is compressed before being written to disk.

s
Secure deletion. When the file is deleted, the system overwrites its blocks with zeros.

u
Undeletable. When an application asks to delete this file, the system keeps its data blocks so that the file can be recovered later.
  
However, although the file system accepts and stores the flag for each attribute, the attributes are not necessarily enforced; that depends on the kernel and on the versions of the various applications. The following table shows which attribute flags each kernel version supports:
  
*  the flag can be set and takes effect
I  the flag can be set, but its value is ignored
-  the flag is ignored completely

Flag   1.0  1.2  2.0  2.2  2.4
A       -    -    *    *    *
S       *    *    *    *    *
a       -    *    *    *    *
i       -    *    *    *    *
d       -    *    *    *    *
c       I    I    I    I    I
s       *    *    I    I    I
u       I    I    I    I    I
  
Although earlier kernels supported the secure deletion attribute, the developers dropped its implementation starting with the 1.3 series kernels, because it offered only a marginal security gain and, worse, gave users unfamiliar with the inherent problems of secure deletion a false sense of security.
  
The A attribute can improve performance when operating on files, because the kernel no longer has to update the access time. The S attribute maximizes file integrity.
  
This article mainly discusses the a and i attributes, because these two are of great benefit to the security and integrity of the file system. Some open-source BSD systems (such as FreeBSD and OpenBSD) support similar features in their UFS or FFS implementations.
  
   2. Which commands set and display ext3 file system attributes?
The standard ls command does not display the extended attributes of a file or directory. The ext3 file system toolkit provides two tools, chattr and lsattr, for setting and querying file attributes. Because ext3 is the standard Linux file system, almost every distribution ships the e2fsprogs package. If for some reason it is not installed, the source code of the toolkit can be downloaded, compiled and installed from http://sourceforge.net/projects/e2fsprogs
  
The lsattr command supports only a few options:

-a
List all files in the directory, including those whose names start with a dot.

-d
List directories like other files, instead of listing their contents.

-R
Recursively list the attributes of directories and their contents.

-v
List the file's version (generation number, used by the network file system NFS).
  
The chattr command can be used in the following three ways:

chattr +Si test.txt
Add the synchronous (S) and immutable (i) attributes to test.txt.

chattr -ai test.txt
Remove the append-only and immutable attributes from the file.

chattr =aiA test.txt
Make test.txt have exactly the attributes a, i and A.

Finally, each command supports the -R option for operating recursively on directories and their subdirectories.
  
   3. Differences between ext3 attributes and File Permissions
Almost every system administrator understands UNIX-style file system permissions and ownership, and how the ls command displays them. For example:
  
[root@typhoid nixe0n]# ls -al test*
-rw-r--r--   1 nixe0n users 0 Nov 17 17:02 test.conf
-rw-r--r--   1 nixe0n users 0 Nov 17 17:02 test.log
-rw-r--r--   1 nixe0n users 0 Nov 16 :41 test.txt
  
According to the ls output, these files belong to the user nixe0n, whose group is users. The user nixe0n and the members of the users group may modify the files, while other users may only read them. The output of the lsattr command is as follows:
  
[root@typhoid nixe0n]# lsattr -a test*
---i-------- test.conf
----a------- test.log
------------ test.txt
  
The output shows that test.log can only be appended to, while test.conf cannot be modified at all. On UNIX systems, once a user is logged in as root, the file system's permission checks impose no restrictions on the root user or on processes running with root privileges. Consequently, an attacker who gains root privileges through a remote or local attack can do serious damage to the system. The ext2 attributes can serve as a last line of defense that minimizes the damage and preserves the traces of the attacker's activity. The attributes are checked and enforced by sys_open(), sys_truncate() and other system calls, independently of the user ID or any other factor. Any attempt to modify an immutable file fails, regardless of whether the root user or another user attempts it.
  
There is, however, another problem: the root user can simply remove the i attribute and then modify the file. This protection therefore only adds a little inconvenience for an attacker who already has root privileges and does not fundamentally improve the system's security.
  
Kernel versions before 2.1 had a securelevel feature that solves this problem: when the system's securelevel is greater than 0, the kernel does not allow the i attribute of any file to be changed. In those kernels it is controlled by the kernel.securelevel sysctl variable. If this variable is set to 1 or higher at startup, the kernel refuses any modification of files carrying the i and a attributes until the system is brought back to single-user mode.
  
Later kernels no longer support securelevel, because the more flexible kernel capabilities were introduced in its place. Similar restrictions can be implemented with capabilities. The tool lcap queries and adjusts the kernel capabilities bounding set. Adding the following commands to the startup scripts protects files carrying the i and a attributes:
  
lcap CAP_LINUX_IMMUTABLE
lcap CAP_SYS_RAWIO
  
The first command removes, from every user including the superuser, the capability to change the i flag. The second removes raw access to block devices (which mainly concerns the superuser), so that a skilled attacker cannot bypass the attribute by editing the immutable field of the file system inode directly on disk. CAP_SYS_RAWIO should be removed at boot in any case: it is a major potential threat, because an attacker who has obtained superuser privileges can use it to modify kernel memory directly through the /dev/kmem device and thereby defeat the capabilities bounding set. Run without arguments, lcap lists the capabilities the kernel supports and those currently in effect.
  
Once a capability has been removed from the bounding set, the restriction can only be lifted by rebooting the system and entering single-user mode.
  
Interested readers can learn more about capabilities from the following link:
  
LCAP - Linux Kernel Capabilities Bounding Set Editor
http://pw1.netcom.com/~spoon/lcap/
  
   4. How should chattr be used?
On a host that is directly exposed to the Internet or sits in another hostile environment, with many shell accounts or network services such as HTTP and FTP, the following commands should generally be run once installation and configuration are complete:
  
chattr -R +i /bin /boot /etc /lib /sbin
chattr -R +i /usr/bin /usr/include /usr/lib /usr/sbin
chattr +a /var/log/messages /var/log/secure (...)
  
If accounts are rarely added, changed or deleted, making /home immutable will not cause any problems. In many cases the whole /usr directory tree should be immutable as well. Besides running chattr -R +i /usr on the /usr directory, the partition holding /usr can be mounted read-only with the ro option in /etc/fstab. Finally, making the system log files append-only prevents an intruder from erasing their traces.
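Attributes set this way can be removed again by anyone who gains root, so the hardening should be re-checked regularly. The following audit script is an added example, not part of the original article: it parses lsattr output and reports paths that lack an expected flag, using constructed sample lines (the paths and the missing flags are made up for the demonstration).

```shell
#!/bin/sh
# Added example (not from the original article): audit lsattr output for
# files that are missing an expected attribute flag.
#
# lsattr prints one line per file: a flag field such as "----i--------"
# followed by a space and the path. The column of each letter varies
# between e2fsprogs versions, so the letter is looked for anywhere in the
# flag field rather than at a fixed position.

# missing_flag FLAG  -- read lsattr lines on stdin and print the paths whose
# flag field does not contain FLAG, e.g.: lsattr -R /bin | missing_flag i
missing_flag() {
    awk -v f="$1" '
        NF >= 2 {
            attrs = $1
            # the path may contain spaces: take everything after field 1
            path = substr($0, length(attrs) + 2)
            if (index(attrs, f) == 0) print path
        }'
}

# audit_tree FLAG DIR  -- the same check on a real directory tree (requires
# an ext2/3/4 file system); lsattr errors such as "Operation not supported"
# on other file systems are discarded.
audit_tree() {
    lsattr -R "$2" 2>/dev/null | missing_flag "$1"
}

# Constructed sample output in the format lsattr -R produces, standing in
# for a host where /usr/sbin/sshd lost its immutable bit and one log file
# was never made append-only.
SAMPLE_BIN='----i-------- /usr/sbin/sshd-keygen
------------- /usr/sbin/sshd
----i-------- /usr/sbin/useradd'
SAMPLE_LOG='-----a------- /var/log/messages
------------- /var/log/secure'

# Wrapped in functions so the findings can be checked, not only printed.
bin_findings() { printf '%s\n' "$SAMPLE_BIN" | missing_flag i; }
log_findings() { printf '%s\n' "$SAMPLE_LOG" | missing_flag a; }

echo "binaries missing i:"; bin_findings
echo "logs missing a:";     log_findings
```

Run the same check from cron against the directories hardened above (audit_tree i /usr/sbin, audit_tree a /var/log) and treat any output as a sign that the attributes were tampered with.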
  
Of course, adopting this security measure requires the system administrator to change the way the system is administered.
  
4.1. Installing and upgrading software
  
Because package management programs need to add and delete certain files and directories, the immutable and append-only attributes must be removed from the affected directories and files before installing or upgrading software. On Linux systems, packages are generally managed with rpm. The following command shows which files a package to be installed or upgraded contains:

rpm -qipl foopackage.rpm
  
Then remove the immutable and append-only attributes from the directories and files involved. Most packages require rpm to write to one or more of the following directories:
  
/bin
/sbin
/usr/bin
/usr/sbin
/usr/man
/lib
/etc
  
Note: to upgrade /usr/sbin/someprogram, the immutable attribute must be removed from both the someprogram file and the /usr/sbin directory.
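The upgrade procedure above (list the package contents, unlock the files and their directories, upgrade, lock again) can be scripted so the immutable attribute is off only for the duration of the upgrade. This is an added example, not the article's own code; it assumes rpm -qpl prints one absolute path per line, and the package contents shown are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): compute which paths must
# be made mutable before an rpm upgrade, then wrap the upgrade so that the
# i attribute is removed only for that window and restored afterwards.

# unlock_set < file-list  -- print each file plus its parent directory,
# deduplicated: both the file and the directory holding it must lose the
# i attribute before rpm can replace the file (see the note above).
# Lines not starting with "/" (e.g. the header of rpm -qipl) are ignored.
unlock_set() {
    awk '
        /^\// {
            print $0
            dir = $0
            sub(/\/[^\/]*$/, "", dir)   # strip the last path component
            if (dir == "") dir = "/"
            print dir
        }' | LC_ALL=C sort -u
}

# upgrade_with_unlock PKG.rpm  -- the real wrapper; needs root and rpm.
# chattr errors for files that do not exist yet (new files in the package)
# or that the upgrade removed are discarded; the directory entries are
# what matters for those.
upgrade_with_unlock() {
    pkg="$1"
    paths=$(rpm -qpl "$pkg" | unlock_set)
    printf '%s\n' "$paths" | xargs -r chattr -i 2>/dev/null
    if rpm -U "$pkg"; then status=0; else status=$?; fi
    printf '%s\n' "$paths" | xargs -r chattr +i 2>/dev/null
    return $status
}

# Constructed sample standing in for the output of `rpm -qpl foopackage.rpm`.
SAMPLE_LIST='/usr/sbin/someprogram
/usr/sbin/someprogram-helper
/etc/someprogram.conf
/usr/man/man8/someprogram.8'

sample_unlock_set() { printf '%s\n' "$SAMPLE_LIST" | unlock_set; }
sample_unlock_set
```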
  
4.2. Managing users and user groups

For managing users and user groups, the following directories and files must be readable and writable: