Comprehensive Guide to Linux File System Security

November 20, 2024
Tags: Linux Security, Server Hardening, File System Security

🛡️ Introduction

In modern computing environments, Linux remains a dominant operating system for servers and embedded systems. As such, ensuring the security of its file system is crucial. This blog post provides a comprehensive guide to Linux file system security, covering essential topics such as file permissions, special modes, Access Control Lists (ACLs), file attributes, and rootkit detection and prevention.

🔐 File and Directory Permissions

Linux uses permission bits to control access to files and directories:

  • r: read
  • w: write
  • x: execute

Each file has three sets of these permissions: for the owner, the group, and others.


🧰 Special Permissions

📛 Setuid (Set User ID)

  • When executed, the process runs with the file owner's UID.
  • Example: /usr/bin/passwd uses setuid to allow normal users to change passwords.
chmod u+s /path/to/file
chmod 4755 /path/to/file

📛 Setgid (Set Group ID)

  • When executed, runs with the file's group ID.
  • On directories, new files inherit the directory's group.
chmod g+s /path/to/file
chmod 2755 /path/to/file

📛 Sticky Bit

  • Applied to directories (like /tmp) to allow only owners to delete their files.
chmod o+t /path/to/directory
chmod 1777 /path/to/directory

🔍 Finding Files with Special Permissions

# Setuid
find / -perm /4000 -ls

# Setgid
find / -perm /2000 -ls

⚠️ Permission Best Practices

  • Avoid making setuid files writable: use -rwsr-xr-x instead of -rwsrwxrwx.
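The audit below is an added example, not part of the original post: it combines the find(1) searches above with the best-practice rule, reporting setuid/setgid files that are also group- or world-writable and showing the one-line remediation. It assumes GNU find and GNU stat (for -perm /MODE and stat -c); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree for
# setuid/setgid files that are also group- or world-writable, the unsafe
# combination (-rwsrwxrwx) called out in the best-practice section.
# Assumes GNU find(1) and GNU stat(1).

# Print every setuid or setgid regular file under $1 that is group- or
# world-writable, one per line as "OCTAL_MODE PATH".
audit_special_writable() {
    root="$1"
    # -xdev       : stay on one filesystem (do not descend into /proc, NFS, ...)
    # -type f     : skip directories; setgid + group-write is normal for
    #               shared project directories, but not for executables
    # -perm /6000 : setuid (4000) OR setgid (2000) is set
    # -perm /022  : group-write (020) OR other-write (002) is set
    find "$root" -xdev -type f -perm /6000 -perm /022 \
        -exec stat -c '%a %n' {} + 2>/dev/null
}

# Remediate one finding: drop group/other write while keeping the special
# bit and the owner's permissions (4777 -> 4755, -rwsrwxrwx -> -rwsr-xr-x).
harden_special_file() {
    chmod go-w "$1"
}

# Stand-alone use: audit each directory given on the command line.
if [ "$#" -gt 0 ]; then
    for dir in "$@"; do
        audit_special_writable "$dir"
    done
fi
```

Run it as ./audit.sh / (as a user able to read the whole tree); an empty result means no setuid/setgid file on that filesystem is writable by group or others.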

🧬 File Attributes (xattr)

Linux file systems like ext4, XFS, and Btrfs support extended attributes.

📌 Immutable (i)

  • File cannot be modified, deleted, renamed, or hard linked.

➕ Append Only (a)

  • Prevents modification but allows new content to be appended.

🔧 Manage Attributes

# View attributes
lsattr /path/to/file

# Set append-only
chattr +a /path/to/file

# Set immutable
chattr +i /path/to/file

# Remove all
chattr -a -i /path/to/file

🛂 Access Control Lists (ACLs)

ACLs allow fine-grained file permissions beyond the standard user/group/others model.

✍️ Setting ACLs

# Set ACL for user
setfacl -m u:username:rwx file

# Set ACL for group
setfacl -m g:groupname:rw file

# Set default ACL on directory
setfacl -m d:g:groupname:rw directory

📖 Viewing ACLs

getfacl filename

❌ Removing ACLs

setfacl -x u:username file
setfacl -b file  # Remove all ACLs

🕵️‍♂️ Rootkits

Rootkits are malicious software designed to hide their presence and gain root access.

Types

  • User space rootkits: Replace user commands like ls, ps, netstat.
  • Kernel space rootkits: Modify kernel memory and modules.

🔍 Detection Tools

  • chkrootkit
  • rkhunter
  • OSSEC (HIDS)

🚫 Removal

  • Reinstallation from trusted media is the safest option.
  • Keep a backup and monitor for recurring indicators.

✅ Conclusion

Linux file system security is a multi-layered discipline involving permissions, special attributes, ACLs, and proactive detection of threats like rootkits. Applying these principles helps maintain system integrity and minimize security risks in production environments.