2025-01-20 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to modify the permissions and security settings of the file system in Linux. The explanation is simple and clear and easy to follow, so read along with the editor to learn how it is done.
1. Lock the important files of the system
System administrators sometimes find that a file cannot be modified or deleted even as root; in most cases this is because the file has been locked. The command that locks a file under Linux is chattr, which modifies file attributes on the ext2, ext3 and ext4 file systems and must be run by the superuser root. Its counterpart is lsattr, which queries file attributes.
Modifying the attributes of a file or directory with chattr can improve the security of the system. The usage of chattr and lsattr is briefly introduced below.
The syntax of the chattr command is as follows:
chattr [-RV] [-v version] [mode] file or directory
The main parameters are:
-R: recursively modify all files and subdirectories.
-V: display the changes in detail.
The mode part controls the attributes of the file. The common parameters are:
+ : add the given attributes to the existing setting
- : remove the given attributes from the existing setting
= : set the attributes to exactly the given ones
a : append only. After this attribute is set, data can only be appended to the file and nothing in it can be deleted. It is often used to protect server log files. Only the root user can set this attribute.
c : compressed. The file is compressed before it is stored and automatically decompressed when it is read.
i : immutable. The file cannot be modified, deleted, renamed or linked, and no content can be written or appended to it. This attribute is of great help to the security of the file system.
s : secure deletion. When the file or directory is deleted, its blocks on disk are overwritten so the space is fully reclaimed.
u : the opposite of s. When set, the system keeps the data blocks of a deleted file so that it can be undeleted later.
Of these, a and i are the most commonly used. a is often applied to server log files; i is stricter and allows no operation on the file at all, even by the root user.
lsattr queries file attributes. Its usage is simple, with the following syntax:
lsattr [-adlRvV] file or directory
The common parameters are:
-a : list all files in the directory, including those whose names begin with a dot
-d : display the attributes of the directory itself rather than of its contents
-R : recursively list the attributes of all files and subdirectories
-v : display the version of the file or directory
In Linux systems, if a user logs in as root or a process runs with root privileges, its permissions are no longer restricted. It would therefore be a disaster for an attacker to gain root privileges through a remote or local attack. In that case the file system is the last line of defense for system security, and reasonable attribute settings can minimize the damage an attacker can do. Locking important system files and directories with chattr is the most direct and effective way to protect file system security.
You can add the i attribute to some important directories and files. Common ones are:
chattr -R +i /bin /boot /lib /sbin
chattr -R +i /usr/bin /usr/include /usr/lib /usr/sbin
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/hosts
chattr +i /etc/resolv.conf
chattr +i /etc/fstab
chattr +i /etc/sudoers
You can add the a attribute to some important log files. Common ones are:
chattr +a /var/log/messages
chattr +a /var/log/wtmp
Locking important files improves server security, but it also brings some inconvenience. For example, the immutable and append-only attributes may have to be removed from directories and files when software is installed or upgraded, and setting the append-only attribute on log files may prevent log rotation (logrotate) from working. Before using chattr, weigh whether the immutable and append-only attributes suit the server's application environment.
In addition, although chattr can improve the security of the file system, it is not suitable for every directory. Directories such as /, /dev, /tmp and /var cannot be protected with chattr.
The root directory cannot be made immutable, because the system would then not work at all. During startup, syslog needs to delete and re-create the /dev/log socket under /dev, which can fail if /dev is immutable. Many applications and system programs create temporary files under /tmp, so it cannot be immutable either. /var holds the logs of the system and its programs; if it were immutable, no log could be written. None of these directories can therefore be protected with chattr.
Although /dev, /tmp and similar directories cannot be protected with chattr, there are other ways to secure them, described in more detail later in this article.
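An added audit helper (written for this article, not code from the original) that compares lsattr output with the attributes recommended above and reports each file that is missing its expected flag or was never listed; the lsattr lines are constructed, and the function assumes the attribute field comes first and the path second, as lsattr prints them:

```shell
#!/bin/sh
# Added helper, not from the original article. Compares lsattr output with a
# list of expected attributes and prints one line per mismatch.
# Usage: lsattr /etc/passwd /etc/shadow ... | audit_attrs "<spec>"
# where <spec> is "path:flag,path:flag" and flag is i (immutable) or a (append-only).
audit_attrs() {
    awk -v spec="$1" '
        BEGIN {
            n = split(spec, items, ",")
            for (k = 1; k <= n; k++) {
                split(items[k], kv, ":")
                want[kv[1]] = kv[2]          # expected flag letter per path
            }
        }
        NF >= 2 && ($2 in want) {
            # $1 is the attribute field, e.g. "----i---------e-------"
            if (index($1, want[$2]) == 0)
                printf "%s missing +%s\n", $2, want[$2]
            delete want[$2]
        }
        END {
            # anything left was never listed, so it was never verified
            for (p in want) printf "%s not in lsattr output\n", p
        }' | sort
}

# Constructed sample of lsattr output (not captured from a real host).
SAMPLE_LSATTR='----i---------e------- /etc/passwd
--------------e------- /etc/shadow
-----a--------e------- /var/log/messages
----i---------e------- /var/log/wtmp'

# Expectations taken from the chattr commands above.
SPEC='/etc/passwd:i,/etc/shadow:i,/etc/sudoers:i,/var/log/messages:a,/var/log/wtmp:a'

run_sample_audit() {
    printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs "$SPEC"
}

run_sample_audit
```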
2. Inspection and modification of file permissions
Incorrect permission settings directly threaten the security of the system, so administrators should be able to find such settings in time and correct them immediately. Here are several ways to find unsafe permissions on the system.
(1) Find files or directories that any user has write access to.
Search for files:
find / -type f \( -perm -2 -o -perm -20 \) | xargs ls -al
Search for directories:
find / -type d \( -perm -2 -o -perm -20 \) | xargs ls -ld
(2) Find all programs in the system that have the s bit set:
find / -type f \( -perm -4000 -o -perm -2000 \) -print | xargs ls -al
Programs with s bit permissions pose a great threat to system security. By finding all programs with the s bit, unnecessary s bit programs can be removed, which prevents users from abusing them to escalate privileges.
(3) Record all suid and sgid files in the system:
find / -user root -perm -2000 -print -exec md5sum {} \;
find / -user root -perm -4000 -print -exec md5sum {} \;
Save the results to a file, which can serve as a reference in future system checks.
(4) Find files in the system that have no owner:
find / -nouser -o -nogroup
Orphan files without an owner are dangerous and often become tools for attackers, so after finding them either delete them or change their owner so that they are in a secure state.
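An added example (not from the original article) that runs the find checks of steps (1) and (2) against a constructed directory tree instead of /, so the result can be verified without root; the file names are invented, and the -nouser check of step (4) is left out because unowned files cannot be created without root:

```shell
#!/bin/sh
# Added example, not from the original article: run the find checks of this
# section on a constructed tree instead of /. The parentheses matter: without
# them "-type f -perm -2 -o -perm -20" is parsed as
# "(-type f -and -perm -2) -or -perm -20", because -and binds tighter than -or,
# so group-writable directories would be listed as well.
build_sample_tree() {
    # $1 = root of the constructed tree; every mode is set explicitly so the
    # result does not depend on the caller's umask
    mkdir -p "$1/bin" "$1/home/user/drop" "$1/var/log"
    chmod 755 "$1/bin" "$1/home" "$1/home/user" "$1/var" "$1/var/log"
    printf '#!/bin/sh\n' > "$1/bin/su_like"
    chmod 4755 "$1/bin/su_like"          # setuid program
    : > "$1/bin/sg_like"
    chmod 2755 "$1/bin/sg_like"          # setgid program
    : > "$1/bin/ls_like"
    chmod 755 "$1/bin/ls_like"           # ordinary program
    : > "$1/home/user/notes"
    chmod 666 "$1/home/user/notes"       # world-writable file
    : > "$1/var/log/app.log"
    chmod 664 "$1/var/log/app.log"       # group-writable file
    chmod 775 "$1/home/user/drop"        # group-writable directory
}

# (1) files that group or others can write to
writable_files() { find "$1" -type f \( -perm -2 -o -perm -20 \) | sort; }

# (1) directories that group or others can write to
writable_dirs() { find "$1" -type d \( -perm -2 -o -perm -20 \) | sort; }

# (2) programs carrying the setuid or setgid bit
s_bit_files() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort; }

count_lines() { wc -l | tr -d ' '; }

# Build the tree in a scratch directory, run the scans and report the counts.
run_sample_scan() {
    tmp=$(mktemp -d) || return 1
    build_sample_tree "$tmp"
    f=$(writable_files "$tmp" | count_lines)
    d=$(writable_dirs "$tmp" | count_lines)
    s=$(s_bit_files "$tmp" | count_lines)
    rm -rf "$tmp"
    echo "writable_files=$f writable_dirs=$d sbit_files=$s"
}

run_sample_scan
```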
3. /tmp, /var/tmp and /dev/shm security settings
In Linux systems there are two main directories or partitions for temporary files, /tmp and /var/tmp. What they have in common is that every user can read, write and execute in them, which leaves a security risk: an attacker can place virus or Trojan scripts in the temporary directory for information gathering or disguise, seriously affecting the security of the server. Yet simply changing the read, write and execute permissions of the temporary directories may break applications on the system, so striking a balance requires special settings for these two directories or partitions.
/dev/shm is the shared memory device under Linux. When Linux starts, the system mounts /dev/shm by default using the tmpfs file system, which is an in-memory file system. Data stored in tmpfs resides entirely in RAM, so system memory can be manipulated directly through /dev/shm, which is very dangerous. Ensuring the security of /dev/shm is therefore also very important.
The security settings for /tmp depend on whether /tmp is a separate disk partition or a directory under the root partition. If /tmp is a separate partition, the setup is very simple: modify the mount options of the /tmp partition in /etc/fstab and add the nosuid, noexec and nodev options. The modified entry for the /tmp partition looks similar to the following:
LABEL=/tmp /tmp ext3 rw,nosuid,noexec,nodev 0 0
The nosuid, noexec and nodev options mean that no suid programs are allowed, no scripts or other programs can be executed in this partition, and no device files are allowed.
After the mount options are set, re-mount the /tmp partition so that the settings take effect.
For /var/tmp, if it is a separate partition, the method is the same as for /tmp: modify /etc/fstab. If it is a directory under the /var partition, move all data under /var/tmp to the /tmp partition, remove the now-empty directory and create a symbolic link to /tmp under /var, as follows:
[root@server ~]# mv /var/tmp/* /tmp
[root@server ~]# rmdir /var/tmp
[root@server ~]# ln -s /tmp /var/tmp
If /tmp is a directory under the root directory, the setup is a little more complicated. You can create a loopback file system, use the loopback feature of the Linux kernel to mount it on /tmp, and specify the restrictive mount options when mounting. A simple example:
[root@server ~]# dd if=/dev/zero of=/dev/tmpfs bs=1M count=10000
[root@server ~]# mke2fs -j /dev/tmpfs
[root@server ~]# cp -av /tmp /tmp.old
[root@server ~]# mount -o loop,noexec,nosuid,rw /dev/tmpfs /tmp
[root@server ~]# chmod 1777 /tmp
[root@server ~]# mv -f /tmp.old/* /tmp/
[root@server ~]# rm -rf /tmp.old
Finally, edit /etc/fstab and add the following line so that the loopback file system is mounted automatically at startup:
/dev/tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0
To verify that the restrictive mount options took effect, create a shell script in the /tmp partition and try to run it:
[root@tc193 tmp]# ls -al | grep shell
-rwxr-xr-x 1 root root 22 Oct 6 14:58 shell-test.sh
[root@server ~]# pwd
/tmp
[root@tc193 tmp]# ./shell-test.sh
-bash: ./shell-test.sh: Permission denied
Although the file has the executable bit set, nothing can be executed from the /tmp partition.
Finally, modify the security settings of /dev/shm. Since /dev/shm is a shared memory device, this is also done through /etc/fstab. By default /dev/shm is mounted with the defaults option, which is not enough to ensure its security. Modify the mount attributes of /dev/shm as follows:
tmpfs /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
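An added check (not from the original article) that parses fstab text and reports which of the mount options set in this section are missing for /tmp, /var/tmp and /dev/shm; the fstab content is constructed, using the article's loopback entry for /tmp (which sets nosuid and noexec but not nodev) and the stock defaults entry for /dev/shm:

```shell
#!/bin/sh
# Added check, not from the original article: parse /etc/fstab text and report
# which required mount options are missing for each temporary directory.
# Lines starting with # and lines with fewer than four fields are skipped;
# the options are the fourth field.
audit_fstab() {
    # $1 = required options, "mountpoint=opt:opt,mountpoint=opt:opt"; stdin = fstab
    awk -v spec="$1" '
        BEGIN {
            n = split(spec, items, ",")
            for (k = 1; k <= n; k++) {
                split(items[k], kv, "=")
                need[kv[1]] = kv[2]
            }
        }
        $1 ~ /^#/ || NF < 4 { next }
        ($2 in need) {
            split("", have)                       # reset per mount point
            m = split($4, opts, ",")
            for (j = 1; j <= m; j++) have[opts[j]] = 1
            r = split(need[$2], req, ":")
            for (j = 1; j <= r; j++)
                if (!(req[j] in have)) printf "%s missing %s\n", $2, req[j]
        }' | sort
}

# Constructed fstab (not from a real host): /tmp uses the loopback entry from
# the article, /var/tmp is a hardened separate partition, /dev/shm is stock.
SAMPLE_FSTAB='# <device>  <mount>   <type> <options>              <dump> <pass>
LABEL=/      /         ext3   defaults               1 1
/dev/tmpfs   /tmp      ext3   loop,nosuid,noexec,rw  0 0
LABEL=/vtmp  /var/tmp  ext3   rw,nosuid,noexec,nodev 0 0
tmpfs        /dev/shm  tmpfs  defaults               0 0'

# Options this section sets on each temporary directory
SPEC='/tmp=nosuid:noexec:nodev,/var/tmp=nosuid:noexec:nodev,/dev/shm=nosuid:noexec'

run_sample_fstab_audit() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab "$SPEC"
}

run_sample_fstab_audit
```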