5.10 Configuring File System Mounts, File Permissions, and File Ownerships

Use separate disk partitions for operating system and user data to prevent a file system full issue from impacting the operation of a server. For example, you might create separate partitions for /home, /tmp, p, /oracle, and so on.

Establish disk quotas to prevent a user from accidentally or intentionally filling up a file system and denying access to other users.

To prevent the operating system files and utilities from being altered during an attack, mount the /usr file system read-only. If you need to update any RPMs on the file system, use the -o remount,rw option with the mount command to remount /usr for both read and write access. After performing the update, use the -o remount,ro option to return the /usr file system to read-only mode.

To limit user access to non-root local file systems such as /tmp or removable storage partitions, specify the -o noexec,nosuid,nodev options to mount. These options prevent the execution of binaries (but not scripts, which an interpreter can still read and run), prevent the setuid bit from having any effect, and prevent the use of device files.

Use the find command to check for unowned files and directories on each file system, for example:

# find mount_point -mount -type f \( -nouser -o -nogroup \) -exec ls -l {} \;
# find mount_point -mount -type d \( -nouser -o -nogroup \) -exec ls -l {} \;

The parentheses are required: without them, find parses -type f -nouser -o -nogroup -exec ... as two alternatives, and the -exec action applies only to the -nogroup branch.

Unowned files and directories might be associated with a deleted user account, they might indicate an error while installing or removing software, or they might be a sign of an intrusion on the system. Correct the permissions and ownership of the files and directories that you find, or remove them. If possible, investigate and correct the problem that led to their creation.

Use the find command to check for world-writable directories on each file system, for example:

# find mount_point -mount -type d -perm /o+w -exec ls -l {} \;

Investigate any world-writable directory that is owned by a user other than a system user: that user can remove or change any file that other users write to the directory. Correct the permissions and ownership of the directories that you find, or remove them.

You can also use find to check for setuid and setgid executables.

# find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

If the setuid and setgid bits are set, an executable can perform a task that requires other rights, such as root privileges. However, buffer overrun attacks can exploit such executables to run unauthorized code with the rights of the exploited process.
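The audits described above, gathered into shell functions as an added example (not from the Oracle Linux guide): the three find checks with explicit grouping, plus a check of which of the noexec, nosuid and nodev mount options a file system lacks. The sample tree and the /proc/mounts lines are constructed here for illustration; the mount point is hypothetical.

```shell
# Added example, not from the Oracle Linux guide. Runs the three find audits from
# the text with explicit \( \) grouping so "-o" cannot detach "-exec" from the
# first test, and checks which hardening mount options a file system lacks.

# Regular files and directories whose owner or group no longer exists.
find_unowned() {
    find "$1" -xdev \( -type f -o -type d \) \( -nouser -o -nogroup \) -print
}

# World-writable directories without the sticky bit. A sticky world-writable
# directory such as /tmp lets users delete only their own files, so it is skipped.
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# Regular files with the setuid or setgid bit set.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print the options among noexec,nosuid,nodev that mount point $1 lacks, reading
# /proc/mounts-style lines (device mountpoint fstype options ...) from stdin.
missing_mount_opts() {
    awk -v mp="$1" '$2 == mp {
        split("noexec nosuid nodev", want, " ")
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) have[opt[i]] = 1
        out = ""
        for (j = 1; j <= 3; j++)
            if (!(want[j] in have)) out = out (out == "" ? "" : ",") want[j]
        print out
    }'
}

# Constructed sample tree (hypothetical mount point) that trips two of the checks.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sticky" "$root/open" "$root/bin"
    chmod 0755 "$root/bin"
    chmod 1777 "$root/sticky"            # world-writable but sticky: not reported
    chmod 0777 "$root/open"              # world-writable, no sticky bit: reported
    printf '#!/bin/sh\necho hi\n' > "$root/bin/tool"
    chmod 4755 "$root/bin/tool"          # setuid: reported
    printf '%s\n' "$root"
}

# Constructed /proc/mounts lines: /tmp lacks noexec, /home lacks all three.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0'
```

On a real system, feed /proc/mounts to missing_mount_opts and pass a mount point such as /tmp to the find functions.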

If you want to stop a setuid or setgid executable from being used with elevated rights by non-root users, you can use the following commands to unset the setuid or setgid bit:

# chmod u-s file
# chmod g-s file

For example, you could use the chmod command to unset the setuid bit for the /bin/ping6 command:

# ls -al /bin/ping6
-rwsr-xr-x. 1 root root 36488 May 20  2011 /bin/ping6
# chmod u-s /bin/ping6
# ls -al /bin/ping6
-rwxr-xr-x. 1 root root 36488 May 20  2011 /bin/ping6

The following table lists programs for which you might want to consider unsetting setuid and setgid:

Program File                      Bit Set  Description of Usage
/bin/ping                         setuid   Sends an ICMP ECHO_REQUEST to a network host.
/bin/ping6                        setuid   Sends an ICMPv6 ECHO_REQUEST to a network host.
/bin/cgexec                       setgid   Runs a task in a control group.
/sbin/mount.nfs                   setuid   Mounts an NFS file system. Note: /sbin/mount.nfs4,
                                           /sbin/umount.nfs, and /sbin/umount.nfs4 are symbolic links
                                           to this file.
/sbin/netreport                   setgid   Requests notification of changes to network interfaces.
/usr/bin/chage                    setuid   Finds out password aging information (via the -l option).
/usr/bin/chfn                     setuid   Changes finger information.
/usr/bin/chsh                     setuid   Changes the login shell.
/usr/bin/crontab                  setuid   Edits, lists, or removes a crontab file.
/usr/bin/wall                     setgid   Sends a system-wide message.
/usr/bin/write                    setgid   Sends a message to another user.
/usr/bin/Xorg                     setuid   Invokes the X Window server.
/usr/libexec/openssh/ssh-keysign  setuid   Runs the SSH helper program for host-based authentication.
/usr/sbin/suexec                  setuid   Switches user before executing external CGI and SSI
                                           programs. This program is intended to be used by the Apache
                                           HTTP server. For more information, see
                                           http://httpd.apache.org/docs/2.2/suexec.html.
/usr/sbin/usernetctl              setuid   Controls network interfaces. Permission for a user to alter
                                           the state of a network interface also requires USERCTL=yes to
                                           be set in the interface file. You can also grant users and
                                           groups the privilege to run the ip command by creating a
                                           suitable entry in the /etc/sudoers file.

Note

This list is not exhaustive, as many optional packages contain setuid and setgid programs.