5.10 Configuring File System Mounts, File Permissions, and File Ownerships

Use separate disk partitions for operating system and user data to prevent a file-system-full condition from impacting the operation of a server. For example, you might create separate partitions for /home, /tmp, /oracle, and so on.

Establish disk quotas to prevent a user from accidentally or intentionally filling up a file system and denying access to other users.

To prevent the operating system files and utilities from being altered during an attack, mount the /usr file system read-only. If you need to update any RPMs on the file system, use the -o remount,rw option with the mount command to remount /usr for both read and write access. After performing the update, use the -o remount,ro option to return the /usr file system to read-only mode.

To limit user access to non-root local file systems such as /tmp or removable storage partitions, specify the -o noexec,nosuid,nodev options to mount. These options prevent the execution of binaries (but not scripts), prevent the setuid bit from having any effect, and prevent the use of device files.

Use the find command to check for unowned files and directories on each file system, for example:

# find mount_point -mount -type f \( -nouser -o -nogroup \) -exec ls -l {} \;
# find mount_point -mount -type d \( -nouser -o -nogroup \) -exec ls -ld {} \;

The parentheses are required: without them, find parses -type f -nouser -o -nogroup -exec ... as (-type f -nouser) -o (-nogroup -exec ...), so the -type test applies only to the -nouser branch and -exec runs only for the -nogroup branch.

Unowned files and directories might be associated with a deleted user account, they might indicate an error when installing or removing software, or they might be a sign of an intrusion on the system. Correct the permissions and ownership of the files and directories that you find, or remove them. If possible, investigate and correct the problem that led to their creation.

Use the find command to check for world-writable directories on each file system, for example:

# find mount_point -mount -type d -perm /o+w -exec ls -l {} \;

Investigate any world-writable directory that is owned by a user other than a system user. The user can remove or change any file that other users write to the directory. Correct the permissions and ownership of the directories that you find, or remove them.

You can also use find to check for setuid and setgid executables.

# find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

If the setuid and setgid bits are set, an executable can perform a task that requires other rights, such as root privileges. However, buffer overrun attacks can exploit such executables to run unauthorized code with the rights of the exploited process.

If you want to stop a setuid or setgid executable from being used by non-root users, you can use the following commands to unset the setuid or setgid bit:

# chmod u-s file
# chmod g-s file

For example, you could use the chmod command to unset the setuid bit for the /bin/ping6 command:

# ls -al /bin/ping6
-rwsr-xr-x. 1 root root 36488 May 20  2011 /bin/ping6
# chmod u-s /bin/ping6
# ls -al /bin/ping6
-rwxr-xr-x. 1 root root 36488 May 20  2011 /bin/ping6
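The find checks above, together with a check for the noexec,nosuid,nodev mount options, collected into shell functions as an added example that is not part of this guide. The sample tree under a mktemp directory is constructed for the demonstration, and -xdev is used as the portable equivalent of -mount.

```shell
#!/bin/bash
# Added example: audit helpers for the checks described in this section.
# All paths and files created below are constructed for the demonstration.

# Files and directories with no matching passwd or group entry.
# The parentheses matter: "-type f -nouser -o -nogroup" would apply
# the -type test to the -nouser branch only.
find_unowned() {
    find "$1" -xdev \( -type f -o -type d \) \( -nouser -o -nogroup \) -exec ls -ld {} \;
}

# World-writable directories: another user can remove or replace
# anything that other users write there.
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm /o+w
}

# setuid or setgid executables, using the grouped form from the guide.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \)
}

# Given a comma-separated mount option string (as in /proc/mounts or
# /etc/fstab), print the hardening options that are missing from it.
missing_mount_opts() {
    local opts=",$1," missing="" want
    for want in noexec nosuid nodev; do
        case "$opts" in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample tree so the script runs stand-alone.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/dropbox" "$demo_tree/private"
chmod 1777 "$demo_tree/dropbox"            # world-writable, like /tmp
chmod 0755 "$demo_tree/private"
printf '#!/bin/sh\n' > "$demo_tree/private/helper"
chmod 4755 "$demo_tree/private/helper"     # setuid bit on a file we own

echo "World-writable directories:"; find_world_writable_dirs "$demo_tree"
echo "setuid/setgid files:";        find_setid "$demo_tree"
echo "Options missing from 'rw,relatime': $(missing_mount_opts rw,relatime)"
```

Run find_unowned against a real mount point as root; the sample tree cannot contain unowned files without root privileges, so it is not exercised in the demonstration.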

The following list describes programs for which you might want to consider unsetting setuid and setgid:

- Sends an ICMP ECHO_REQUEST to a network host.
- Sends an ICMPv6 ECHO_REQUEST to a network host.
- Runs a task in a control group.
- Mounts an NFS file system. /sbin/mount.nfs4, /sbin/umount.nfs, and /sbin/umount.nfs4 are symbolic links to this file.
- Requests notification of changes to network interfaces.
- Finds out password aging information (via the -l option).
- Changes finger information.
- Changes the login shell.
- Edits, lists, or removes a crontab file.
- Sends a system-wide message.
- Sends a message to another user.
- Invokes the X Window server.
- Runs the SSH helper program for host-based authentication.
- Switches user before executing external CGI and SSI programs. This program is intended to be used by the Apache HTTP server. For more information, see http://httpd.apache.org/docs/2.2/suexec.html.
- Controls network interfaces. Permission for a user to alter the state of a network interface also requires USERCTL=yes to be set in the interface file. You can also grant users and groups the privilege to run the ip command by creating a suitable entry in the /etc/sudoers file.


This list is not exhaustive as many optional packages contain setuid and setgid programs.