[Nottingham] (Mandrake 9.0) Linux security help please
BUNTER MATTHEW
nottingham at mailman.lug.org.uk
Mon Jan 20 16:23:01 2003
--- Re=E7u de VITEUR.BUNTERMA 04 72 96 57 77 20/01/03 17=
.21
Martin,
If a user can use df then they can see the mounted partitions. Taking
away the executable ability of df for other would probably stop this. No=
t
sure if this would change for some sort of df GUI.
Other things you can do.
You can unmount any partitions that you don't want looked at.
You can make certain partitions read only.
You can stop any executables being run from a partition.
You can disable SUID/SGID functionality.
The place to look is /etc/fstab - this is the file to be edited to chang=
e
the attribute of mounted filesystems.
e.g.
#df -k
<snipage>
LABEL=3D/windows1 /windows1 vfat defaults 1 2
(it may be slightly different in your case)
If you want read only for this partition then vi the file to read :
LABEL=3D/windows1 /windows1 ext2 defaults,ro 1 2
Once you edit this file it will be done for each boot. You will however
be able to unmount and remount filesystems with the other security
options that mount has as long as you are root - try man mount or man
fstab. Not sure how well mount deals with NTFS - I recall there were
problems though these may have been resolved.
Remember to do a
mount /windows1 -oremount
for the change to take effect
Test with
cat /proc/mounts
to see that /windows1 has the ro attribute.
Remember if you make /boot read only you won't be able to change/upgrade
the kernel. Therefore keep a copy of the old fstab for reference.
Soft links
ln -s /tmp /home/tmp
ln -s /var /home/var
>From what I have read /tmp and /var should be separate partitions.
I'd like to know where you saw crontab listed to be disabled. Each user
on the system has their own crontab file. Since you specify a file or
command to run then the permissions are taken care of. If someone tries
to run a script that writes over /etc/shadow then the permissions of
/etc/shadow will thwart it - unless the root users crontab is running th=
e
script. Better explanation anyone?
I've seen a few recommendations to disable "at". I have done and in my
limited experience haven't had any probs.
All mount info above was stolen from the excellent Securing and
Optimizing Linux version 2 available at tldp.org - recommended for any
security questions you may have.
When you've figured out firewalls let me know, there are things about
iptables rules that I don't quite grasp.
Rgs,
Matt
------------------------------------------------------------------------=
-
Date: Mon, 20 Jan 2003 13:51:20 +0000
Subject: [Nottingham] (Mandrake 9.0) Linux security help please
While my reading up on Linux continues...
For increased online security, I wish to limit filesystem access for an
'online use' user account (I've just got ntl broadband that I want to
use with a Mandrake 9.0 Linux box):
1: There are a few windows partitions that are automatically mounted and
are automatically r/w for all users. How do I make these mounts
inaccessible/invisible for one or more users?
2a: I've read that /, /boot, and /usr should be mounted read-only for
increased security. How should this be done automatically but without
locking up the system?
2b: I've got the following partitions allocated: /, /boot, /usr, /home
and swap. I've set / to be small (500Mb-ish). How do I get such as /tmp
and /var linked over to somewhere on /home (a few Gb big) so that / can
be read-only and won't be threatened with getting full if I start
spooling big printouts? (My worry is to do it such that the boot-up
sequence is not knackered by how things get mounted/linked...)
3: I've seen crontab/at listed (amongst others) as things to be disabled
for security. Why? (To stop 'time bombs' being set?)
....Meanwhile, firewalls (Shorewall) are the next exciting read.
Advice welcome.
Thanks,
Martin
--
----------------
Martin Lomas
martin@ml1.co.uk
----------------
_______________________________________________
Nottingham mailing list
Nottingham@mailman.lug.org.uk
http://mailman.lug.org.uk/mailman/listinfo/nottingham
---- 20/01/03 17.21 ---- Envoy=E9 =E0 -----------------------------=
-----
-> nottingham(a)mailman.lug.org.uk