| View previous topic :: View next topic |
| Author |
Message |
ermor
n00b
Joined: 05 Jan 2025
Posts: 15
|
 Posted: Sun Mar 30, 2025 4:01 pm Post subject: World/grp writable, SUID/SGID files to be set to root/wheel |
 |
|
Hello everyone,
I'm trying to implement as much of the Security Handbook (https://wiki.gentoo.org/wiki/Security_Handbook/File_permissions) as I can, and the section on file permissions say that I should change permissions of certain critical files to root (or presumably, wheel, since I'll have to deactivate the root user at the end).
However, I'm not sure which ones I should edit. I suspected doing it in a batch would be a bad idea, and other discussions seem to confirm it (https://forums.gentoo.org/viewtopic-t-189571-start-0.html and https://forums.gentoo.org/viewtopic-t-372360-start-0.html), but it's a bit vague which ones are concerned beyond "password files, configuration files and possibly other files that should only be used by root". Is there some sort of pattern that would allow me to guess which are only used by root, and which are also critical for normal users? I don't want to edit permissions for... say... crontab, only to be told that I needed to keep it world writable because regular users access it in the background or some such. Sorry if this is a dumb question, I'm not too used to digging into root files, generally speaking. |
|
| Back to top |
|
 |
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 55172
Location: 56N 3W
|
| Posted: Sun Mar 30, 2025 4:35 pm Post subject: |
|
|
ermor,
There is only one dumb question. That's the one you never ask. You run the risk of never knowing the answer.
Why are you following the Security Handbook?
What threats are you trying to defend against?
Do your threat analysis then deploy appropriate defences.
Keep in mind that security is like the layers of an onion. It's not to defeat determined well funded attackers. It's to make make life a difficult as possible far an attacker to do anything useful.
That leads to the security ease of use compromise. You will have to pick your balance point there. That's why the Security Handbook is a bit vague.
e.g. you can mount /tmp and /home noexec. Your users may hate you as they will not be able to install and run anything.
/tmp should already be noexec as its writeable by everyone.
You can add nodev and nosuid for good measure.
The first step in securing your system is your threat analysis.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
ermor
n00b
Joined: 05 Jan 2025
Posts: 15
|
| Posted: Sun Mar 30, 2025 5:15 pm Post subject: |
|
|
| NeddySeagoon wrote: |
Why are you following the Security Handbook?
What threats are you trying to defend against?
Do your threat analysis then deploy appropriate defences.
Keep in mind that security is like the layers of an onion. It's not to defeat determined well funded attackers. It's to make make life a difficult as possible far an attacker to do anything useful.
That leads to the security ease of use compromise. You will have to pick your balance point there. That's why the Security Handbook is a bit vague.
e.g. you can mount /tmp and /home noexec. Your users may hate you as they will not be able to install and run anything.
/tmp should already be noexec as its writeable by everyone.
You can add nodev and nosuid for good measure.
The first step in securing your system is your threat analysis. |
Hello, NeddySeagoon,
I'm a single desktop user who's trying to make his system as secure as possible, without impeding day-to-day operation excessively. I installed Secure Boot recently, and I was looking into encrypting my root partition but I realized I probably should have done it from the beginning, so I guess I'll wait for the day I have to install Gentoo on a "real" system rather than a VM.
I'm a bit intrigued by what you said about /tmp already being noexec. In the section regarding mounting partitions (https://wiki.gentoo.org/wiki/Security_Handbook/Mounting_partitions), they say that mounting /tmp noexec could "prevent certain legitimate scripts from executing properly", and since it was a bit too vague there too and I was afraid of breaking something I skipped that part. That, and there's also the fact I followed the DPS UEFI PARTUUID in the Installation Handbook(https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System#DPS_UEFI_PARTUUID). I haven't mounted a /tmp partition specifically, just the efi and the root (didn't care much for the swap), but I do have the /tmp directory in root. Should I mount it following the Security Handbook example in "Mounting partitions"? Can a partition even be a sub partition of another one? I just looked it up and what I found suggest that I can, and I'm tempted to try...
EDIT: I implemented the /tmp example in question, and it rebooted. So far, so good. |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23343
|
| Posted: Sun Mar 30, 2025 6:39 pm Post subject: |
|
|
I use noexec on /tmp and have not had any problems. I vaguely recall that certain third-party scripts for installing blobs from the Internet tend to break with this, but in my opinion, those scripts are almost always garbage anyway, so I consider breaking them to be a positive thing.
Yes, you can get noexec on a directory that is not a filesystem root, by way of a bind mount. |
|
| Back to top |
|
|
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 55172
Location: 56N 3W
|
| Posted: Sun Mar 30, 2025 6:48 pm Post subject: |
|
|
ermor,
A long time ago /tmp was a a real on disk filesystem. For many years its been in tmpfs. That is, a piece of RAM, so that it starts off empty every boot.
| df -Th: | Filesystem Type Size Used Avail Use% Mounted on
tmpfs tmpfs 63G 32K 63G 1% /tmp |
It's default maximum size is 50% of RAM but the space is not reserved.
Anything than wants both write and execute permissions in /tmp is considered broken by design. Please report a bug if you find something.
Noexec on /tmp stops spammers executing a mail server there. They can still set it up. if they break in, but not execute it, so it never sends any spam.
| ermor wrote: | | ... as secure as possible ... |
against what?
What security/usability trade offs are you prepared to make?
If you change file permissions now, the changes will be reverted with your regular updates, as things are updated.
Do you have a paranoid firewall, rather than a half open one that allows anything out?
Paranoid means REJECT all outgoing, then allow things that you want. Likewise, DROP all incoming and allow the things you want..
The idea is to stop the bad guys phoning home if they do get in.
Mine also blocks Android phoning home too :)
REJECT generates error messages to the sender.
DROP throws the packet away with no message, just like you weren't there.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
ermor
n00b
Joined: 05 Jan 2025
Posts: 15
|
| Posted: Mon Mar 31, 2025 6:58 pm Post subject: |
|
|
| Hu wrote: | | Yes, you can get noexec on a directory that is not a filesystem root, by way of a bind mount. |
Thanks for the explanation. Didn't set it up correctly the first time in my fstab, but I looked up bind mounts and it seems to be working now.
| NeddySeagoon wrote: | | A long time ago /tmp was a a real on disk filesystem. For many years its been in tmpfs. That is, a piece of RAM, so that it starts off empty every boot. |
Interestingly, when I run "findmnt -–real" with my setup, it shows /tmp as a xfs file system, even though I mounted it as tmpfs. Not sure if this is the way it's supposed to appear, or if it's because I'm bind mounting it on a preexisting xfs partition.
| NeddySeagoon wrote: |
against what?
What security/usability trade offs are you prepared to make?
If you change file permissions now, the changes will be reverted with your regular updates, as things are updated. |
Mostly random remote threats, since it will be an internet-facing device. The kind of malware a regular user could pick up by browsing the web. Sorry if this is a bit vague, my own conception of security up to that point was keeping things up to date, not downloading just anything I found and run Malwarebytes and an antivirus on anything I did download. It's the first time I actually try to go in depth. I didn't want to setup Secure Boot to start with an external key because I'm a bit paranoid about drive failure and random data corruption and I was worried the key would randomly fail and lock me out of my computer. The "non-invasive" install is fine by me. I've tried to look a bit further into the process, but I'm mostly taking things one at a time and figuring how much I'm willing to put with (and how frustrating a hardened install can potentially get) as I go.
Presumably, I don't need too much, judging by my usage. I mostly game and browse the internet. I've been thinking about creating two users, one in the wheel group I'd use to do anything "serious" and install/upgrade things, and another outside of wheel I'd use when gaming or browsing the internet normally, but I don't know if this is a naive way of looking at things, it just made sense with what I read in the later parts of the installation handbook.
For the permissions, I figured I'd try to read a pattern of what should be made root/wheel only and build a script that would automate it for me (and would only be usable by root/wheel), but that may be naive too.
| NeddySeagoon wrote: |
Do you have a paranoid firewall, rather than a half open one that allows anything out?
Paranoid means REJECT all outgoing, then allow things that you want. Likewise, DROP all incoming and allow the things you want..
The idea is to stop the bad guys phoning home if they do get in.
Mine also blocks Android phoning home too 
REJECT generates error messages to the sender.
DROP throws the packet away with no message, just like you weren't there. |
I haven't gotten to the firewall part yet. Right now I'm not really doing anything with the VM besides tinkering with it and setting it up, so I figured it could wait a bit. Might be the next thing I look into, though, that or the Linux Security Modules section of the Security Handbook. I'll keep in mind what you said when I get to it! |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
