Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How can I hide files in an ext2/3 file system from ls -a and friends? I know about renaming the file to ".foo", but I want to do more than that--prevent listing together
Only use this when you have the legal right to: for example, you own the system. Otherwise, this is a very nasty thing to do, and quite likely illegal
There is a really strange way to do this... but it is a hack, and can cause problems to find your files again, and a very, very, very alert sysadmin could find this file, and then would know that something is up, as this is just about the only case where such a situation would exist.
1)Make a normal file... "touch test"
2)Make a process that will keep the file open forever (if this program stops, then the file will be gone) (see the example c++ program below)
Run the program in a way such as "nohup ./keepopen&" as this will give you the process number, and you can log-out and it will not die.
3)run "unlink test"
---At this point, your file will not show up in ls -a---
4)Run "cat /proc/<process id>/fd/3" to read your file, where process id is the process id of the program that is keeping the file open (when you come back sometime later)
Downsides to this:
1) When the system restarts, your file goes away.
2) If the process you are using to keep the file open goes away, so does the file.
3) My systems all scan for files like this... by looking at the output of the file command that says deleted file. Any systems that I lock-down do this also. I would bet I am the only one, however. Note to other SysAdmins out there: You really should scan for things like this.
In many cases, if the program you want to use outputs text (for example a logging program), then you can just use that program, and you do not need your own. However, if you want to keep some text around that nobody can see, try this program (just compile it):
Code:
#include <iostream>
#include <fstream>
using namespace std;
int main() {
ofstream keepopen;
keepopen.open("test",ios::app);
while(true)
{
usleep(1000000);
}
}
If someone thinks that this is too close to hacking to be allowed around here, feel free to delete the post, or tell me to delete it. I am not really sure where to draw the line on something like this, as it half seems like hacking, and half seems like a strange, but OK thing to do. Any ideas?
You can put the files in a directory and remove all read permissions from that directory. Then any attempt to look into it will give you a "permissions denied" error instead of a listing. You won't be able to hide the directory itself though, only the files it holds.
How can I hide files in an ext2/3 file system from ls -a and friends?
Any particular reason why you would want this?
I think the opened file is a nice one. but 3) My systems all scan for files like this... by looking at the output of the file command that says deleted file. Any systems that I lock-down do this also. I would bet I am the only one, however. Note to other SysAdmins out there: You really should scan for things like this.
this functionality was added to Rootkit Hunter 1.2.9 and has been in Tiger for years.
Hiding in slack space is cool but Bmap didn't work for me on Ext3. Oh well. Other ways could be blocking access with a with SELinux or GRSecurity RBAC rule (reboot w/o ruleset), piggybacking the file to another one by catting it, using steganography or as ELF section (check hash), using some PRELOAD (unset if account rights) or using an LKM.
Well mr Watson, since you said you read the fine manual, pray tell, what extended attribute provides (or did provide several years ago) this feature?
I don't remember. It probably wasn't an extended attribute. It was a long time ago. This thread can be closed. All that I remember is that there was an extended attribute that was really cool. I thought that it was hiding a file. It was probably the immutable flag though.
I just want to reiterate that this was a very long time ago. I was probably just confused about what I was doing.
If you're the owner of the machine, and it runs Linux, and you know how to compile a kernel, you may look at the gobohide kernel patch, from the GoboLinux distribution: http://www.gobolinux.org/index.php?p...icles/gobohide
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
