I am just doing some R&D on Unified File System, and my requirement is that the new mount point mounted with UFS should be hidden for some security reasons (without unmounting). My requirement might be strange. Please help me in getting the answer. If it is impossible, then at least show me a way to hide the files and directories under the mount point (files and directories should not be listed by any command).
ex :
Before mounting with UFS
# ls /dev/sdb
dir1 file1 link1
# ls /dev/sdc
dir1 dir4 link1
After mounting with UFS
mount -t unionfs -o dirs=/dev/sdb=rw:/dev/sdc=rw unionfs union2
# ls union2
dir1 dir4 file1 link1
Now the files and directories are merged.
But we can see the mount point and the files under it. How can I hide this mounted directory? Or else at least hide the contents? Is there any way to do it?
Why would you want to hide mount points and/or its content? I'm not even sure this is possible.
If the system is set up correctly then the permissions on directories and files will make sure that a user cannot enter/view/edit/execute these. If the basic Unix/Linux permissions aren't good enough to do this you could use ACLs for a more fine-grained setup.
Hiding mount points (and/or directories/files) is security by obscurity, which shouldn't be done. Don't hide it, make sure the permissions are set up correctly.
Last edited by druuna; 01-23-2014 at 07:35 AM.
Reason: set op --> set up
Well I will explain with an example why I need it.
Assume there is an application which is performing I/O on that particular mount point and storing and reading some important data (the data should not be stored in encrypted format, as those files will be read and written very frequently. If we provide an encryption layer in between then access will become slow). If a user goes and does "ls" on that mount point then he can easily see the files, which is not expected.
Basically, if a user does "ls" on the mount point, it should not display anything.
As you say, if I set permissions on that then the I/O will fail.
I did not say that. Up to this point I don't see anything that points to a security breach.
Quote:
Assume there is an application which is performing I/O on that particular mount point and storing and reading some important data (the data should not be stored in encrypted format, as those files will be read and written very frequently. If we provide an encryption layer in between then access will become slow). If a user goes and does "ls" on that mount point then he can easily see the files, which is not expected.
Basically, if a user does "ls" on the mount point, it should not display anything.
As you say, if I set permissions on that then the I/O will fail.
The approach you are after is wrong.
First of all:
- If the data used by the application is that important then you should separate it from other data,
- If the data is really, really important then it should be encrypted. Slowness isn't an issue (don't let the hardware dictate your specs, your specs should dictate the hardware).
Secondly: The permissions used (owner, group and world) on files and/or directories should be set according to rules about who is and who isn't allowed access. If, for example, the application data is owned by app1 and group apps and the world (others) do not have any permissions (example: 750 or 770) and normal users are not a member of the apps group then they cannot access the data owned by app1.
If a normal user does need legal access: Make that user a member of the apps group.
BTW: Being able to use ls might(!!) not be a problem. They will only be able to see the file names and unless the file/directory names themselves contain sensitive info, that might not be a problem.
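An added example (not part of the original thread) of the permission setup described in the post above: it audits a data directory for entries that still grant anything to "others" and then locks the tree down to 750-style access. The sample tree, the function names and the optional group argument (for example "apps") are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit and lock down an application data directory so that
# "others" get no access. Names and layout are assumptions for illustration.

# List every entry under $1 that grants any permission to "others".
# Symlinks are skipped: their own mode bits are not used for access checks.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all "other" permissions below $1 and set the top directory to 750.
# If a group name is given as $2 (e.g. apps), hand group ownership to it;
# that step needs sufficient privileges and an existing group.
lock_down() {
    dir=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1
    fi
    chmod -R o-rwx "$dir" || return 1
    chmod 750 "$dir"
}

# Constructed sample tree standing in for the application's data directory.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/dir1"
    : > "$d/file1"
    ln -s file1 "$d/link1"
    chmod 755 "$d" "$d/dir1"
    chmod 644 "$d/file1"
    printf '%s\n' "$d"
}

demo() {
    data=$(make_sample) || return 1
    echo "before:"; world_accessible "$data"
    lock_down "$data"
    echo "after:";  world_accessible "$data"
    rm -rf "$data"
}

demo
```

Because the top directory ends up without any "other" bits, a user outside the owning group can neither list it nor reach files below it by name, while the owning account's I/O is unaffected.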
When I mount with unionfs over 2 directories, both will be merged and there will be another mount point along with the original mount.
If a user creates a file on the original mount point it will not be shown in the unified mount point. So I don't want to show the original mount point.
In other words, the original mount point should be hidden or the files in it should be hidden (ls should not show anything), so that there will be a unified view of both directories.
In any case the user should be able to browse the files present in the newly created (mounted with unionfs) mount point.
I hope I am not dragging things out too much and causing confusion.
Assume that there are two pendrives connected to a Linux machine,
and we can see both the pendrives connected.
I don't want to see two pendrives on my machine; instead it should show only one pendrive which is of size (pendrive1 + pendrive2). Can we hide both and show only one storage?
Something like this:
when we attach a disk (without partitions), we can see one disk. Once we logically divide the disk then there will be multiple disks and the integrated disk view is not available.
You CAN hide a directory but it does require a kernel patch: http://grsecurity.net. You will have to set up MAC on the system using grsecurity but you can define what directories can be seen by what users. The hiding of the directories happens at a kernel level so it is one of the best approaches that you will find for hiding directories from users.
Apologies if this is out of turn as I don't keep up too much with this kind of thing but might there be some way to use the built-in AES instructions of modern processors to achieve almost transparent encryption? I think that was the aim of them.
@slimm609: I have downloaded the patch file "grsecurity-3.0-3.2.54-201401281850.patch" from grsecurity.net.
I am getting many conflicts when I apply it on "linux-3.11". Can you please let me know which version of the kernel it supports?
The filename will always contain the version of the kernel. In this case the one you downloaded is for the 3.2.54 kernel.