# hardened filesystem permissions

## lutel

Hi,

I would like to share this little script which hardens permissions on all of my servers (no problems so far).

```bash
#!/bin/bash
# Strip group/other access from boot files, root's home and user homes;
# /home itself stays traversable (+x) so users can still reach their own directory.
chmod -R go-rwx /boot /root /home
chmod a+x /home

# Lock down /etc, then re-open only what unprivileged programs must read.
chmod -R go-rwx /etc
chmod a+x /etc /etc/wget /etc/security
chmod a+r /etc/passwd /etc/group /etc/DIR_COLORS /etc/profile.env /etc/inputrc \
    /etc/resolv.conf /etc/security/limits.conf /etc/services /etc/wget/wgetrc \
    /etc/screenrc /etc/hosts /etc/hostname 2>/dev/null
chmod a+rx /etc/profile 2>/dev/null
chmod g+r /etc/sudoers

# Service configuration directories belong to the service accounts.
chown named:named /etc/bind
chown squid:squid /etc/squid
chown snort:snort /etc/snort

# Logs: root only, except wtmp (needs group write) and the portage log directory.
chmod -R go-rwx /var/log
chmod g+rw /var/log/wtmp
chmod g+rwxs /var/log/portage

# Interactively review root-owned set-uid/set-gid binaries and optionally strip the bits.
# -perm -4000 / -perm -2000 is the portable form of the old "-perm +u+s / +g+s" syntax.
# The unquoted command substitution splits on whitespace, so paths containing spaces
# are not handled by this loop.
for f in $(find / \( -perm -4000 -uid 0 -o -perm -2000 -gid 0 \) -type f); do
    echo "Remove SUID from $(ls -l "$f") (y/n)?"
    read -n 1 -s keypress
    if [ "$keypress" = "y" ]; then
        echo "remove SUID from: $(ls -l "$f")" | logger
        chmod a-s "$f"
    fi
done
```

best regards

Tomek
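As an added example (not part of Tomek's post), here is the read-only counterpart of the script above: it reports files whose mode grants more than an expected ceiling, and lists root-owned set-uid/set-gid files under a tree, without changing anything. This is useful for checking a hardened host after the fact, or for catching drift later. It assumes GNU coreutils `stat -c '%a'` and a `find` that supports `-xdev`, `-perm -MODE`, `-uid` and `-gid` (GNU and BSD find both do); the ceilings in the `--run` section are illustrative values, not a recommended policy.

```shell
#!/bin/sh
# Added example, not part of the original post: a read-only audit that reports
# (rather than changes) the two things the hardening script above acts on:
#   1. files whose mode grants more than an expected ceiling, and
#   2. set-uid / set-gid regular files owned by root under a tree.
# Assumes GNU stat(1) with -c '%a' and a find(1) supporting -xdev/-perm/-uid/-gid.

# perm_excess FILE MAXMODE
# Returns 0 if every permission bit of FILE is within the octal MAXMODE,
# otherwise prints the file with its actual mode and returns 1.
# A missing file is not a finding (returns 0 silently).
perm_excess() {
    file=$1
    max=$2
    [ -e "$file" ] || return 0
    actual=$(stat -c '%a' "$file")
    # bits present in the actual mode but absent from the ceiling;
    # the leading 0 makes the shell read both values as octal
    excess=$(( 0$actual & ~0$max & 07777 ))
    if [ "$excess" -ne 0 ]; then
        printf '%s: mode %s exceeds ceiling %s\n' "$file" "$actual" "$max"
        return 1
    fi
    return 0
}

# setid_report DIR [UID] [GID]
# Lists regular files below DIR (not crossing filesystems) that carry the
# set-uid bit and are owned by UID, or carry the set-gid bit and belong to
# GID; both default to 0 (root). Same selection as the loop in the script
# above, but it only reports; stripping a bit stays an admin decision.
setid_report() {
    dir=$1
    uid=${2:-0}
    gid=${3:-0}
    find "$dir" -xdev -type f \
        \( -perm -4000 -uid "$uid" -o -perm -2000 -gid "$gid" \) \
        -exec ls -ld {} +
}

# Usage: sh audit.sh --run
# The ceilings below are illustrative, not a recommended policy.
if [ "${1:-}" = "--run" ]; then
    for entry in /etc/shadow:600 /etc/sudoers:440 /etc/ssh:700 /var/log:700; do
        perm_excess "${entry%%:*}" "${entry##*:}" || :
    done
    setid_report /usr
fi
```

The arithmetic in `perm_excess` is plain POSIX shell, so the check runs under dash as well as bash; only `stat -c` ties it to GNU coreutils.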

----------

## spudicus

I've got a similar one (which is a bit chaotically laid out) that may also be of use; however, it assumes/requires the / partition to be ext2/3 when using the chattr command.

If certain permissions cause problems, figure out what does work and add/alter the permissions script, revert to original permissions, then try running the permissions script again. This script is only a starting point and will more than likely need slight alterations to suit individuals' needs.

```bash
#!/bin/bash
r_only="/boot /sbin /usr/sbin/* /usr/local/sbin"   # accessible only by root
w_ex="/* /bin /usr/* /usr/local/* /home"           # world traversable (x) but not readable

# /boot is normally left unmounted; mount it read-write for the duration of the run.
if [ "$(mount | grep /boot)" = "" ]; then
    mount /boot -o rw
fi

# Clear the immutable attribute so the changes below can be applied, then lock the
# root-only trees down. The list must stay unquoted so the loop sees one path per
# iteration (quoted, it ran once with the whole string), and the comparison uses
# != because -ne is for integers and made the test fail every time.
for i in /bin /root $r_only; do
    chattr -VR -i $i
    if [ "$i" != "/bin" ]; then
        chown -cR root:root $i
        chmod -cR 0700 $i
    fi
done

# Change top level, usr and local directories to only be world executable
for i in $w_ex; do
    chown -c root:root $i
    chmod -c 711 $i
done
chmod -cR 755 /bin
chmod -c 755 /usr/sbin
chmod -c 755 /usr/bin

chown -cR :proc /proc
chmod -cR g+r /proc

chown -cR portage:portage /usr/portage
chown -cR portage:portage /var/tmp/portage

# Add sticky to /tmp
chmod -c 1717 /tmp
chmod -c 1717 /var/tmp

chmod -c 0644 /var/run/utmp
chown root:utmp /var/run/screen
chmod -Rc 0700 /var/run/screen
chmod -c 0777 /var/run/screen

chown -Rc log /var/log/
chmod -Rc 0755 /var/log/
chown -Rc log:portage /var/log/portage
chmod -Rc 0755 /var/log/portage
chmod -c 0644 /var/log/wtmp

chown -c root:wheel /sbin
chown -c root:wheel /sbin/ifconfig
chmod -c 0710 /sbin
chmod -c 2710 /sbin/ifconfig

# SSH host keys: root only, and immutable so nothing below (or later) can alter them
for i in ssh_host_dsa_key ssh_host_key ssh_host_rsa_key; do
    chown -c root:root /etc/ssh/$i
    chmod -c 700 /etc/ssh/$i
    chattr -V +i /etc/ssh/$i
done

# Ensure /etc/ is writeable only by root and some subdirectories only readable by
# owning group.
chown -cR root:root /etc
chmod -cR 755 /etc/*
chown -cR root:sshd /etc/ssh
chown -cR root:snort /etc/snort
if [ ! -d "/var/log/snort" ]; then
    mkdir /var/log/snort
fi
chown -cR log:snort /var/log/snort
chmod -cR 660 /var/log/snort

# Allow squid to access its config directories
chown -cR root:squid /etc/squid
chown -cR root:squid /usr/lib/squid
chmod -cR 770 /usr/lib/squid

# Root only access. The globs are expanded against /etc here; originally they were
# expanded in whatever the current directory happened to be.
for i in /etc/{cron*,secur*,shadow*,init.d,runlevels,modules*,firewall*,fstab,ssh,snort,squid}; do
    chmod -cR 700 $i
done
chmod -c 0440 /etc/sudoers

# Strip every set-uid/set-gid bit system-wide, then restore the few that are needed
chmod -Rc ug-s /*
chmod -c 6755 /bin/su
for i in gpg procmail xtrlock xscreensaver sudo; do
    chmod -c 4111 /usr/bin/$i
done
for i in bin/vmware bin/vmware-ping lib/bin/vmware-vmx; do
    chmod -c 4115 /opt/vmware/$i
done
chmod -c 4111 /usr/X11R6/bin/Xwrapper

chown -cR root:audio /usr/local/mp3
chmod -Rc 771 /usr/local/mp3

# Make the root-only trees immutable again
for i in /bin $r_only; do
    chattr -VR +i $i
done

if [ "$(mount | grep /boot)" != "" ]; then
    umount /boot
fi
```

To unlock the lsattr settings I use:

```bash
#!/bin/bash
r_only="/boot /sbin /usr/sbin /usr/local/sbin"   # accessible only by root

# /boot is normally left unmounted; mount it so its attributes can be changed.
if [ "$(mount | grep /boot)" = "" ]; then
    mount /boot -o rw
fi

# Remove the immutable attribute from every root-only tree (list left unquoted
# so the loop sees one path per iteration).
for i in /bin $r_only; do
    chattr -VR -i $i
done

if [ "$(mount | grep /boot)" != "" ]; then
    umount /boot
fi
```

Mine is definitely a work in progress... So please refrain from too much flaming   :Smile: 

I've also got a script (another work in progress) that records the permissions for all files, which can be used prior to major hardening as a reference for backing out:

```bash
#!/bin/bash
file="./perm.orig"
fstab=""   # filesystems this script mounts itself, so it can unmount them again

##
# Determine which file to write to.
# If first run use perm.orig, otherwise use perm.$DATE
##
if [ -e "$file" ]; then
    file="perm.$(date +"%H-%M_%d-%m-%y")"
fi

##
# Determine which filesystems aren't mounted and add to $fstab then mount.
# This could be done a lot simpler by force mounting everything (mount -a) then mounting
# any filesystem with the noauto switch, however, this remembers which device was mounted
# so it can be unmounted later, returning the system to its previous condition.
# The patterns are quoted so the shell does not try to glob-expand them.
##
for i in $(egrep -v '(^none|^#)' /etc/fstab | egrep -o '[[:space:]](/\w*)+'); do
    if [[ "$i" != "/" && -z $(egrep -o "[[:space:]]$i[[:space:]]" /etc/mtab) ]]; then
        fstab="$fstab $i"
        mount "$i"
    fi
done

##
# Record owner, group and mode of every file as "uid:gid:octal-mode:/path",
# skipping the proc and sysfs pseudo-filesystems.
##
find / ! \( -fstype proc -prune \) -a ! \( -fstype sysfs -prune \) -a -printf "%U:%G:%m:/%P\n" > "$file"

##
# Unmount devices mounted for check
##
for i in $fstab; do
    umount "$i"
done
```

And to restore permissions I use the following C program:

```c
#define _XOPEN_SOURCE 500   /* keep the POSIX declarations visible under -ansi */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Reads lines of the form uid:gid:octal-mode:/path (as written by the
 * find -printf "%U:%G:%m:/%P\n" above) and re-applies owner and mode. */
int main(int argc, char **argv){
  char in[1600];
  char filename[sizeof in];
  int owner, group;
  unsigned int mode;            /* %o requires an unsigned int */
  FILE *f;

  if (argc != 2) {
    fprintf(stderr, "usage: %s permissions-file\n", argv[0]);
    return 1;
  }
  f = fopen(argv[1], "r");
  if (f == NULL) {
    perror(argv[1]);
    return 1;
  }

  while (fgets(in, sizeof in, f)) {
    /* %[^\n] keeps paths containing spaces intact; the width bounds the copy */
    if (sscanf(in, "%d:%d:%o:%1599[^\n]", &owner, &group, &mode, filename) != 4)
      continue;                 /* skip malformed lines */
    /* chown first: changing the owner clears set-id bits, which chmod then restores */
    if (chown(filename, owner, group) == -1)
      perror(filename);
    if (chmod(filename, mode) == -1)
      perror(filename);
  }
  fclose(f);
  return 0;
}
```

Compiled with:

```bash
gcc -O3 -Wall -ansi -o fix fix.c
```

and run using a permissions file created with the above script

```bash
./fix perm.orig
# or, with a later snapshot:
./fix perm_DATE
```

Obviously all the above need to be run as root (via su/sudo).

[disclaimer] I'm a BASH/hardening noob. There are definitely better ways of doing these.[/disclaimer].
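The snapshot format above (`uid:gid:mode:/path`) also lends itself to comparing two snapshots, which is often more useful than restoring everything blindly: you can see exactly what a hardening run changed, back out single files, or later detect ownership and mode drift. The following is an added example, not from spudicus's post; it assumes the snapshot files were written by the recording script above, needs only POSIX `sort`, `join` and `awk`, and assumes no path contains a tab character.

```shell
#!/bin/sh
# Added example, not part of the original post: compares two snapshots in the
# uid:gid:mode:/path format written by the recording script above and reports
# only what differs. Needs only POSIX sort, join and awk. Assumes no path
# contains a tab character.

TAB=$(printf '\t')

# perm_keyed SNAPSHOT
# Rewrites "uid:gid:mode:/path" as "/path<TAB>uid:gid:mode" sorted by path,
# which is the form join(1) needs. Fields 4..NF are glued back together so a
# colon inside a path does not split it.
perm_keyed() {
    awk -F: 'BEGIN { OFS = "\t" }
             { path = $4
               for (i = 5; i <= NF; i++) path = path ":" $i
               print path, $1 ":" $2 ":" $3 }' "$1" |
        LC_ALL=C sort -t "$TAB" -k1,1
}

# perm_drift BASELINE CURRENT
# Prints one line per path whose owner, group or mode differs, or that is
# present in only one snapshot:
#   changed /path old -> new
#   removed /path old        (in BASELINE only)
#   added   /path new        (in CURRENT only)
perm_drift() {
    b=$(mktemp)
    c=$(mktemp)
    perm_keyed "$1" > "$b"
    perm_keyed "$2" > "$c"
    # -a1 -a2 keep unmatched lines from both sides, -e - fills the missing
    # side with "-", -o fixes the column layout to path, old, new
    LC_ALL=C join -t "$TAB" -a1 -a2 -e - -o 0,1.2,2.2 "$b" "$c" |
        awk -F "$TAB" '
            $2 == "-" { print "added   " $1 " " $3; next }
            $3 == "-" { print "removed " $1 " " $2; next }
            $2 != $3  { print "changed " $1 " " $2 " -> " $3 }'
    rm -f "$b" "$c"
}

# Usage: sh perm_drift.sh perm.orig perm.<date>
if [ $# -eq 2 ]; then
    perm_drift "$1" "$2"
fi
```

Both `sort` and `join` run with `LC_ALL=C` so they agree on the collation order; mixing locales is the usual cause of "input is not in sorted order" complaints from `join`. A `changed` line for a path that was never touched by the hardening script is the kind of drift worth investigating.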

----------

## louman

I was just thinking of doing something similar myself, but I feel that I'm a n00b as well. I have moderate experience with bash scripting but hardly any with real system administration. I just wanted to start securing up my services a bit since I'm starting to use them and let others use them. I'll read through these scripts and maybe I'll learn something. Thanks for posting your work, guys  :Smile: 

----------

