File and filesystem security

File verification tools

Being able to verify that files have not been tampered with matters because an intruder who has gained access will often plant 'trojan' versions of system programs that open a back door or cause damage at a later time.

Package tools: rpm and dpkg

The package tools that come with Red Hat (rpm) and Debian (dpkg) can verify the contents of any package installed on the system against the metadata recorded at install time, checking a number of characteristics of each file, including ownership, size, type, permissions and an MD5 checksum. Note that this only detects changes made after installation: a package that was already trojaned when it was installed will verify cleanly, and an intruder with root access can edit the package database itself, so the result is only as trustworthy as that database.

For example, the following command verifies the wu-ftpd FTP package. The c marks configuration files, which an administrator is expected to edit, so a changed MD5 checksum (5 in the third column) on these is normal; the last file has also had its timestamp (T in the last column) modified. The same 5 on one of the package's binaries would be cause for alarm:

        % rpm -V wu-ftpd
        ..5..... c /etc/ftpaccess
        ..5..... c /etc/ftpconversions
        ..5..... c /etc/ftpgroups
        ..5..... c /etc/ftphosts
        ..5....T c /etc/ftpusers
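Reading the attribute string by eye does not scale to a whole system, so the following added example (not from the original page or from the rpm project) parses rpm -V output into structured records and separates the expected changes (an edited config file) from the ones that warrant a look (a binary with a new checksum, a config file whose owner or mode changed, a file that is missing). The sample output and the paths in it are constructed to resemble the wu-ftpd listing above; the ninth P column exists only in newer rpm versions.

```python
"""Parse the attribute string printed by `rpm -V` and flag suspicious files.

Added example, not from the original page or from the rpm project.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# One column per test, by position in the attribute string.  '.' means the
# test passed, '?' means it could not be performed (e.g. unreadable file).
VERIFY_COLUMNS = [
    ("S", "size"),
    ("M", "mode"),
    ("5", "digest"),        # MD5 in old rpm, the package's digest in newer ones
    ("D", "device"),
    ("L", "link"),          # readlink(2) target
    ("U", "user"),
    ("G", "group"),
    ("T", "mtime"),
    ("P", "capabilities"),  # ninth column, newer rpm only
]
FILE_TYPES = {"c": "config", "d": "documentation", "g": "ghost",
              "l": "license", "r": "readme"}
# A locally edited config file legitimately changes size, digest and mtime.
CONFIG_EXPECTED = {"size", "digest", "mtime"}
# For anything else, these changes are evidence of tampering (mtime alone is not).
TAMPER_EVIDENCE = {"size", "mode", "digest", "device", "link", "user", "group",
                   "capabilities"}


@dataclass
class VerifyResult:
    path: str
    file_type: Optional[str] = None
    missing: bool = False
    failed: List[str] = field(default_factory=list)
    untestable: List[str] = field(default_factory=list)


def parse_verify_line(line: str) -> Optional[VerifyResult]:
    """Parse one line of `rpm -V` output; returns None for a blank line."""
    line = line.strip()
    if not line:
        return None
    parts = line.split(None, 1)
    flags = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    # Optional single-letter file type marker between the flags and the path.
    file_type = None
    rest_parts = rest.split(None, 1)
    if len(rest_parts) == 2 and rest_parts[0] in FILE_TYPES:
        file_type = FILE_TYPES[rest_parts[0]]
        path = rest_parts[1]
    else:
        path = rest  # path may itself contain spaces, so keep the remainder whole
    result = VerifyResult(path=path, file_type=file_type)
    if flags == "missing":
        result.missing = True
        return result
    for idx, ch in enumerate(flags):
        if ch == ".":
            continue
        if idx >= len(VERIFY_COLUMNS):
            raise ValueError(f"attribute string too long in {line!r}")
        expected, name = VERIFY_COLUMNS[idx]
        if ch == "?":
            result.untestable.append(name)
        elif ch == expected:
            result.failed.append(name)
        else:
            # Fail loudly: a security tool should not silently skip unknown input.
            raise ValueError(f"unexpected flag {ch!r} at column {idx} in {line!r}")
    return result


def parse_verify_output(text: str) -> List[VerifyResult]:
    return [r for r in (parse_verify_line(l) for l in text.splitlines()) if r]


def suspicious(results: List[VerifyResult]) -> List[VerifyResult]:
    """Keep only results an administrator should investigate."""
    out = []
    for r in results:
        if r.missing:
            out.append(r)
        elif r.file_type == "config":
            if set(r.failed) - CONFIG_EXPECTED:
                out.append(r)
        elif set(r.failed) & TAMPER_EVIDENCE:
            out.append(r)
    return out


# Constructed sample output modelled on the wu-ftpd listing; not real rpm output.
SAMPLE = """\
..5..... c /etc/ftpaccess
..5....T c /etc/ftpusers
.M...... c /etc/ftphosts
S.5....T   /usr/sbin/in.ftpd
.......T   /usr/bin/ftpwho
missing    /usr/bin/ftpcount
"""

if __name__ == "__main__":
    for r in suspicious(parse_verify_output(SAMPLE)):
        what = "missing" if r.missing else ", ".join(r.failed)
        print(f"CHECK {r.path}: {what}")
```

In practice the input comes from `rpm -Va` (all packages) piped into the script; the policy in suspicious() is deliberately simple and should be tightened for anything owned by root with the setuid bit.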


The tripwire tool is a more general integrity checker that is highly flexible. The initial tripwire run creates a database of checksums and attributes for selected files and directories (such as /etc, /bin and /usr/bin). This database should be stored off-site or on read-only media, since an intruder who can modify the files can otherwise update the database to match. Subsequent tripwire runs will report any discrepancies between the database and the current state of the system.

This is highly useful for ensuring that files have not been modified, especially if the files did not originate from an rpm or dpkg package, or if you are using an older distribution, such as Slackware.


If you are not using a verification tool, such as rpm or tripwire, you can still prevent important system binaries from being modified if the files are on an ext2 filesystem (the default filesystem for Linux).

The chattr tool allows the root user to change the attributes of files on an ext2 filesystem, and the +i flag makes the file immutable. To quote the man page:

A file with the `i' attribute cannot be modified: it can not be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser can set or clear this attribute.

This can be useful to stop an attacker who has exploited a hole in a program such as finger or sendmail from overwriting system binaries: the immutable attribute is enforced by the filesystem regardless of the uid of the process doing the writing, so it holds even when the exploited program runs as root. It is a speed bump rather than a barrier, though: an attacker with full root access can clear the attribute again with chattr -i, so the value lies in forcing an extra, visible step and in defeating automated scripts that simply try to write the file.
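Since the attribute can be cleared again, it is worth checking periodically that the protected binaries still carry it. The following added example (not from the original page) reads the inode flags through the FS_IOC_GETFLAGS ioctl, which is what lsattr does; reading the flags needs no privilege, so it can run from an unprivileged cron job. The list of paths to watch is an assumed example.

```python
"""Report which of a list of system binaries have lost the ext2 immutable ('i') attribute.

Added example, not from the original page.  Uses the FS_IOC_GETFLAGS ioctl
(the flags set by chattr and shown by lsattr) so it needs no external tools.
"""
import fcntl
import os
import struct
from typing import List, Optional

FS_IMMUTABLE_FL = 0x00000010  # 'i' in lsattr output (linux/fs.h)
FS_APPEND_FL = 0x00000020     # 'a' in lsattr output, useful for log files


def _fs_ioc_getflags() -> int:
    # Equivalent of the C macro _IOR('f', 1, long): direction READ (2) in bits
    # 30-31, argument size in bits 16-29, type byte 'f' in bits 8-15, number 1.
    return (2 << 30) | (struct.calcsize("l") << 16) | (ord("f") << 8) | 1


def get_inode_flags(path: str) -> Optional[int]:
    """Return the inode attribute flags, or None if the file cannot be opened
    or its filesystem does not support attributes (ENOTTY on e.g. tmpfs)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = fcntl.ioctl(fd, _fs_ioc_getflags(), struct.pack("l", 0))
    except OSError:
        return None
    finally:
        os.close(fd)
    # The kernel writes a C int into the buffer; the remaining bytes stay zero.
    return struct.unpack("i", buf[:4])[0]


def is_immutable(path: str) -> bool:
    flags = get_inode_flags(path)
    return flags is not None and bool(flags & FS_IMMUTABLE_FL)


def audit_immutable(paths: List[str]) -> List[str]:
    """Return the paths that should be immutable but are not.  A missing file
    is reported too, since a deleted binary is as bad as a modified one."""
    return [p for p in paths if not is_immutable(p)]


if __name__ == "__main__":
    import sys
    # Assumed list of binaries an administrator might protect with chattr +i.
    WATCH = ["/bin/login", "/bin/su", "/sbin/init", "/usr/sbin/sendmail"]
    bad = audit_immutable(WATCH)
    for p in bad:
        print(f"WARNING: {p} is not immutable")
    sys.exit(1 if bad else 0)
```

Run it as root after setting the attributes to confirm the list is complete, then from cron as an unprivileged user; a non-zero exit means either the attribute was cleared or the file is gone.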

File and filesystem security/encryption

The ability to securely protect files, or even complete filesystems, is very attractive for many people.

For example, salespeople can carry sensitive client information in the field on a laptop with an encrypted filesystem, without the fear of that data becoming public should the laptop be stolen.


The classic file encryption tool is PGP, a public-key encryption tool: the file is encrypted with a random session key, and that session key is encrypted to the recipient's public key, so only the holder of the matching private key can read it. This makes it ideal for securely transferring files or e-mail between people; to protect your own files at rest you simply encrypt them to your own key.

The typical command line for encrypting files is:

        pgp -e [options] file user ... 

Encrypted loop devices

The Linux kernel has had built-in support for encrypted filesystems since the 1.3 kernel series. Using encrypted loop devices, it is straightforward to create encrypted filesystems that are mounted only when required. This is ideal for securely storing sensitive data, such as commercial source code or customer databases.

The losetup tool is used to set up the loop device, with either simple (but fast) XOR encryption or the more secure, but slow, DES encryption. Note that XOR only obscures the data: because the on-disk filesystem structures are largely predictable, anyone who can read the file can recover the key from the known plaintext, so use DES for anything that actually needs protecting. There are eight loopback devices (/dev/loopN, N = 0..7), allowing up to eight different simultaneous encrypted filesystems.

To make a 1M encrypted filesystem, make sure you have loopback device support compiled into your kernel (and loop.o loaded if you have compiled it as a module). losetup prompts for the password and an initialisation value, which you must supply again identically every time the device is set up:

        dd if=/dev/zero of=/secure bs=1k count=1024
        /sbin/losetup -e des /dev/loop0 /secure

        Password: <enter your password here>
        Init (up to 16 hex digits):  <enter a hex initialisation code here>
        mkfs -t ext2 /dev/loop0 1024

Once the filesystem has been created, it can be mounted like any other filesystem. When you are finished, unmount it and then detach the loop device: until losetup -d is run the key remains in the kernel and the decrypted data is still readable through /dev/loop0:

        mount -t ext2 /dev/loop0 /mnt/secure

        umount /dev/loop0
        /sbin/losetup -d /dev/loop0


TCFS is a secure extension to NFS, working in kernel space to give seamless encryption at the file level. This allows you to encrypt a filesystem that contains sensitive data, knowing that if the computer is ever stolen or illegally accessed, the encrypted data is secure.

CFS is another filesystem encryption tool, developed by Matt Blaze in the US (and therefore under export limitations) that encrypts a directory that is mounted with a special key to provide access to the encrypted files in the directory.

Debian and Redhat packages for CFS (and lots of other nice crypto tools) can be obtained outside the USA and Canada from the Replay FTP site in the Netherlands.
