Skip to main content

Fighting Linux Rootkits

Recently having had an unpleasant experience with a rootkit that was installed in /var/tmp, better security measures were clearly needed.

Unfortunately, /tmp and /var/tmp are world-writable by necessity and are the favorite target of rookit users. It would be nice to have some sort of protection on these directories and the easiest way is to mount a filesystem image using the loopback device and mount it with noexec and nosuid options via /etc/fstab.

Create the file system image, change its permissions with chmod 1777 and keep it in /boot; 1,200,000 512-byte blocks should be a good size and not waste too much disk space for small files. If your needs are different, adjust accordingly.

# dd if=/dev/zero of=/boot/tmp.img bs=512 count=1200000

This produces a disk size of roughly 300M.

The filesystem format chosen for this particular task is Reiserfs because it handles large amounts of smaller files very well. We need to use the -f option because the file is not a block special device. If the system normally does not use the reiserfs module (in this case it does), use /usr/sbin/modprobe to load it and then run /usr/sbin /depmod -a. Add reiserfs to /etc/modprobe.preload to make sure Reiserfs support is up and running right away . You could also create a new /boot/init.rd containing reiserfs. Since you may use any Linux filesystem format you chose, the safe choice might be the filesystem format of your root partition, so probably EXT2 (EXT3 without journaling) would be a good choice.

# mkreiserfs -f /boot/tmp.img

or

# mke2fs -f /boot/tmp.img

Then edit /etc/fstab to add the following lines. The same image file will be mounted at two places on the filesystem tree.

/boot/tmp.img /tmp reiserfs loop,notail,noexec,nosuid,rw 0 0
/boot/tmp.img /var/tmp reiserfs loop,notail,noexec,nosuid,rw 0 0

Examine /tmp and /var/tmp for necessary files because mounting tmp.img will make them unavailable, but still on the disk. The files in /tmp are usually created at startup. KDE keeps user cache files in /var/tmp and they will be re-created automatically, but might be fairly large, so either temporarily copy them someplace safe, or delete them since they'll still be there taking up space even though tmp.img is covering them up. The directory /usr/tmp is a symlink to /var/tmp so nothing is needed for that directory. Or you could mount the image, copy the files to it, un-mount it and then just mount the image at and /tmp/var/tmp. So many choices.

If you run into trouble, it's easiest to re-boot the computer so the proper files and symlinks are created in /tmp.

If you have multiple partitions and have little space in / but lots of space in /home, place the tmp.img file there instead to free up disk space. Actually, using one of those older small, <2gb style="font-weight: bold;" face="courier new">nosuid and noexec as /tmp is a good idea as well.

Extending this idea further, you could image entire directories as .iso images and mount them, creating read-only filesystems that cannot be hacked.

If you want to test this for effectiveness, copy a small executable to /tmp and then attempt to execute it. Watch what happens: Permission denied !

Comments

Popular posts from this blog

DOS4GW.EXE Version 2.01a and Alternative DOS Extenders

DOS4GW.EXE The Tenberry DOS extender DOS4GW.EXE was used by many early DOS games. I still enjoy playing many of these games and DOS4GW.EXE is usable with DOSBox , so they can be played on Linux. However, the version of DOS4GW.EXE that was included with the game was whatever was current at the time. The most recent version that includes many bugfixes that possibly affected the games when used with DOSBox have been fixed in the latest version, 2.01a. It's not free at US$49, but you can downloaded it here . Simply substitute it for whatever version of DOS4GW.EXE your game provided and enjoy the bug-fixed goodness. Tenberry also makes a "high-performance" "pro" version of DOS4GW.EXE, but it costs $300. I think that they could sell quite a few of these to hobby users (since, you know, DOS is dead) for US$5. Open Souce to the Rescue There are better performing, free and Open Source alternatives available and worth a look. DPMI Explained Let's unders

Return to Castle Wolfenstein for Modern Linux

Return to Castle Wolfenstein is a first-person shooter originally released on November 19, 2001. The game, like many other classic games, is available at GOG.com and costs only US$5.99. iortcw for Linux Don't bother with old and crusty Linux binaries offered by idsoft; they are problematic and it's painful to use them on a modern Linux. Fortunately for us, there are more modern GPL-licensed Linux binaries available for 32- and 64-bit systems as well as high resolution textures packages. The project at GitHub provides source code that can also be compiled for MS Windows using MinGW. iortcw for Windows and Mac You can download pre-compiled binaries for 32- and 64-bit Linux, MS Windows and Mac from here . Let's put our files in /usr/local/games/rtcw . As root, extract the downloaded .ZIP file for your architecture to  /usr/local/games/rtcw . All we are missing are the game data files. I purchased them from GOG.com. The game installer downloaded from GOG.com can be

Unreal Tournament GOTY/UT99 for Modern Linux

Released on November 16, 1999, Unreal Tournament (also known as UT99) is an arena first-person shooter for Multiplayer on-line competition or you can play against bots off-line. It features several game types, with more details provided at Wikipedia . The game was re-released on February 25, 2000 as Unreal Tournament Game of the Year Edition (GOTY) which included the three bonus packs released previously and additional mods, or game modifiers that had become popular. It is the GOTY version that is available from STEAM or  GOG.com . The GOG version for Windows installs in Linux and plays well using WINE , PlayOnLinux or Codeweaver's Crossover . There is a Linux binary available in two versions, one for the original game and one for the GOTY edition . Also provided at that site is the Official Bonus Pack with a Linux installer. All these Linux installers are created with makeself . There are some issues using such a crusty old Linux binary. Let's see why getting a Lin