Linuxsec3e PPT ch05


CHAPTER 5

Filesystems, Volumes, and Encryption

Copyright © 2024 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Learning Objective(s)
• Explain user account management, configure file permissions and filesystem settings, enforce encryption, and secure Linux services.

Key Concepts
• Filesystem organization and mounting options
• How options for journals, formats, and file sizes affect security
• Encrypting files, directories, partitions, and volumes
• Local and network file and folder permissions
• Filesystem quotas and access control lists (ACLs)

Filesystem Organization

• All data stored as files
• Filesystem specifies how files are stored, marked, and retrieved
• Filesystems may be local or remote
• Linux has a defined structure for some directory names, which includes the expected contents of those directories

The Filesystem Hierarchy Standard (FHS)

• The way files and directories are organized on a Linux system
• Directories may be dedicated to different functions:
  - Boot process
  - User files
  - Logs
  - Command
  - Utilities
• Directories that belong with the root directory: /bin/, /dev/, /etc/, /lib/, and /sbin/
• Some are listed as virtual directories; nothing is stored in the filesystem on disk.
• These directories only have contents if the system is running because the kernel populates the information at boot time.

Important Filesystem Hierarchy Standard Directories (1 of 3)

| DIRECTORY | DESCRIPTION |
|---|---|
| / | Top-level root directory, always mounted separately |
| /bin/ | Basic command-line utilities; should always be a part of / |
| /boot/ | Linux kernel, initial RAM disk, bootloader files; frequently mounted separately |
| /dev/ | Device files for hardware and software; should always be part of / |
| /etc/ | Configuration files; should always be part of / |
| /home/ | Home directories for every regular user; frequently mounted separately |
| /lib/ | Program libraries; should always be part of / |

Important Filesystem Hierarchy Standard Directories (2 of 3)

| DIRECTORY | DESCRIPTION |
|---|---|
| /media/ | Standard mount point for removable media such as CD/DVD drives and universal serial bus (USB) keys; may also be used for other volumes such as a directory formatted to a Microsoft file system |
| /mnt/ | Common legacy mount point for removable media and temporary filesystems |
| /opt/ | Common location for some third-party applications; may be empty and can be mounted separately |
| /proc/ | Virtual directory that contains information about running processes |
| /root/ | The home directory for the root administrative user; should always be part of / |
| /run/ | Runtime data, which would commonly be variable; may include files or other information associated to processes that are executing |

Important Filesystem Hierarchy Standard Directories (3 of 3)

| DIRECTORY | DESCRIPTION |
|---|---|
| /sbin/ | Primarily for administrative commands; should always be part of / |
| /srv/ | Directory commonly used for network services such as those that share using FTP and HTTP; may be helpful to mount separately |
| /sys/ | Has information about devices, drivers, and some kernel information |
| /tmp/ | Common location for temporary files; if the /tmp/ filesystem is full, users cannot log into the GUI |
| /usr/ | Read-only user data, including the executables and other associated files |
| /var/ | Log files, print spools; some distributions use it for network service files; may be helpful to mount separately; is variable data, which means the files may grow or shrink |

Figure: Contents of the /proc Directory

Good Volume Organization Can Help Protect a System (1 of 2)

• Mount point
  - A directory that effectively becomes a shortcut to an external device
• Partition
  - A way to segment a drive
  - Can have multiple partitions on a drive
• Volume
  - A single entity that can be formatted with a filesystem
  - Can be a partition, a portion of a multi-disk storage device like a redundant array of independent disks (RAID) system, a storage area network (SAN), etc.
• Volumes mounted as noexec prevent anything from executing from them

Good Volume Organization Can Help Protect a System (2 of 2)

• Directories safe to use as mount points:
  - /boot/
  - /home/
  - /opt/
  - /srv/
  - /tmp/
  - /var/

Read-Only Mount Points

• Can mount a volume or partition in read-only mode
• Read-only mount points can make it more difficult for malicious users to do real damage to systems
• Three directory candidates for mounting in read-only mode:
  - /boot/, /opt/, and /usr/
• Possible read-only configuration directive for the /boot/ directory in the /etc/fstab configuration file:
    /dev/sda1 /boot ext2 ro,exec,auto,nouser,async 1 2
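
One way to check an fstab for the mount options discussed above, as an added example that is not from the slides: the script reads fstab-format lines on stdin, reports read-only candidates (/boot, /opt, /usr) that lack ro or have no entry of their own, and flags /tmp when it is mounted without noexec. Treating /tmp as the noexec candidate, the function names and the sample fstab are assumptions made here.

```sh
#!/bin/sh
# Added example: audit fstab-format text for ro / noexec hardening.

# Read-only candidates named on the slide.
RO_CANDIDATES="/boot /opt /usr"

# has_opt OPTS OPT: succeed if OPT is one of the comma-separated OPTS.
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# audit_fstab: read fstab lines on stdin, print one finding per line.
# The body runs in a subshell so its variables stay local.
audit_fstab() (
  seen=""
  while read -r dev mnt fstype opts rest; do
    case "$dev" in ''|'#'*) continue ;; esac      # skip blanks and comments
    [ "$mnt" = "/" ] || mnt="${mnt%/}"            # normalise /boot/ to /boot
    seen="$seen $mnt "
    for cand in $RO_CANDIDATES; do
      [ "$mnt" = "$cand" ] || continue
      has_opt "$opts" ro || echo "NOT_READ_ONLY $mnt ($opts)"
    done
    # Assumption: /tmp is the volume we expect to carry noexec.
    if [ "$mnt" = "/tmp" ] && ! has_opt "$opts" noexec; then
      echo "EXEC_ALLOWED $mnt ($opts)"
    fi
  done
  # A candidate with no entry of its own shares the options of its parent
  # filesystem, so it cannot be made read-only independently.
  for cand in $RO_CANDIDATES; do
    case "$seen" in
      *" $cand "*) ;;
      *) echo "NOT_SEPARATE $cand" ;;
    esac
  done
)

# Constructed sample input; the /boot line is the directive from the slide.
sample_fstab() {
  cat <<'EOF'
# constructed sample, not a real system
/dev/sda1  /boot  ext2  ro,exec,auto,nouser,async  1 2
/dev/sda2  /      ext4  defaults                   1 1
/dev/sda3  /opt   ext4  defaults                   1 2
/dev/sda5  /tmp   ext4  defaults,nosuid            1 2
EOF
}

sample_fstab | audit_fstab
```

To audit a live system, feed it the real file: `audit_fstab < /etc/fstab`.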

How Options for Journals, Formats, and File Sizes Affect Security

• Filesystem journals
  - Keep track of transactions that have been applied to the filesystem
  - Enable transactions to be checked against filesystem data to ensure integrity
• Journaled filesystems keep track of changes to be written
• Journaling is supported starting with filesystem ext3
• Not all filesystems that Linux supports are journaled
• A filesystem partition identifier and a filesystem format are not the same thing.
• When fdisk creates a partition, it assumes you’re using the standard Linux partition ID of 83. If you’re setting up a different kind of partition, you’ll need to know different partition types.

Partition Types

• 82: The Linux swap partition is used for partitions dedicated to swap space.
• 83: The Linux partition is used for standard partitions with data.
• 85: The Linux extended partition can contain logical partitions.
• 8e: The Linux LVM partition configures a partition that can be used as a component of a logical volume.
• fd: The Linux RAID auto partition specifies partitions that can be used as components of a RAID array.
• Most Linux partitions with data are of type 83. If you want to format a partition to the ext2, ext3, ext4, reiserfs, or xfs filesystems, you’ll want to configure a partition of type 83.

Figure: Linux Partition Type Identifiers

The Right Format Choice

• ext2: The second extended filesystem does not include journaling. Because the partition associated with the /boot/ directory can be small, it may be well suited to the ext2 filesystem. Writes to that partition are infrequent.
• ext3: The third extended filesystem writes data to a journal before writing it to the actual filesystem. Because the system writes to file twice, performance is slower.
• ext4: The fourth extended filesystem is suited for filesystems with some large files. It includes a defragmentation tool.
• Other major Linux filesystems include variations on journaling: xfs, ZFS, and reiserfs

Available Format Tools

• The mkfs command and variations
  - Commands for formatting and building a Linux filesystem
  - Use to format
    - Linux filesystems
    - Microsoft VFAT and NTFS filesystems
    - Apple Hierarchical Filesystem (HFS)
    - Swap partitions (mkswap command)

Using Encryption

• Encryption tools
  - Kernel space
  - User space
• Encrypted files
  - Passphrase
  - Public/private key pair

Linux File-Encryption Commands

| COMMAND | DESCRIPTION |
|---|---|
| 7z | While 7z is known as a zip utility, meaning it compresses files, it can also encrypt files using AES-256. |
| bcrypt | Uses the Blowfish encryption algorithm, based on a passphrase. |
| ccrypt | Uses the U.S. Advanced Encryption Standard (AES); uses passphrases. |
| gpg | Users may select from different encryption algorithms; may use passphrases or public and private key pairs. |

Figure: Gpg Prompt for Passphrase

Figure: Gpg Prompt for Passphrase (Second Time)

Figure: Encrypted Home Directory

Encrypted Partitions and Volumes

• Red Hat–enabled filesystem encryption during installation
• Uses the Linux unified key setup (LUKS) disk-encryption specification

Encrypting a Partition or Volume

1. Create the partition, logical volume, or RAID array to be encrypted.
2. Fill the device with random data. For example:
    # dd if=/dev/urandom of=/dev/vda1
3. Format the device with the cryptsetup command using the noted LUKS extension:
    # cryptsetup luksFormat /dev/vda1
4. Verify detailed encryption information for the noted device:
    # cryptsetup luksDump /dev/vda1
5. Set up a device name to be used when the volume is decrypted during the boot process:
    # cryptsetup luksOpen /dev/vda1 secret

Local File and Folder Permissions

• Ownership and permissions
  - Make up the standard discretionary access control system
  - File permissions are an elementary part of Linux security
• Everything in Linux is a file
  - Output from the ls -l command provides all needed info
    - A dash (-) indicates a regular file
    - d indicates a directory
    - l indicates a soft-linked file
• These basic file and folder permissions are one method of discretionary access control (DAC)
• Access control lists (ACLs) are a second level of DAC

Basic File Ownership Concepts (1 of 2)

• Every file has two owners: a user and a group.
• If your Linux distribution uses a user private group scheme, every user is a member of a group of the same name.
• Any user can be a member of any group.
• Take a look at this output from the ls -l /var/log/cups/access_log command:
    -rw-r----- 1 root adm 30853 Oct 12 18:55 access_log
• The user owner of this file is root, and the group owner of this file is adm.

Basic File Ownership Concepts (2 of 2)

• File ownership in Linux can be modified with the chown and chgrp commands.
• The chown command changes the identity of the user who owns a file.
• The chgrp command changes the identity of the group that owns a file.
• Example: # chown adelle.users somefile
• For both commands, the -R switch changes ownership recursively.

Basic File-Permission Concepts (1 of 3)

• Standard Linux file permissions can be assigned in three categories:
  - User owner
  - Group owner
  - All other users on the local system
• In short, these categories are known as user, group, and others.
• Each file may be configured with read, write, and execute permissions for the user, the group, and world (also known as every other user on the system).

Basic File-Permission Concepts (2 of 3)

• Examine the output from an ls -l command on a hypothetical directory:
    drwxr-xr-- 1 root project 100387 Mar 10 12:43 project
• The first d confirms this is a directory.
• The nine characters that follow specify the permissions for the user, group, and world or others.
• The first trio of characters is rwx, which specifies that the owner, the root administrative user, has read, write, and execute permissions on the project/ directory.

Basic File-Permission Concepts (3 of 3)

• Examine the output from an ls -l command on a hypothetical directory (cont.):
    drwxr-xr-- 1 root project 100387 Mar 10 12:43 project
• The second trio of characters is r-x, which specifies that the group that owns the directory (the project group) has read and execute permissions on that directory.
• The last trio of characters is r--, which provides read permissions to all other users (world) on that directory.

Changing File Permissions (1 of 2)

• You can use the chmod command to change file permissions.
• The most efficient way to use chmod is based on an octal representation of the permissions of the user owner, group owner, and other users.
• Each type may or may not have read, write, and execute permissions.
• That’s three bits. In a binary system, 2^3 = 8, which is why such permissions can be represented octally.

| PERMISSION | NUMERICAL REPRESENTATION |
|---|---|
| r | 4 |
| w | 2 |
| x | 1 |

Changing File Permissions (2 of 2)

• The user owner of a file can use the chmod command to change permissions on a file.
• To change the permissions for the user, group, and others in a file, you need three numbers.
• For example, look at the following command, where localfile is some arbitrary file in the local directory:
    $ chmod 754 localfile
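
An added example, not from the slides: a shell function that converts the ten-character mode string printed by ls -l into the octal number chmod expects, checked against the listings shown earlier (drwxr-xr-- and -rw-r-----) and against a scratch file set with chmod 754. It goes beyond the slides by also handling the setuid, setgid and sticky bits (s, S, t, T), which show up as a fourth leading digit; the function names are chosen here.

```sh
#!/bin/sh
# Added example: translate an ls -l mode string into chmod's octal form.

# mode_to_octal MODE: e.g. drwxr-xr-- -> 754, -rwsr-xr-x -> 4755.
# The body runs in a subshell so its variables stay local.
mode_to_octal() (
  mode=$1
  [ "${#mode}" -ge 10 ] || { echo "bad mode string: $mode" >&2; exit 2; }
  perms=$(printf '%s' "$mode" | cut -c2-10)   # drop the file-type character
  special=0
  digits=""
  i=0
  # One pass per trio; the loop value is the weight of the special bit that
  # can hide in that trio's execute slot (setuid=4, setgid=2, sticky=1).
  for weight in 4 2 1; do
    trio=$(printf '%s' "$perms" | cut -c$((i * 3 + 1))-$((i * 3 + 3)))
    d=0
    case "$trio" in r??) d=$((d + 4)) ;; esac
    case "$trio" in ?w?) d=$((d + 2)) ;; esac
    case "$trio" in
      ??x)    d=$((d + 1)) ;;
      ??[st]) d=$((d + 1)); special=$((special + weight)) ;;  # special + execute
      ??[ST]) special=$((special + weight)) ;;                # special, no execute
    esac
    digits="$digits$d"
    i=$((i + 1))
  done
  if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
)

# roundtrip_check OCTAL: chmod a scratch file, read the mode back through
# ls -l, and convert it again; the result should equal OCTAL.
roundtrip_check() (
  f=$(mktemp) || exit 1
  chmod "$1" "$f"
  listed=$(ls -ld "$f" | cut -c1-10)
  rm -f "$f"
  mode_to_octal "$listed"
)

mode_to_octal 'drwxr-xr--'   # the project directory from the slides
mode_to_octal '-rw-r-----'   # access_log from the ownership slide
roundtrip_check 754          # the chmod 754 example
```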

Networked File and Folder Permissions

• Services
  - Network File System (NFS)
  - Samba
  - File Transfer Protocol (FTP)

NFS Issues

• NFS prevents some security issues such as root administrative access to files and directories
• Unknown users (and local root administrative user) are redirected to accounts like nobody or nfsnobody
• Different user authentication databases may experience problems due to different user ID (UID) values
• NFS-based ACLs can override standard read, write, and executable permissions for files on shared directories

Samba/CIFS Network Permissions (1 of 2)

• smb.conf
  - The main Samba configuration file
  - Located in the /etc/samba/ directory
  - Split into two sections, “Global Settings” and “Share Definitions”
• Standard share is of user home directories
  - Associated with the [homes] stanza
• Configured options supersede any regular local permissions for the shared files and directories

Samba/CIFS Network Permissions (2 of 2)

• If you’ve set up write access in your Samba configuration file, the following directives apply to the creation of files and directories:
  - create mask value sets up read and write permissions for user owner of new files
  - directory mask value sets up read, write, and execute permissions for user owner of new directories

Samba Directives Related to Shared Directories

| SAMBA DIRECTIVE | DESCRIPTION |
|---|---|
| acl check permissions | Checks ACL-based permissions from a Microsoft client |
| acl group control | Allows users of a group owner to change permissions and ACLs |
| admin users | Lists users with full administrative privileges |
| guest ok | Configures the share so no password is required; synonymous with public |
| hosts allow | Sets hostnames or Internet Protocol (IP) addresses of allowed systems; opposite of hosts deny |
| locking | Supports a lock file to prevent simultaneous access to the same file |
| path | Sets a directory path for the share |
| printer admin | Lists users allowed to administer printers |
| write list | Lists users allowed read-write access to a share |


vsftp Security-Related Service Directives (1 of 2)

| DIRECTIVE | DESCRIPTION |
|---|---|
| anon_upload_enable | Allows uploads by anonymous users; can be set to NO |
| anon_mkdir_write_enable | Allows anonymous users to create directories; can be set to NO |
| chroot_list_file | Sets up a list of users who are limited to their home directories |
| local_umask | Configures permissions for created files and directories |
| pam_service_name | Specifies the pluggable authentication module (PAM) configuration file in the /etc/pam.d/ directory |

vsftp Security-Related Service Directives (2 of 2)

| DIRECTIVE | DESCRIPTION |
|---|---|
| rsa_cert_file | Specifies the RSA certificate file |
| rsa_private_key_file | Specifies the file with the RSA private key |
| secure_chroot_dir | Configures a directory that should not be writable by the ftp user |
| userlist_enable | Configures a list to allow or deny users |
| write_enable | Allows users to write to a server; can also apply to anonymous users |

Configuring and Implementing Quotas on a Filesystem (1 of 2)

• Quotas
  - Limit the resources taken by a user or by a group of users
  - Protect the space available on critical directories
  - Help limit the damage if one of the accounts on your system has been compromised

Configuring and Implementing Quotas on a Filesystem (2 of 2)

• Step 1
  - Configure filesystem to allow quotas in /etc/fstab using the command:
      /dev/sda2 /home ext4 defaults,usrquota,grpquota 1 2
• Step 2
  - Remount the home filesystem using the command:
      mount -o remount /home
• Step 3
  - Initialize the quota database using the command:
      quotacheck -cugm /home

Figure: Editing a User Quota

Figure: Quota Grace Periods

How to Configure and Implement Access Control Lists on a Filesystem

• Access control list (ACL)
  - Allows you to set different permissions for specific users and groups
  - Provides a second level of discretionary access control
• ACL support in Linux is mature
• ACL support available for the standard Linux filesystems and directories shared through NFS

Configure a Filesystem for ACLs

• The process is similar to configuring a filesystem for quotas.
• Two standard ACL commands are getfacl and setfacl.
• To implement ACL permanently, configure it on appropriate filesystems in the /etc/fstab configuration file.
• Filesystems requiring custom access are good candidates for ACLs.
• The /home/ directory is a prime candidate for customization.

ACL Commands

• u:user:permissions filename
  - Sets ACL permissions for the specified user, by username or UID number
• g:group:permissions filename
  - Sets ACL permissions for the specified group, by group name or GID number
• m:permissions filename
  - Sets the standard effective rights mask for ACL permissions for users and groups
• o:permissions filename
  - Sets ACL permissions for users who are not members of the group that owns the file
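
How the m: (mask) entry limits the other entries, as an added example that is not from the slides: the script reads getfacl-style text on stdin and prints the effective rights of each entry. The mask caps named users, the owning group and named groups, while the file owner and other entries are unaffected. The sample ACL (user adelle, groups project and audit) and the function names are constructed here.

```sh
#!/bin/sh
# Added example: compute effective ACL rights from getfacl-format text.

# and_perms A B: per-character intersection of two rwx strings.
and_perms() (
  out=""
  for i in 1 2 3; do
    a=$(printf '%s' "$1" | cut -c"$i")
    b=$(printf '%s' "$2" | cut -c"$i")
    if [ "$a" != "-" ] && [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
  done
  echo "$out"
)

# effective_acl: read getfacl output on stdin, print "entry effective:rights".
effective_acl() (
  acl=$(grep -v '^#' | grep -v '^$')          # drop header comments and blanks
  mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
  printf '%s\n' "$acl" | while IFS=: read -r tag name perms; do
    perms=$(printf '%s' "$perms" | cut -c1-3) # ignore any "#effective:" note
    case "$tag:$name" in
      default:*) continue ;;                  # inherited defaults, not access rights
      mask:*)    continue ;;
      user:|other:)
        eff=$perms ;;                         # owner and other: mask never applies
      *)
        # Named users, owning group, named groups: capped by the mask.
        if [ -n "$mask" ]; then eff=$(and_perms "$perms" "$mask"); else eff=$perms; fi ;;
    esac
    echo "$tag:$name:$perms effective:$eff"
  done
)

# Constructed sample in getfacl format: adelle and audit were granted write
# access, but the mask (m:r--) reduces every capped entry to read-only.
sample_acl() {
  cat <<'EOF'
# file: project
# owner: root
# group: project
user::rwx
user:adelle:rwx
group::r-x
group:audit:rw-
mask::r--
other::r--
EOF
}

sample_acl | effective_acl
```

On a live file the same check is `getfacl somefile | effective_acl`; an entry whose effective rights differ from its granted rights is being limited by the mask.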

Best Practices: Filesystems, Volumes, and Encryption (1 of 3)

• Understanding FHS is key to understanding which directories can be mounted and those that should be mounted on different filesystems.
• The right filesystem format helps protect in case of compromise by a malicious user.
• Journaling filesystems can speed recovery in case of problems.
• Encrypt individual files, directories, and entire filesystems.

Best Practices: Filesystems, Volumes, and Encryption (2 of 3)

• Local file and folder permissions provide one level of discretionary access control.
• File and folder permissions differ when shared over a network.
• Quotas can limit damage in case of data exposure.
• Quotas can limit the amount of space or number of inodes taken by a user or group.

Best Practices: Filesystems, Volumes, and Encryption (3 of 3)

• Users and groups can be reviewed with regular quota reports.
• With ACLs, you can implement discretionary access controls to another level.
• Depending on configuration, ACL rules can be configured for specific users and access limited to key files and directories.

Summary

• Filesystem organization and mounting options
• How options for journals, formats, and file sizes affect security
• Encrypting files, directories, partitions, and volumes
• Local and network file and folder permissions
• Filesystem quotas and access control lists (ACLs)
