\n<\/p>\n
Linux servers are a popular choice for hosting applications and services due to their stability, flexibility, and open-source nature. However, with great flexibility comes responsibility. As an administrator, you need to ensure that your systems are secure from potential security breaches and unauthorized access. One of the critical areas where permissions can be tightened is in the <\/p>\n <\/p>\n The <\/p>\n While <\/p>\n <\/p>\n Data Exposure<\/strong>: \n<\/li>\n <\/p>\n Malicious Changes<\/strong>: Non-root users should not have the ability to modify kernel settings that could affect the stability and security of the entire system.<\/p>\n \n<\/li>\n <\/p>\n \n<\/ol>\n <\/p>\n <\/p>\n <\/p>\n Before implementing any changes, it’s essential to review the current permissions on the <\/p>\n <\/p>\n You will typically see it has <\/p>\n <\/p>\n Identify which parts of <\/p>\n <\/p>\n <\/p>\n \n<\/ul>\n <\/p>\n Focusing on these areas will allow you to apply granular permission changes.<\/p>\n <\/p>\n <\/p>\n Create a specific user group that will have limited access to <\/p>\n <\/p>\n Add users who require limited access to manage their permissions without giving them full root capabilities.<\/p>\n <\/p>\n <\/p>\n <\/p>\n Using Linux permissions allows you to change who can read and write to specific directories. However, it’s crucial to approach this cautiously:<\/p>\n <\/p>\n Use ACLs (Access Control Lists)<\/strong>: Instead of changing the ownership of directories or files, consider using ACLs.<\/p>\n <\/p>\n Install <\/p>\n <\/p>\n Then, set permissions for the <\/p>\n <\/p>\n This command will restrict the group \n<\/li>\n <\/p>\n Restrict Writes<\/strong>: In general, restrict write access more strictly. You might set default permissions that are read-only for non-root users:<\/p>\n <\/p>\n \n<\/li>\n \n<\/ol>\n <\/p>\n <\/p>\n Once you’ve made changes, continuously monitor access to <\/p>\n <\/p>\n Configure it to track access to <\/p>\n <\/p>\n This will log all read, write, execute, and attribute changes to the <\/p>\n <\/p>\n The final step in securing your Linux server involves periodic reviews. Conduct regular audits to check for unauthorized changes in permissions and ensure that the intended access restrictions remain in place. If necessary, perform penetration testing to identify any potential vulnerabilities that could be exploited by non-root users.<\/p>\n <\/p>\n <\/p>\n Securing your Linux server by limiting access to sensitive areas like <\/p>\n Remember that maintaining security is an ongoing process. Regularly update your security protocols and stay informed about potential vulnerabilities in the Linux ecosystem. By taking these proactive steps, you can help protect your Linux server and its valuable data from malicious attackers.<\/p>\n <\/p>\n For more articles and tips on securing your Linux server, stay connected with WafaTech Blog!<\/p>\n\n","protected":false},"excerpt":{"rendered":" Linux servers are a popular choice for hosting applications and services due to their stability, flexibility, and open-source nature. However, with great flexibility comes responsibility. As an administrator, you need to ensure that your systems are secure from potential security breaches and unauthorized access. One of the critical areas where permissions can be tightened is […]<\/p>\n","protected":false},"author":2,"featured_media":1776,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[22],"tags":[273,1126,265,1132,264,266,1131,871],"class_list":["post-1775","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-security","tag-access","tag-limiting","tag-linux","tag-nonroot","tag-securing","tag-server","tag-sys","tag-users","et-has-post-format-content","et_post_format-et-post-format-standard"],"yoast_head":"\n\/sys<\/code> filesystem, which exposes a wealth of kernel and device information. In this article, we will explore practical techniques to limit access to \/sys<\/code> for non-root users, enhancing the overall security of your Linux server.<\/p>\nUnderstanding the \/sys Filesystem<\/h2>\n
\/sys<\/code> filesystem is a virtual filesystem in Linux that provides a view into the kernel’s view of the system. It is part of the sysfs interface and exposes various kernel parameters, device drivers, and hardware configurations in a hierarchical structure.<\/p>\n\/sys<\/code> is useful for debugging and monitoring, it can also be a target for malicious users who may want to gain insights into the system’s inner workings. Limiting access to \/sys<\/code> can help shield sensitive information and restrict user actions that could harm the system.<\/p>\nWhy Limit Non-Root Access?<\/h2>\n
<\/p>\n
\/sys<\/code> contains information about hardware configurations, processor details, and system parameters that could be useful for an attacker.<\/p>\n\/sys<\/code>.<\/li>\nSteps to Limit \/sys Access for Non-Root Users<\/h2>\n
Step 1: Review Current Permissions<\/h3>\n
\/sys<\/code> filesystem.<\/p>\nls -ld \/sys<\/code><\/pre>\ndr-xr-xr-x<\/code> permissions for users, meaning that anyone can read but cannot write to the files. It\u2019s important to understand this baseline before making adjustments.<\/p>\nStep 2: Identify Sensitive Areas<\/h3>\n
\/sys<\/code> are particularly sensitive. Here are a few examples:<\/p>\n<\/p>\n
\/sys\/class<\/code>: Exposes device information.<\/li>\n\/sys\/kernel<\/code>: Contains kernel parameters.<\/li>\n\/sys\/module<\/code>: Exposes loaded kernel modules.<\/li>\nStep 3: Create User Groups<\/h3>\n
\/sys<\/code>. For example, you might create a group named sysusers<\/code>.<\/p>\nsudo groupadd sysusers<\/code><\/pre>\nsudo usermod -aG sysusers username<\/code><\/pre>\nStep 4: Modify Permissions with Caution<\/h3>\n
<\/p>\n
acl<\/code> if it\u2019s not available:<\/p>\nsudo apt install acl<\/code><\/pre>\nsysusers<\/code> group:<\/p>\nsudo setfacl -m g:sysusers:rx \/sys\/class<\/code><\/pre>\nsysusers<\/code> to read and execute permissions on the \/sys\/class<\/code> directory.<\/p>\nsudo chmod o-w \/sys<\/code><\/pre>\nStep 5: Monitor Access<\/h3>\n
\/sys<\/code> using tools such as auditd<\/code>. Install auditd<\/code> if it\u2019s not already set up:<\/p>\nsudo apt install auditd<\/code><\/pre>\n\/sys<\/code>:<\/p>\nsudo auditctl -w \/sys -p rwxa<\/code><\/pre>\n\/sys<\/code> filesystem.<\/p>\nStep 6: Regular Reviews and Penetration Testing<\/h3>\n
Conclusion<\/h2>\n
\/sys<\/code> is a crucial aspect of maintaining a robust security posture. By reviewing current permissions, creating user groups, modifying access controls, and implementing monitoring, you can significantly reduce the risk posed by unauthorized access.<\/p>\n