
Use the find utility to scan for writable directories

It's good to have a policy for what permissions should and should not be allowed for users of a system within your area of responsibility. It's even better to be absolutely sure the policy is being executed properly.

If you understand basic Unix file permissions and resolve to ensure that users will not have read and (especially) write permissions for any directories and files for which they do not need them, you have taken only the first step toward secure filesystem permissions management. What exactly you need to do after that will vary from case to case, but if you are the sysadmin for multi-user systems, managing default Unix file permissions with adduser and umask might be exactly what you need.

As early as possible, and regularly afterward, you should audit filesystem permissions. It is better to be safe than sorry, and permission audits deserve the same regular schedule as any other filesystem audit you perform. A good place to start is to check your system for directories with group or world write permissions. Some directories should definitely have group write permissions on most Unix systems; on a well-secured Unix system, a directory that should be world writable, so that any user account can write to it, is far less common.

Luckily, it is pretty easy to scan a system for directories that have group or world write permissions on BSD Unix and Linux-based systems, if you use the tools you have at your fingertips on a default install. To get verbose output for an audit of directory group and world write permissions across the entire system, the following command works well:

# find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Certain characters need to be escaped with backslashes so that they will not be interpreted directly by the shell. The above command must be run as root to ensure a read of the complete system. If you want to run it on only part of the filesystem, replace the / used to denote the system root directory with the path to whatever part of the filesystem you wish to check, and if the contents of that directory are fully accessible to a user account with less extensive permissions than the root account, that unprivileged account can be used to run the command instead.

The -type d part of the command ensures that the find utility ignores non-directory files on the system.

The key to the command is the part between parentheses:

-perm -g+w -or -perm -o+w

The -perm -g+w checks each file for group write permission. Replace -g+w with -o+w, and it checks for "other" (or "world") write permission instead. Thus, tying these two expressions together with a "logical or" operator -- -or in this case -- ensures that the find command will hunt down every file on the system that has either group or world write permissions. The -g+w and -o+w correspond to the symbolic permission syntax used by the chmod utility, and more can be read about that syntax in the chmod manpage.

The -exec option with the {} token attached, as explained in the find manpage, allows another command to be executed for each file find iterates over. In this case, the ls -adl command is applied to each of the group and world writable directories found by the find command. The -exec option's command must be terminated by a semicolon, or it will fail with a message like the following:

find: -exec: no terminating ";" or "+"

Of course, figuring out various ways this example find command can be altered to suit specific purposes, and determining which directories should be group or world writable, are tasks left as an exercise for the reader. The find manpage is full of information that can help you sort it out.
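One way to build on the command above, as an added example that is not part of the original article: a small POSIX shell audit that lists group- and world-writable directories under a given root and tags each hit, separating world-writable directories that carry the sticky bit from those that do not, and flagging directories that are world-writable on paper but sit below an ancestor without "other" search permission (the caveat raised in the comments below). It assumes POSIX find, sed and dirname, and paths that contain no newlines.

```shell
#!/bin/sh
# Added example (not from the article): audit a subtree for group- and
# world-writable directories and tag each hit by how much attention it needs.
# Assumes POSIX find/sed/dirname and paths without newlines.

# Print 1 if every directory from $1 up to and including $2 grants "other"
# search (x) permission, else 0. A world-writable directory below an ancestor
# without o+x cannot be reached by an unprivileged user, so its write bit is
# not usable in practice. Pass / as $2 to walk the whole chain.
world_reachable() {
    dir=$1
    stop=$2
    while :; do
        # -prune keeps find on this one path; -perm -o+x tests the "other" x bit
        if [ -z "$(find "$dir" -prune -perm -o+x -print)" ]; then
            echo 0
            return
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            echo 1
            return
        fi
        dir=$(dirname "$dir")
    done
}

# For each group- or world-writable directory under $1, print one line:
#   GROUP <path>              group-writable only: confirm who is in that group
#   WORLD_STICKY <path>       world-writable with sticky bit (/tmp style)
#   WORLD <path>              world-writable, no sticky bit, reachable: review first
#   WORLD_UNREACHABLE <path>  world-writable but an ancestor blocks "other" access
audit_writable_dirs() {
    root=$1
    find "$root" -type d -perm -g+w ! -perm -o+w -print | sed 's/^/GROUP /'
    find "$root" -type d -perm -o+w -print | while IFS= read -r d; do
        # -perm -1000: sticky bit set (octal, like the classic -perm -4000 SUID check)
        if [ -n "$(find "$d" -prune -perm -1000 -print)" ]; then
            echo "WORLD_STICKY $d"
        elif [ "$(world_reachable "$d" "$root")" = 1 ]; then
            echo "WORLD $d"
        else
            echo "WORLD_UNREACHABLE $d"
        fi
    done
}

# Run as root against / for a full-system audit; an unprivileged account only
# sees what it is allowed to read.
[ "$#" -eq 1 ] && audit_writable_dirs "$1"
```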

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

8 comments
mikifinaz1

In the Winx world scripts can be developed to string together several commands to make a tool. If you were going to do this in the UNIX / LINUX world, what would you do? For instance, I have a script that scans all the files and folders on a system, lists a specific type of extension file, compares the names and dates, then deletes the older version. I use it to get rid of junk. So, starting from the beginning, why would you want to use these tools? What is the reason, the issue you are trying to address? What are the component commands and why did you select them over other possibilities? At what point do you pipe input and output or adjust the switches/input to search for or change various permissions? Starting from an overview of scenarios, what tools have you made to do what tasks? Then how do you build them, step by step, to get the job done?

Neon Samurai

# find / -type d ( -perm -g+w -or -perm -o+w ) -exec ls -adl {} \;

should be

# find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

The first will return a "bash: unexpected (" without the missing backslash characters. It tripped me up for a minute so I thought I'd share. Find is a utility I really need to look at more. Another trick is to combine Find and Grep:

find /home/user | grep "filenamebit"

This basically replicates Locate but can be handy.

apotheon

In the Winx world scripts can be developed to string together several commands to make a tool. If you were going to do this in the UNIX / LINUX world, what would you do?

How exactly do you mean that? Are you talking about a batch file? Are you talking about using pipes and redirects at the command line? Either approach works fine, though the "batch file" in the Unix world would be called a "shell script". As for using pipes and redirects -- well, MS DOS/Windows originally got that stuff from Unix, and didn't fully implement the sort of capabilities we have in the Unix world.

So, starting from the beginning, why would you want to use these tools? What is the reason, the issue you are trying to address? What are the component commands and why did you select them over other possibilities? At what point do you pipe input and output or adjust the switches/input to search for or change various permissions? Starting from an overview of scenarios, what tools have you made to do what tasks? Then how do you build them, step by step, to get the job done?

Um. What? It seems like you're asking me to write an entire book about the reasons for writing scripts, how to write them, when to write them, what tools to use, and what development process is "best" (or perhaps explain several development processes and let you pick one). Can you see how this sounds like it should be a 600 page O'Reilly book rather than a TR article or discussion forum post?

apotheon

1. I didn't notice there were comments here until today. Sorry 'bout that. 2. I had the backslashes in my article. They must have been stripped out by the WordPress visual text editor when TR's editor looked at it and published it. Sorry 'bout that, too.

mikel.king

Good catch Neon. I tried the original in both bash and tcsh and your escaped parens did the trick. Still a very nice article overall; we tend to forget about these built-in UNIX tools over time. m!

mike.cannady

Your code ignores the possibility of a directory appearing to be world-writable but isn't. You would have to check the permissions of each parent directory node to see if you have x (cd) rights. If you don't, you can't get into the directory to do the writing.

Neon Samurai

I didn't realize that there had been a second or more posts to the discussion until now, and WordPress chewing the given text string is pretty understandable given the number of "?" apostrophes and such that turn up in comments. I was just looking to save someone else a few seconds of confusion when trying it at home.

Neon Samurai

Good to know. I'm relearning find myself so my only intent was to include the two missing escape "\" chars since the given command returned an error when I tried it.
