Use the find utility to scan for writable directories

It's good to have a policy for what permissions should and should not be allowed for users of a system within your area of responsibility. It's even better to be absolutely sure the policy is being executed properly.

If you understand basic Unix file permissions and resolve to ensure that users will not have read and (especially) write permissions for any directories and files for which they do not need them, you have taken only the first step toward secure filesystem permissions management. What exactly you need to do after that will vary from case to case, but if you are the sysadmin for multi-user systems, managing default Unix file permissions with adduser and umask might be exactly what you need.

Audit filesystem permissions as early as possible, and regularly afterward. It is better to be safe than sorry, and permission audits deserve the same regular schedule as any other filesystem audit. A good place to start is to check your system for directories with group or world write permissions. Some directories should definitely have group write permissions on most Unix systems; a directory that should have world write permissions, so that any user account can write to it, is far less likely on a well-secured Unix system.

Luckily, it is pretty easy to scan a system for directories that have group or world write permissions on BSD Unix and Linux-based systems, if you use the tools you have at your fingertips on a default install. To get verbose output for an audit of directory group and world write permissions across the entire system, the following command works well:

# find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

The parentheses and the semicolon are escaped with backslashes so that the shell passes them to find instead of interpreting them itself. The above command must be run as root to ensure that the complete system is read. To run it on only part of the filesystem, replace the / that denotes the system root directory with the path to the part of the filesystem you wish to check; if the contents of that directory are fully accessible to a user account with less extensive permissions than the root account, that unprivileged account can be used to run the command instead.

The -type d part of the command ensures that the find utility ignores non-directory files on the system.

The key to the command is the part between parentheses:

-perm -g+w -or -perm -o+w

The -perm -g+w test checks each file for group write permission. Replace -g+w with -o+w, and it checks for "other" (or "world") write permission instead. Tying these two expressions together with a "logical or" operator -- -or in this case -- ensures that the find command will hunt down every file on the system that has either group or world write permission. The -g+w and -o+w forms follow the symbolic permission syntax used by the chmod utility; the chmod manpage describes that syntax in full.

The -exec option, with the {} token standing in for the current file, as explained in the find manpage, runs another command for each file find iterates over. In this case, ls -adl is applied to each of the group and world writable directories found by the find command. The -exec option's command must be terminated by a semicolon (escaped from the shell) or a plus sign, or find will fail with a message like the following:

find: -exec: no terminating ";" or "+"

Of course, figuring out various ways this example find command can be altered to suit specific purposes, and determining which directories should be group or world writable, are tasks left as an exercise for the reader. The find manpage is full of information that can help you sort it out.
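One way to build on the command above, as an added example that is not part of the original article: a small POSIX sh script that runs the same audit, classifies each hit as group-writable, world-writable with the sticky bit (the restricted-deletion flag that /tmp carries, which is the expected shape of a world-writable directory), or world-writable without it, and exercises itself on a constructed sample tree. The function names, the -xdev option and the awk classification are my additions; the script assumes find, ls, awk and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the article): audit a tree for group- and
# world-writable directories and classify each hit. World-writable
# directories carrying the sticky bit (mode "t", like /tmp) are the
# expected kind; the ones without it are usually worth a closer look.

# make_sample_tree: builds a constructed directory tree so the audit can be
# demonstrated offline. Prints the tree's root path.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir "$tmp/shared" "$tmp/scratch" "$tmp/dropbox" "$tmp/private"
    chmod 775 "$tmp/shared"    # group-writable: a typical team directory
    chmod 1777 "$tmp/scratch"  # world-writable plus sticky bit, as /tmp is
    chmod 777 "$tmp/dropbox"   # world-writable, no sticky bit: the finding
    chmod 755 "$tmp/private"   # neither group- nor world-writable: no hit
    printf '%s\n' "$tmp"
}

# audit_writable_dirs ROOT: prints one line per writable directory,
#   <class> <ls -ld line>
# where class is GROUP_W, WORLD_W_STICKY or WORLD_W_OPEN. A directory that
# is both group- and world-writable is reported under its world-writable class.
audit_writable_dirs() {
    root=$1
    # -xdev keeps the walk on ROOT's filesystem, so a scan of / does not
    # descend into /proc, /sys or network mounts. -o is the POSIX spelling
    # of the article's -or; "{} +" batches paths into fewer ls invocations.
    find "$root" -xdev -type d \( -perm -g+w -o -perm -o+w \) \
        -exec ls -ld {} + |
    awk '{
        m = $1                       # mode string, e.g. drwxrwxrwt
        ow = substr(m, 9, 1)         # other (world) write bit
        st = substr(m, 10, 1)        # other execute slot: t/T when sticky
        if (ow == "w")
            class = (st == "t" || st == "T") ? "WORLD_W_STICKY" : "WORLD_W_OPEN"
        else
            class = "GROUP_W"        # find already guaranteed g+w or o+w
        print class, $0
    }'
}

# Stand-alone demonstration on the constructed tree.
sample=$(make_sample_tree)
audit_writable_dirs "$sample"
rm -rf "$sample"
```

Point audit_writable_dirs at / (as root) for the full-system audit the article describes; the GROUP_W lines are the ones to compare against your policy, and any WORLD_W_OPEN line needs a reason to exist.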