Softpanorama
Group- and world-writable files and directories, particularly on system file partitions, can be a security hole if a cracker gains access to your system and modifies them. World-writable directories are especially dangerous, since they allow a cracker to add or delete files in them at will. In the normal course of operation several files will be writable, including some under /dev and /var/catman, and all symbolic links on your system. To locate all group- and world-writable files on your system, use the command:
# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;

and for directories:

# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
General filesystem security rules are very simple and can be formulated as follows:
No world-writable dot files.
No world-writable files on UFS filesystems.
Proper mounting attributes.
No abandoned files owned by a nonexistent user or group ("nouser/nogroup").
In our environment we blindly reset such bits using a script that runs from cron (or, more correctly, "should reset"), but in yours such an approach might lead to undesirable effects.
So the following is probably a smoother way to proceed:
1. Find all files that have such attributes, excluding those in /tmp, /proc and other pseudo-filesystems (like /var/run in Solaris; I am not a big AIX specialist: I work mostly with Solaris). For example:
I have a Perl script to do this, but for ksh the simplest way to do it would probably be via pipes:
1. Create the new list using find
2. Concatenate it with the old list
3. Sort it
4. Run uniq with the count option (-c)
5. Select those records that have prefix 1
Something like:
find . -perm -o=w -type f -xdev > /root/new.lst
# entries with count 1 are present in only one of the two lists (new or deleted files);
# entries with count 2 are unchanged and are dropped
cat /root/old.lst /root/new.lst | sort | uniq -c | grep -v ' 2 ' \
   | tee /root/delta_worldwritable_files`/usr/bin/date +%Y%m%d` \
   | mail -s "New worldwritable files at $HOSTNAME" bezroun@basf-corp.com
mv /root/old.lst /root/status`/usr/bin/date +%Y%m%d`
cp /root/new.lst /root/old.lst
It probably would be better to use diff instead of this trick with sort | uniq.
The find step itself, restricted to the UFS filesystems listed in /etc/vfstab (field 3 is the mount point, field 4 the filesystem type), can be written as a loop:
for part in `awk '($4 == "ufs") {print $3 }' /etc/vfstab`
do
   find $part -perm -o=w -type f -xdev -exec ls -l {} ';'
done
2. Compare the findings with the previous status for the server (for example using diff) and create Tivoli alerts for any new files found.
3. [Optional] Reset permissions on all world-writable dot files, suid/sgid files and files located in the root directory (I am trying to enforce moving the root account to the /root directory on our servers, but we are not there yet) as well as in the /opt and /usr subtrees (you can modify these recommendations based on your understanding of the environment).
Again, feel free to modify this specification based on your knowledge of the environment and exclude those areas of the filesystem where resetting world-writable bits is unrealistic or harmful.
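The procedure above (scan, compare against the previous status, rotate the lists), as an added shell example that is not the page's own script: it uses comm on sorted lists instead of the sort | uniq trick, spells the other-write test as the portable -perm -002, and keeps its state in a directory whose path is an assumption; the test files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page). The state directory and the
# scan roots are passed as arguments; nothing here is tied to a real host.

# List world-writable regular files under the given directories, staying on
# the same filesystem (-xdev) so /proc, tmpfs and NFS mounts are skipped.
# -perm -002 is the portable spelling of "other write bit set".
list_world_writable() {
    find "$@" -xdev -type f -perm -002 2>/dev/null | sort
}

# Entries present in the new list but absent from the old one.
# Both inputs must be sorted; comm -13 suppresses lines only in old (1)
# and lines common to both (3), leaving only the additions.
new_entries() {
    comm -13 "$1" "$2"
}

# Entries that disappeared since the previous run (useful for audit).
removed_entries() {
    comm -23 "$1" "$2"
}

# One scan cycle: build the new list, print the additions against the old
# list, then rotate the lists like the page does. Returns 1 when something
# new was found, so a cron wrapper or monitoring agent can alert on the rc.
scan_cycle() {
    statedir=$1; shift
    list_world_writable "$@" > "$statedir/new.lst"
    [ -f "$statedir/old.lst" ] || : > "$statedir/old.lst"
    delta=$(new_entries "$statedir/old.lst" "$statedir/new.lst")
    cp "$statedir/old.lst" "$statedir/status.$(date +%Y%m%d)"
    mv "$statedir/new.lst" "$statedir/old.lst"
    [ -z "$delta" ] && return 0
    printf '%s\n' "$delta"
    return 1
}
```

Run as `scan_cycle /var/lib/wwscan / /usr /opt` from cron and mail or forward the output only when the return code is non-zero.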
Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time.
Created: May 16, 1997; Last modified: February 19, 2009