Tuesday, January 5, 2010

Use the find utility to scan for writable directories | IT Security | TechRepublic.com

It’s good to have a policy for what permissions should and should not be allowed for users of a system within your area of responsibility. It’s even better to be absolutely sure the policy is being executed properly.


If you understand basic Unix file permissions and resolve to ensure that users will not have read and (especially) write permissions for any directories and files for which they do not need them, only the first step toward secure filesystem permissions management has been taken. What exactly you need to do after that will vary from case to case, but if you are the sysadmin for multi-user systems, managing default Unix file permissions with adduser and umask might be exactly what you need.

As early as possible though, and regularly afterward, you should audit filesystem permissions. It is better to be safe than sorry: just as it is important to perform regular filesystem audits, it is important to audit filesystem permissions. A good place to start is to check your system for directories with group or world write permissions. Some directories should definitely have group write permissions on most Unix systems; far less likely, on a well-secured Unix system, is a directory that should have world write permissions, so that any user account can write to it.

Luckily, it is pretty easy to scan a system for directories that have group or world write permissions on BSD Unix and Linux-based systems, if you use the tools you have at your fingertips on a default install. To get verbose output for an audit of directory group and world write permissions across the entire system, the following command works well:

# find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Certain characters need to be escaped with backslashes so that they will not be interpreted directly by the shell. The above command must be run as root to ensure a read of the complete system. If you want to run it on only part of the filesystem, replace the / used to denote the system root directory with the path to whatever part of the filesystem you wish to check, and if the contents of that directory are fully accessible to a user account with less extensive permissions than the root account, that unprivileged account can be used to run the command instead.
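
The scan above turned into a triage script, as an added example that is not part of the original article. It goes beyond the article's command by splitting the hits into world-writable directories without the sticky bit, world-writable directories with it (as on /tmp), and directories that are group-writable only. The -xdev option, the output labels and the sample directory names are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify writable directories in one find pass.

# Build a small, constructed directory tree to audit (sample data only).
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/dropbox" "$d/tmp" "$d/shared" "$d/private"
    chmod 0777 "$d/dropbox"   # world-writable, no sticky bit
    chmod 1777 "$d/tmp"       # world-writable, sticky bit set
    chmod 0775 "$d/shared"    # group-writable only
    chmod 0755 "$d/private"   # not group- or world-writable
    printf '%s\n' "$d"
}

# Print one labelled line per writable directory under $1 (default /).
# The first branch whose tests match prints the line; the -o operators
# stop later branches from reporting the same directory again.
# -xdev (an addition here) keeps find on one filesystem, e.g. out of /proc.
audit_writable_dirs() {
    root=${1:-/}
    find "$root" -xdev -type d \( \
        \( -perm -o+w ! -perm -1000 \
           -exec printf 'WORLD-NOSTICKY %s\n' {} \; \) -o \
        \( -perm -o+w \
           -exec printf 'world+sticky %s\n' {} \; \) -o \
        \( -perm -g+w \
           -exec printf 'group %s\n' {} \; \) \
    \)
}

# Demonstration on the constructed tree; replace with a real path to audit.
sample=$(build_sample_tree)
audit_writable_dirs "$sample"
rm -rf "$sample"
```

The WORLD-NOSTICKY lines deserve attention first: without the sticky bit, any account can delete or rename other users' files in that directory.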

Read more...
http://blogs.techrepublic.com.com/security/?p=2890&tag=nl.e101