Recipe 9.11 Finding Writable Files

9.11.1 Problem

You want to locate world-writable files and directories on your machine.

9.11.2 Solution

To find world-writable files:

    $ find /dir -xdev -perm /o=w ! \( -type d -perm /o=t \) ! -type l -print

To disable world write access to a file:

    $ chmod o-w file

To find and interactively fix world-writable files:

    $ find /dir -xdev -perm /o=w ! \( -type d -perm /o=t \) ! -type l -ok chmod -v o-w {} \;

To prevent newly created files from being world-writable:

    $ umask 002

Current GNU find writes the "any of these bits" test as -perm /mode; the older -perm +mode spelling is no longer supported.

Be aware of the important options and limitations of find, so you don't inadvertently overlook important files. [Recipe 9.8]

9.11.3 Discussion

Think your system is free of world-writable files? Check anyway: you might be surprised. For example, files extracted from Windows Zip archives are notorious for having insecure or screwed-up permissions.

Our recipe skips directories that have the sticky bit set (e.g., /tmp). Such directories are often world-writable, but this is safe because of restrictions on removing and renaming files. [Recipe 7.2]

We also skip symbolic links, since their permission bits are ignored (and are usually all set). Only the permissions of the targets of symbolic links are relevant for access control.

The chmod command can disable world-write access. Combine it with find -ok and you can interactively detect and repair world-writable files.

You can avoid creating world-writable files by setting a bit in your umask. You can also set other bits for further restrictions. [Recipe 7.1] Note, however, that programs like unzip are free to override the umask, so you still need to check.

9.11.4 See Also

find(1), chmod(1). See your shell documentation for information on umask: bash(1), tcsh(1), etc.
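The exclusions from the Discussion can be checked on a throwaway tree. The script below is an added example, not part of the original recipe: the function names and the constructed test tree are assumptions made for illustration, and it uses the POSIX octal form -perm -0002 / -perm -1000, which for a single bit selects the same files as the symbolic tests in the Solution.

```shell
#!/bin/sh
# Added example: audit a tree for world-writable entries with the same
# exclusions as the recipe (sticky directories and symbolic links).

# audit_world_writable DIR -> one offending path per line, sorted.
# -perm -0002: "other write" bit set; -perm -1000: sticky bit set.
audit_world_writable() {
    find "$1" -xdev -perm -0002 \
        ! \( -type d -perm -1000 \) ! -type l -print | sort
}

# fix_world_writable DIR -> non-interactive form of the -ok chmod step.
fix_world_writable() {
    find "$1" -xdev -perm -0002 \
        ! \( -type d -perm -1000 \) ! -type l -exec chmod o-w {} +
}

# build_demo_tree -> creates a constructed test tree and prints its path.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" && umask 022 &&
        mkdir safe_dir open_dir sticky_dir &&
        : > safe_file && : > loose_file && : > open_dir/inner &&
        chmod 0666 loose_file &&      # world-writable file: reported
        chmod 0777 open_dir &&        # world-writable, no sticky bit: reported
        chmod 1777 sticky_dir &&      # like /tmp: skipped
        ln -s safe_file link_to_safe && # symlink: skipped
        ( umask 002 && : > made_with_umask_002 ) # created 0664: not reported
    ) || return 1
    printf '%s\n' "$d"
}

# Demo on the constructed tree: only ./loose_file and ./open_dir are listed.
demo=$(build_demo_tree) && (cd "$demo" && audit_world_writable .)
rm -rf "$demo"
```

Run audit_world_writable against a real directory before using fix_world_writable, since the latter changes modes without prompting.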