Permissions safety check in linux?

StackOverflow https://stackoverflow.com/questions/15898194

  •  02-04-2022
  •  | 
  •  

Question

What is the quickest way to check the permissions of several folders and files in /home to see if any accounts have permissions set to an unsafe value?

What would be considered unsafe?

  • files that have access levels that could potentially be written to from the public
  • read access to .htaccess, .svn, etc files
  • any files that may otherwise compromise the safety of the web server

EDIT

I think this is a two-part question. I've mentioned what I think is unsafe above, but perhaps it should also be asked: what else could make a site unsafe on a permissions level? What are the risk and how do you check for them?

Was it helpful?

Solution

Obvious answer:

find -L /home -perm 0777

Prints out all the files/directories with the mode 0777, typically a mode you don't want set.

More specific:

find -L /home -perm /o+w

All files/directories that can be written to by anyone.

find -L /home -perm /o+r -name '.*' -type f

All files that start with a . that can be read by anyone

any files that may otherwise compromise the safety of the web server

There's not going to be any comprehensive way of quickly determining this.

OTHER TIPS

You can use find, for example, to find all files where other than the group and owner have read access:

find /home/ -perm /o+r

However, you still need to decide what unsafe permissions are. Is it unsafe to allow others to execute files in another users home dir? Is it unsafe to have file owned by another user in a users home dir, etc.

The file permissions under /home are not a security concern as long as you did your homework (pun intended). Let's assume a user has an executable file - as long as the system is administered correctly, the only thing this executable can do is to modify, read and write files in the same way a user would do. If you really want to prevent your users to have executables in their home directories: simply mount /home with the noexec option and you are good to go. Btw: if you want prevent accidental data loss, you might want to have a look at LVMs snapshot feature, too.

The problem of privilege escalation has nothing to do with wether files in the home directories are executable or not.

Regarding permissions of critical files, I strongly suggest deploying an intrusion detection system such as tripwire. It is very well thought out, not exactly easy to use, but not too hard on the other hand.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top