
/etc/security search for world/groupwritable files



Hi,

I recently found a world-writable file, extracted from some tarball,
and thought it would be nice if cron would find files like that and
report them.

So here is an extension to /etc/security that takes care of
them. I added it at the bottom of /etc/security.

The settings variables should perhaps be sourced from another file,
but for my purposes this works fine.

I hope you find it useful.


#
# Check for world/groupwritable files.
#

FILESYSTEMS="ffs ufs"

# These dirs will be ignored recursively.
PRUNEPATHS="/proc /mnt /dev /tmp /usr/tmp /var/tmp"

# These files and dirs are allowed to be group-writable and will
# be ignored.
GROUPWRITABLE="
/usr/obj
/usr/src
/var/at/at.deny
/var/audit
/var/authpf
/var/crash
/var/cron/tabs/.sock
/var/games
/var/msgs/bounds
/var/named/slave
/var/run/utmp
/var/spool/clientmqueue
/var/spool/lpd
/var/spool/output
/var/spool/output/.seq
/var/spool/output/status
"

# These files and dirs are allowed to be world-writable and will
# be ignored.
WORLDWRITABLE="
/var/empty/dev/log
/var/qmail/queue/lock/trigger
"

# Build the prune clauses: -path A -prune -or -path B -prune -or ...
unset prune or
for path in $PRUNEPATHS; do
    prune="$prune $or -path $path -prune"
    or="-or"
done
[ -n "$prune" ] && prune="$prune -or"

# Restrict the check to the listed filesystem types.
unset fstypes or
for fstype in $FILESYSTEMS; do
    fstypes="$fstypes $or -fstype $fstype"
    or="-or"
done
[ -n "$fstypes" ] && fstypes="( $fstypes )"

# The explicit -print belongs to the test branch only, so the pruned
# directories themselves are not listed.  find's errors go to /dev/null
# rather than into $TMP1, which is used below as a list of file names.
find / $prune $fstypes \( -perm -0002 -or -perm -0020 \) ! -perm -1000 ! -type l -print > $TMP1 2>/dev/null

# Filter out the allowed files and dirs (exact path matches).
set -- $WORLDWRITABLE $GROUPWRITABLE
if [ $# -gt 0 ]; then
    filters="("
    while [ $# -gt 1 ]; do
        filters="$filters$1|"
        shift
    done
    filters="$filters$1)"
    # Escape the dots so names like /var/cron/tabs/.sock match literally.
    filters=$(echo "$filters" | sed 's/\./\\./g')

    egrep -v "^$filters\$" $TMP1 > $TMP2
    cat $TMP2 > $TMP1
fi

# Add back the group-writable files that happen to be world-writable.
set -- $GROUPWRITABLE
if [ $# -gt 0 ]; then
    find "$@" -prune -perm -0002 >> $TMP1 2>/dev/null
fi

if [ -s $TMP1 ]; then
    echo
    echo 'These files are world-writable or group-writable!!'
    echo '---------------------------------------------------'
    ls -ld $(< $TMP1)
fi




# Han
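As an added example (this is not code from the post above or from /etc/security), the same world/group-writable check scoped to a single directory tree, so it can be run against a constructed fixture. It uses find's `-prune -o ... -print` idiom, which keeps pruned directories out of the output without a second filtering pass, and `grep -F -x` for the allow list so dots in names such as /var/cron/tabs/.sock are matched literally. The function names, argument conventions and fixture layout are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: report world- or
# group-writable entries under one directory tree.  Function names, the
# argument conventions and the fixture below are this example's own.
#
# report_writable ROOT PRUNEPATHS ALLOWED
#   ROOT        directory to scan
#   PRUNEPATHS  whitespace-separated directories that are not descended into
#   ALLOWED     whitespace-separated paths permitted to be writable
# Prints one offending path per line, sorted.
report_writable() {
    root=$1
    prunepaths=$2
    allowed=$3

    # Build "-path A -prune -o -path B -prune -o ..." from the prune list.
    # The tests below end in an explicit -print, so find does not fall back
    # to printing every path the whole expression accepts: a pruned
    # directory makes its -prune branch true but is never printed.
    set --
    for p in $prunepaths; do
        set -- "$@" -path "$p" -prune -o
    done

    # World- or group-writable, not sticky (skips /tmp-style dirs), not a symlink.
    find "$root" "$@" \
        \( -perm -0002 -o -perm -0020 \) ! -perm -1000 ! -type l -print |
    if [ -n "$allowed" ]; then
        # Allow list as fixed strings matched against the whole line, so
        # dots in names such as /var/cron/tabs/.sock stay literal.
        grep -v -x -F -e "$(printf '%s\n' $allowed)"
    else
        cat
    fi | sort
}

# Create a constructed fixture under a fresh temporary directory and print
# its path.  Modes are set explicitly so the result does not depend on umask.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir "$root/skip" "$root/sticky" "$root/allowed"
    : > "$root/fine";        chmod 0644 "$root/fine"         # not writable
    : > "$root/ww";          chmod 0666 "$root/ww"           # world-writable: reported
    : > "$root/gw";          chmod 0664 "$root/gw"           # group-writable: reported
    : > "$root/skip/inside"; chmod 0666 "$root/skip/inside"  # under a pruned dir
    : > "$root/allowed/ok";  chmod 0664 "$root/allowed/ok"   # on the allow list
    chmod 0777 "$root/skip"        # writable itself, but pruned: not printed
    chmod 1777 "$root/sticky"      # sticky bit set: ignored like /tmp
    ln -s "$root/ww" "$root/link"  # symlink: ignored
    printf '%s\n' "$root"
}

# Run the check over the fixture, print the offending paths relative to the
# fixture root (so the output does not depend on the temp dir name), and
# remove the fixture.
demo() {
    root=$(make_fixture) || return 1
    report_writable "$root" "$root/skip" "$root/allowed/ok" | sed "s|^$root/||"
    rm -rf "$root"
}

demo
```

Run stand-alone it prints `gw` and `ww` only: the file under the pruned directory, the pruned directory itself, the sticky directory, the symlink and the allow-listed file are all left out.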
