Recipe 9.11 Finding Writable Files
9.11.1 Problem
You want to locate world-writable files and directories on your machine.
9.11.2 Solution
To find world-writable files:
$ find /dir -xdev -perm -o=w ! \( -type d -perm -o=t \) ! -type l -print
To disable world write access to a file:
$ chmod o-w file
To find and interactively fix world-writable files:
$ find /dir -xdev -perm -o=w ! \( -type d -perm -o=t \) ! -type l -ok chmod -v o-w {} \;
To prevent newly created files from being world-writable:
$ umask 002
Be aware of the important options and limitations of find, so you don't inadvertently overlook important files. [Recipe 9.8]
9.11.3 Discussion
Think your system is free of world-writable files? Check anyway: you might be surprised. For example, files extracted from Windows Zip archives are notorious for having insecure or screwed-up permissions.

Our recipe skips directories that have the sticky bit set (e.g., /tmp). Such directories are often world-writable, but this is safe because of restrictions on removing and renaming files. [Recipe 7.2]

We also skip symbolic links, since their permission bits are ignored (and are usually all set). Only the permissions of the targets of symbolic links are relevant for access control.

The chmod command can disable world-write access. Combine it with find -ok and you can interactively detect and repair world-writable files.

You can avoid creating world-writable files by setting a bit in your umask. You also can set other bits for further restrictions. [Recipe 7.1] Note that programs like unzip are free to override the umask, however, so you still need to check.
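
The search and repair described above, run non-interactively against a constructed sample tree. This is an added example, not part of the original recipe: the function names are hypothetical, the modes are written in octal, and -exec stands in for the interactive -ok.

```shell
#!/bin/sh
# Added example, not from the recipe. Function names are hypothetical.
# -0002 is the octal form of o=w and -1000 of the sticky bit (o=t).

# Print world-writable entries under $1, skipping sticky dirs and symlinks.
list_world_writable() {
    find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) ! -type l -print
}

# Non-interactive counterpart of the recipe's "-ok chmod" repair.
strip_world_write() {
    find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) ! -type l \
        -exec chmod o-w {} +
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    (
        umask 002                      # the recipe's umask
        mkdir "$tree/shared" "$tree/open"
        : > "$tree/normal.txt"         # created 0664 under umask 002
        : > "$tree/loose.txt"
        ln -s loose.txt "$tree/link"   # symlink: its own bits are ignored
    )
    # Explicit chmod stands in for a program that overrides the umask.
    chmod 666 "$tree/loose.txt"
    chmod 777 "$tree/open"
    chmod 1777 "$tree/shared"          # sticky, like /tmp: skipped
    printf '%s\n' "$tree"
}

demo() {
    tree=$(make_sample_tree) || return 1
    echo "before:"; list_world_writable "$tree"
    strip_world_write "$tree"
    echo "after:";  list_world_writable "$tree"
    rm -rf "$tree"
}

demo
```

Only loose.txt and open are reported before the repair; the sticky directory, the symlink and the file created under umask 002 are not.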
9.11.4 See Also
find(1), chmod(1). See your shell documentation for information on
umask: bash(1), tcsh(1), etc.