Linux Security Cookbook [Electronic resources] - text version

Daniel J. Barrett, Robert G. Byrnes, Richard Silverman

Recipe 9.11 Finding Writable Files



9.11.1 Problem


You want to locate world-writable files and directories on your machine.


9.11.2 Solution


To find world-writable files:

$ find /dir -xdev -perm /o=w ! \( -type d -perm /o=t \) ! -type l -print

To disable world write access to a file:

$ chmod o-w file

To find and interactively fix world-writable files:

$ find /dir -xdev -perm /o=w ! \( -type d -perm /o=t \) ! -type l -ok chmod -v o-w {} \;

To prevent newly created files from being world-writable:

$ umask 002

Be aware of the important options and limitations of find, so you
don't inadvertently overlook important files. [Recipe 9.8]


9.11.3 Discussion


Think your system is free of world-writable files? Check anyway: you
might be surprised. For example, files extracted from Windows Zip
archives are notorious for having insecure or screwed-up permissions.

Our recipe skips directories that have the sticky bit set (e.g., /tmp).
Such directories are often world-writable, but this is safe because of
restrictions on removing and renaming files. [Recipe 7.2]

We also skip symbolic links, since their
permission bits are ignored (and are usually all set). Only the
permissions of the targets of symbolic links are relevant for access
control.

The chmod command can disable world-write access.
Combine it with find -ok and you can interactively
detect and repair world-writable files.

You can avoid creating world-writable files by setting a bit in your
umask. You also can set other bits for further
restrictions. [Recipe 7.1] Note that programs like
unzip are free to override the umask, however, so
you still need to check.
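
The cases discussed above, reproduced on a scratch directory tree. This is an added example, not code from the book: the function and file names are hypothetical, the fixture is constructed, and the test is written with POSIX octal modes (-perm -0002 and -perm -1000), which select the same files as the recipe's test.

```sh
#!/bin/sh
# Added example on constructed data; function and file names are hypothetical.

# The recipe's test in POSIX octal form: -perm -0002 = other-write bit set,
# -perm -1000 = sticky bit set. Skips sticky directories and symlinks.
find_world_writable() {
    find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) ! -type l -print | sort
}

# Non-interactive counterpart of the recipe's "-ok chmod" (assumption: the
# list has been reviewed and every hit should lose o+w).
fix_world_writable() {
    find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) ! -type l \
        -exec chmod o-w {} \;
}

# Build a scratch tree with one object per case from the Discussion.
make_fixture() {
    root=$(mktemp -d) || return 1
    (
        cd "$root" || exit 1
        umask 002
        : > created_with_umask                    # 0664: umask strips o+w
        : > extracted && chmod 666 extracted      # mode forced after creation
        mkdir open_dir && chmod 777 open_dir      # world-writable, no sticky bit
        mkdir sticky_dir && chmod 1777 sticky_dir # like /tmp
        ln -s created_with_umask link             # symlink, mode bits ignored
    ) || return 1
    printf '%s\n' "$root"
}

demo() {
    root=$(make_fixture) || return 1
    echo "reported before fix:"; find_world_writable "$root"
    fix_world_writable "$root"
    echo "reported after fix:";  find_world_writable "$root"
    rm -rf "$root"
}

demo
```

Only extracted and open_dir are reported; the file created under umask 002, the sticky directory and the symlink are not, and the sticky directory keeps its mode after the fix.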


9.11.4 See Also


find(1), chmod(1). See your shell documentation for information on
umask: bash(1), tcsh(1), etc.
