Recipe 9.11 Finding Writable Files

9.11.1 Problem

You want to locate world-writable files and directories on your machine.

9.11.2 Solution

To find world-writable files:

$ find /dir -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print

To disable world write access to a file:

$ chmod o-w file

To find and interactively fix world-writable files:

$ find /dir -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -ok chmod -v o-w {} \;

To prevent newly created files from being world-writable:

$ umask 002

Be aware of the important options and limitations of find, so you don't inadvertently overlook important files. [Recipe 9.8]

9.11.3 Discussion

Think your system is free of world-writable files? Check anyway: you might be surprised. For example, files extracted from Windows Zip archives are notorious for having insecure or screwed-up permissions.

Our recipe skips directories that have the sticky bit set (e.g., /tmp). Such directories are often world-writable, but this is safe because of restrictions on removing and renaming files. [Recipe 7.2]

We also skip symbolic links, since their permission bits are ignored (and are usually all set). Only the permissions of the targets of symbolic links are relevant for access control.

The chmod command can disable world-write access. Combine it with find -ok and you can interactively detect and repair world-writable files.

You can avoid creating world-writable files by setting a bit in your umask. You also can set other bits for further restrictions. [Recipe 7.1] Note that programs like unzip are free to override the umask, however, so you still need to check.
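The following script is an added example, not code from the book: it wraps the recipe's find expression in shell functions and exercises them against a small constructed directory tree, so you can see which entries the sticky-bit and symlink exclusions drop and what the interactive chmod step would change. It uses the portable octal form `-perm -0002` (all listed bits set), which for a single bit is equivalent to the book's `-perm +o=w`; current GNU find spells that form `-perm /o=w` and treats the `+` form as deprecated. The function names, the non-interactive `-exec chmod` variant of the fix, and the sample tree are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the book): audit a tree for world-writable files,
# skipping sticky-bit directories and symbolic links as the recipe's find does.

# Print every world-writable path under $1, staying on one filesystem, except
# sticky-bit directories (e.g. /tmp) and symbolic links (whose mode bits are
# ignored by the kernel and usually read 0777).
find_world_writable() {
    find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) ! -type l -print
}

# Number of such paths; a single value that is easy to alert on from a cron job.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Non-interactive counterpart of the recipe's "find ... -ok chmod -v o-w {} \;".
# Same selection expression, but -exec applies chmod without prompting.
fix_world_writable() {
    find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) ! -type l \
        -exec chmod o-w {} \;
}

# Build a constructed sample tree so the functions can be run offline.
# Prints the tree's path; the caller is responsible for removing it.
make_sample_tree() {
    dir=$(mktemp -d)
    # Created under the recipe's umask 002 -> mode 0664, so not reported.
    ( umask 002; echo data > "$dir/ok.txt" )
    # Explicitly made 0666, e.g. a file unpacked from a Windows Zip: reported.
    echo data > "$dir/loose.txt"; chmod 0666 "$dir/loose.txt"
    # World-writable directory with the sticky bit (like /tmp): skipped.
    mkdir "$dir/scratch"; chmod 1777 "$dir/scratch"
    # World-writable directory without the sticky bit: reported.
    mkdir "$dir/open"; chmod 0777 "$dir/open"
    # Symbolic link: skipped, only its target's permissions matter.
    ln -s "$dir/ok.txt" "$dir/link"
    printf '%s\n' "$dir"
}
```

Run `find_world_writable /` as root to audit the whole root filesystem, or point `fix_world_writable` at a directory you have just unpacked an archive into. Because the script removes only the `o=w` bit, group write access and all other permissions are left exactly as they were.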

9.11.4 See Also

find(1), chmod(1). See your shell documentation for information on umask: bash(1), tcsh(1), etc.

    Chapter 9. Testing and Monitoring