Fedora And Red Hat System Administration/Finding And Checking Files

Files that are writable by "other"
If we search based on permission bits alone, we get false hits from things like symbolic links, which always show mode lrwxrwxrwx regardless of the target's permissions.

[user@station user]$ find . -perm +002 -ls
 4095    0 lrwxrwxrwx   1 user     user           22 Jan  4 08:30 ./rh033 -> rh033-RHEL3-1-20031103
10209    0 lrwxrwxrwx   1 user     user           18 Jan  4 09:28 ./.mozilla/default/bgdnw5up.slt/lock -> 192.168.0.254:3311
63259    1 -rw-rw-rw-   1 user     user            6 Jan  5 11:58 ./playground/real-problem

Instead, restrict the search to regular files (-type f) that have the other-write bit set.

[user@station user]$ find . -perm +002 -type f -ls
63259    1 -rw-rw-rw-   1 user     user            6 Jan  5 11:58 ./playground/real-problem

Directories that are writable by "other"
When searching for directories that are writable by other, one should also consider whether the "sticky bit" is set on the directory. With the sticky bit set, only a file's owner (or root) can delete or rename it, even though anyone can create files there. In octal, the sticky bit is represented as a 1 in the first position of the four-digit representation (ex: 1777). This is a common setting for temporary directories and is not normally considered a security risk.

World writable temporary directories:

[user@station user]$ find / -perm -1002 -type d -ls 2>/dev/null
   493    0 drwxrwxrwt   2 root     root           40 Jan  4 09:25 /dev/shm
     2    4 drwxrwxrwt  11 root     root         4096 Jan  5 11:42 /tmp
 58497    4 drwxrwxrwt   2 xfs      xfs          4096 Jan  4 09:26 /tmp/.font-unix
 29250    4 drwxrwxrwt   2 root     user         4096 Jan  4 09:27 /tmp/.X11-unix
 14625    4 drwxrwxrwt   2 user     user         4096 Jan  4 09:27 /tmp/.ICE-unix
 29252    4 drwxrwxrwt   2 user     user         4096 Jan  4 09:28 /tmp/.esd
665189    4 drwxrwxrwt   2 root     root         4096 Jan  3 07:51 /var/lib/texmf
 97345    4 drwxrwxrwt   2 root     root         4096 Jan  4 14:00 /var/tmp
178466    4 drwxrwxrwt   2 root     root         4096 Aug 11  2003 /var/spool/vbox
762533    4 drwxrwxrwt   2 root     root         4096 Sep 25  2003 /var/spool/samba

Finding the real problem directories (world-writable without the sticky bit):

[user@station user]$ find / -perm -002 -not -perm -1000 -type d -ls 2>/dev/null
 46931    1 drwxrwxrwx   2 user     user         1024 Jan  5 12:06 /home/kupferer/bad-permissions

SUID and SGID executables
SUID and SGID executables can present serious security concerns, since they allow users to execute programs with the permissions of another user or group. For this reason they should be closely monitored. In octal, SUID is represented as a 4 in the first position and SGID as a 2 (ex: 4755, 2755).

The md5sum command produces a checksum for a file that can be used later to check whether the file's contents have changed.

[user@station user]$ echo "some content" >a_file
[user@station user]$ md5sum a_file
eb9c2bf0eb63f3a7bc0ea37ef18aeba5  a_file
[user@station user]$ echo "Some content" >a_file
[user@station user]$ md5sum a_file
581ab2d89f05c294d4fe69c623bdef83  a_file

This is often used when downloading files from possibly untrustworthy mirrors. So long as a trusted checksum can be obtained, it can be used to verify that the data wasn't corrupted, whether accidentally or maliciously. Checksum files are often distributed with downloads, or kept on secure media so that systems can be checked for possible data corruption or intrusion. To create an MD5 checksum file, simply redirect the md5sum output to a file; md5sum -c can then be used to run the check later.

[user@station playground]$ for I in $(seq 1 6)
> do echo "Content for file-$I" >file-$I
> done
[user@station user]$ ls
file-1  file-2  file-3  file-4  file-5  file-6
[user@station playground]$ md5sum * >files.md5
[user@station playground]$ cat files.md5
37bca4ca3e0aa391ce8676a694940e66  file-1
ab831d920679cd711a85dc72360dbddc  file-2
371e1a1c44fac93d8ff0aa87ce623f19  file-3
8472ca817e850d90b2d747254f4ec6d2  file-4
d1c4512228268473f5a7f9e22c20a14c  file-5
1c64532d6ba6dd4125be760a1e7f66d3  file-6
[user@station playground]$ echo "different stuff" >file-3
[user@station playground]$ md5sum -c files.md5
file-1: OK
file-2: OK
file-3: FAILED
file-4: OK
file-5: OK
file-6: OK
md5sum: WARNING: 1 of 6 computed checksums did NOT match

Finding and Checking SUID and SGID executables
Combining find with md5sum gives a baseline of every SUID/SGID executable on the system; a later scan diffed against that baseline shows new, removed, or modified executables.

[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5
[root@station root]# echo "blah" > /usr/local/bin/new-suid
[root@station root]# chmod 4755 /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
45a46
> 0d599f0ec05c3bda8c3b8a68c32a1b47  /usr/local/bin/new-suid
[root@station root]# mv suid.md5.new suid.md5
mv: overwrite `suid.md5'? y
[root@station root]# echo "more" >> /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
46c46
< 0d599f0ec05c3bda8c3b8a68c32a1b47  /usr/local/bin/new-suid
---
> 9faee5c03d3f99ba4b95be1fc78c847f  /usr/local/bin/new-suid
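The baseline-and-diff procedure above, written up as a small script (an added example, not part of the original page). It spells the page's "-perm +6000" as "-perm -4000 -o -perm -2000", which every find accepts, and reports each difference as ADDED, CHANGED or REMOVED instead of raw diff output; SUMTOOL, scan_suid, compare_suid and check_suid are names chosen here, and md5sum can be swapped for sha256sum.

```shell
#!/bin/sh
# Added example: baseline the SUID/SGID executables under a directory tree and
# report additions, removals and content changes against an earlier baseline.
# "-perm -4000 -o -perm -2000" is the portable form of the page's "+6000"
# (newer findutils deprecate +mode in favour of /mode).

# Checksum tool: the page uses md5sum; sha256sum is a drop-in replacement.
SUMTOOL=${SUMTOOL:-md5sum}

# scan_suid DIR: print "checksum  path" for every SUID or SGID regular file
# below DIR, sorted by path. Paths are assumed not to contain whitespace.
scan_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec "$SUMTOOL" {} + 2>/dev/null | sort -k2
}

# compare_suid BASELINE CURRENT: print one ADDED/CHANGED/REMOVED line per
# difference. Exit status 0 when the listings agree, 1 when anything differs.
compare_suid() {
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }     # load the baseline
        {
            cur[$2] = $1
            if (!($2 in base))       { print "ADDED   " $2; diff = 1 }
            else if (base[$2] != $1) { print "CHANGED " $2; diff = 1 }
        }
        END {
            for (p in base) if (!(p in cur)) { print "REMOVED " p; diff = 1 }
            exit (diff ? 1 : 0)
        }' "$1" "$2"
}

# check_suid DIR BASELINE: rescan DIR and compare with BASELINE; writes the
# baseline on the first run. Exit status as compare_suid (0 = no change).
check_suid() {
    dir=$1; baseline=$2
    if [ ! -f "$baseline" ]; then
        scan_suid "$dir" > "$baseline"
        echo "baseline written to $baseline ($(wc -l < "$baseline") entries)"
        return 0
    fi
    scan_suid "$dir" > "$baseline.new"
    compare_suid "$baseline" "$baseline.new"
}
```

Run it as root against / with the baseline kept on read-only media, e.g. "check_suid / /mnt/cdrom/suid.md5"; a CHANGED line for a binary that no package update touched is the case the page's diff example illustrates.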