Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Need to remove Group write permission .
Top Forums UNIX for Dummies Questions & Answers Need to remove Group write permission . Post 302465316 by pinga123 on Friday 22nd of October 2010 05:44:04 AM
Old 10-22-2010
Need to remove Group write permission .
How would i write a command that can find all the objects under the etc directory that have group write permission enabled and have not been accessed in the last X days.

This is what i got from internet souce but i m not able to modify it according to my distribution.



find /etc -perm -0070 -a -mtime +X ! -type l ?print

Here is the exact statement from link i m referring to.
Quote:
#
2.6 Group Write Permissions

By default many of the files and directories in the LINUX Operating System come with the group-write permission bit enabled allowing the group members to write to the object yet this functionality is rarely required. The group write bit should removed from all operating system files or directories that do not explicitly require it to be enabled.

# Risks: Unintentional or Malicious alteration of critical OS files may leave the system vulnerable to exploitation impacting data confidentiality, integrity or availability.

# Compliance:

+ ISO 17799 Policy: 9.6.1
+ DISA STIG Section: 3.5

# Requirements:

A search of an atypical LINUX box using the find command can identify all files with world write permissions where the atime or mtime have not been updated since the operating system was installed. These files can have their group write permissions safely removed.

For example the following command can find all the objects under the root directory that have group write permission enabled and have not been accessed in the last X days:

find /etc -perm -0070 -a -mtime +X ! -type l ?print

Assuming X is the number of days since the OS was installed then the objects this command identifies can safely have the group write bit disabled.

Note the " ! -type l " is needed to eliminate sym links for since they always have perms 777 this will eliminate false positives.
I m getting following error.

Quote:
# find /etc -perm -0070 -a -mtime 4 ! -type l ?print
find: paths must precede expression
Usage: find [-H] [-L] [-P] [path...] [expression]


---------- Post updated at 04:44 AM ---------- Previous update was at 04:40 AM ----------




I can able to get output if i remove ! -type .

Can any one please help me find what does ! -type do?
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

how to define permission of unix group

While logged on as root, I created a user 'usera' I also created a group called 'groupa' I need to modify the permission of the user i created to not have root privileges. I also need to change groupa to be in 'others' please help! thanks, nieves (3 Replies)
Discussion started by: mncapara
3 Replies

2. AIX

Group permission not working

Please forgive me, but I am not a Unix expert. I'm supporting SAP r/3 and we are trying to run an external command from SAP to read a file at the unix level. When we perform the more command on the following two files, we are succesful in reading the bws file, but unsucessful in reading the bws1... (13 Replies)
Discussion started by: bbauerle
13 Replies

3. UNIX for Dummies Questions & Answers

group permission

I have an executable that had permissions set to 700. I changed this to 770 and added a user to the group in an attempt to allow that userds to run the file. Obviously this didnt work or I wouldnt be here. Do I need to cause the group file to be re-read and if so how, or am I misunderstanding... (6 Replies)
Discussion started by: thumper
6 Replies

4. Shell Programming and Scripting

permission, owner and group

hello I search a script (ksh for Aix 5.3) to save all permissions, groups and owner for all files. Because we work much to change it, and a mystake ......! So i want execute this script to save/ execute permissions for all files. If you have this script, thank you for your help ;) best... (2 Replies)
Discussion started by: pascalbout
2 Replies

5. Shell Programming and Scripting

Find all files with group read OR group write OR user write permission

I need to find all the files that have group Read or Write permission or files that have user write permission. This is what I have so far: find . -exec ls -l {} \; | awk '/-...rw..w./ {print $1 " " $3 " " $4 " " $9}' It shows me all files where group read = true, group write = true... (5 Replies)
Discussion started by: shunter63
5 Replies

6. UNIX for Dummies Questions & Answers

How to remove group write bit?

I know this may sound little incomplete but this is what i read on some linux hardening guide.I dont have any clue on how to remove group's write bit. I m posting the exact sentence of the hardening guide. What all system files to be taken care of? ---------- Post updated 10-04-10 at... (3 Replies)
Discussion started by: pinga123
3 Replies

7. Solaris

Can't sudo Using Group Permission

All: I'm having a problem with sudo on Solaris 5.10 that is giving me fits (and BTW, I'm a Linux admin by trade...). The issue is that I have a number of users (myself included) that cannot sudo to root to complete user admin tasks. Assuming the user is jdoe, and the group with the elevated... (3 Replies)
Discussion started by: rjlohman
3 Replies

8. Solaris

Solaris group ID permission drwxrwS--x

why is the group id in capital S and not lowercase s ? I have a directory with the following permissions: drwxrws--x when I remove the group id and add it again with g+s or chmod 2765 , it displays the group ID in capital "S" instead of lowercase "s" tried to find this out on Google, but... (2 Replies)
Discussion started by: misterx12345
2 Replies

9. UNIX for Dummies Questions & Answers

How to create a Group with rwx permission?

I want to create a GROUP with rwx permission. Also, I want to create a GROUP with root privileges, so that next time i create a user, I just need to add it to any of the groups and privileges automatically applied. please help. Thanks, Shouvanik (4 Replies)
Discussion started by: shouvanik
4 Replies

10. AIX

AIX not following permission rules on group

Has anyone ever encountered this? It's one of those it was working Monday but not today issues. We have an account pcadmin in the group utl, its supposed to read the files in utl. No issues on Monday, but today pcadmin can't read anything owned by utl. Below you can see it still has the group... (8 Replies)
Discussion started by: J-Man
8 Replies

LEARN ABOUT PLAN9

stat

STAT(2) 							System Calls Manual							   STAT(2)

NAME

       stat, fstat, wstat, fwstat, dirstat, dirfstat, dirwstat, dirfwstat - get and put file status

SYNOPSIS

       #include <u.h>
       #include <libc.h>

       int stat(char *name, char *edir)

       int fstat(int fd, char *edir)

       int wstat(char *name, char *edir)

       int fwstat(int fd, char *edir)

       int dirstat(char *name, Dir *dir)

       int dirfstat(int fd, Dir *dir)

       int dirwstat(char *name, Dir *dir)

       int dirfwstat(int fd, Dir *dir)

DESCRIPTION

       Given  a  file's  name,	or an open file descriptor fd, these routines retrieve or modify file status information.  Stat, fstat, wstat, and
       fwstat are the system calls; they deal with machine-independent directory entries.  Their format is defined by  stat(5).   Stat	and  fstat
       retrieve  information about name or fd into edir, a buffer of length DIRLEN, defined in <libc.h>.  Wstat and fwstat write information back,
       thus changing file attributes according to edir.

       Dirstat, dirfstat, dirwstat, and dirfwstat are the same as their counterparts, except that they operate on Dir structures:

	      typedef
	      struct Dir {
		    char    name[NAMELEN];   /* last element of path */
		    char    uid[NAMELEN];    /* owner name */
		    char    gid[NAMELEN];    /* group name */
		    Qid     qid;	     /* unique id from server */
		    long    mode;	     /* permissions */
		    long    atime;	     /* last read time */
		    long    mtime;	     /* last write time */
		    Length;		     /* file length: see <u.h> */
		    ushort  type;	     /* server type */
		    ushort  dev;	     /* server subtype */
	      } Dir;

       This structure, the Qid structure, NAMELEN, and DIRLEN are defined in <libc.h>.	 The  Length  structure  is  defined  in  </$objtype/u.h>.
       Length  is  an unnamed structure (see 2c(1)), which means that its fields are directly accessible; if the length is known to fit in a long,
       then use length as a field name to retrieve it.	If the file resides on permanent storage and is not a directory, the  length  returned	by
       stat  is  the number of bytes in the file.  For directories, the length returned is zero.  For files that are streams (e.g., pipes and net-
       work connections), the length is the number of bytes that can be read without blocking.

       Each file is the responsibility of some server: it could be a file server, a kernel device, or a user process.  Type identifies the  server
       type,  and  dev says which of a group of servers of the same type is the one responsible for this file.	Qid is a structure containing path
       and vers fields, each an unsigned long: path is guaranteed to be unique among all path names currently on the file server, and vers changes
       each time the file is modified.	Thus, if two files have the same type, dev, and qid they are the same file.

       The bits in mode are defined by

	     0x80000000   directory
	     0x40000000   append only
	     0x20000000   exclusive use (locked)

		   0400   read permission by owner
		   0200   write permission by owner
		   0100   execute permission (search on directory) by owner
		   0070   read, write, execute (search) by group
		   0007   read, write, execute (search) by others

       There  are  constants  defined in <libc.h> for these bits: CHDIR, CHAPPEND, and CHEXCL for the first three; and CHREAD, CHWRITE, and CHEXEC
       for the read, write, and execute bits for others.

       The two time fields are measured in seconds since the epoch (Jan 1 00:00 1970 GMT).  Mtime is the time of the last change of content.  Sim-
       ilarly, atime is set whenever the contents are accessed; also, it is set whenever mtime is set.

       Uid  and gid are the names of the owner and group of the file.  Groups are also users, but each server is free to associate a list of users
       with any user name g, and that list is the set of users in the group g.	When an initial attachment is made to a server, the user string in
       the  process  group is communicated to the server.  Thus, the server knows, for any given file access, whether the accessing process is the
       owner of, or in the group of, the file.	This selects which sets of three bits in mode is used to check permissions.

       Only some of the fields may be changed with the wstat calls.  The name can be changed by anyone with write permission in the parent  direc-
       tory.  The mode and mtime can be changed by the owner or the group leader of the file's current group.  The gid can be changed by the owner
       if he or she is a member of the new group.  The gid can be changed by the group leader of the file's current group if  he  or  she  is  the
       leader of the new group.  (See intro(5) for permission information, and users(6) for user and group information).

SOURCE

       /sys/src/libc/9syscall
	      for the non-dir routines

       /sys/src/libc/9sys
	      for the routines prefixed dir

SEE ALSO

       intro(2), fcall(2), dirread(2), stat(5)

DIAGNOSTICS

       All these functions return 0 on success, -1 on error, and set errstr.

																	   STAT(2)
All times are GMT -4. The time now is 07:46 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy