10-22-2010
Need to remove group write permission.
How would I write a command that can find all the objects under the /etc directory that have group write permission enabled and have not been accessed in the last X days?
This is what I got from an internet source, but I'm not able to modify it according to my distribution.
find /etc -perm -0070 -a -mtime +X ! -type l -print
Here is the exact statement from the link I'm referring to.
Quote:
# 2.6 Group Write Permissions
By default many of the files and directories in the LINUX Operating System come with the group-write permission bit enabled, allowing the group members to write to the object, yet this functionality is rarely required. The group write bit should be removed from all operating system files or directories that do not explicitly require it to be enabled.
# Risks: Unintentional or Malicious alteration of critical OS files may leave the system vulnerable to exploitation impacting data confidentiality, integrity or availability.
# Compliance:
+ ISO 17799 Policy: 9.6.1
+ DISA STIG Section: 3.5
# Requirements:
A search of a typical LINUX box using the find command can identify all files with world write permissions where the atime or mtime have not been updated since the operating system was installed. These files can have their group write permissions safely removed.
For example the following command can find all the objects under the root directory that have group write permission enabled and have not been accessed in the last X days:
find /etc -perm -0070 -a -mtime +X ! -type l -print
Assuming X is the number of days since the OS was installed then the objects this command identifies can safely have the group write bit disabled.
Note the "! -type l" is needed to eliminate symlinks, since they always have perms 777; this will eliminate false positives.
I'm getting the following error.
Quote:
# find /etc -perm -0070 -a -mtime 4 ! -type l ?print
find: paths must precede expression
Usage: find [-H] [-L] [-P] [path...] [expression]
---------- Post updated at 04:44 AM ---------- Previous update was at 04:40 AM ----------
I am able to get output if I remove "! -type".
Can anyone please help me find out what "! -type" does?
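The audit the quoted guide describes, written out as an added example that is not code from the original post or from the hardening guide. It uses `-perm -020` (group-write bit set) instead of the guide's `-perm -0070`, which only matches objects with group read, write AND execute; it keeps `-mtime` as the guide does, and the sample tree it builds is constructed here purely so the function can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post or the quoted guide).
# List objects under DIR whose group-write bit is set and whose content
# was last modified more than DAYS days ago, skipping symbolic links.

audit_group_write() {
    dir=$1; days=$2
    # -perm -020 : the group-write bit is set (octal 020 = --w-----).
    # -mtime +N  : last modification more than N days ago.
    # ! -type l  : skip symlinks, which always show mode 777.
    # -print     : must start with a hyphen; with any other leading
    #              character find treats it as a path and fails with
    #              "paths must precede expression".
    find "$dir" -perm -020 -mtime +"$days" ! -type l -print | sort
}

# Constructed sample tree with known modes and ages (assumed, for the demo).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/sub";   chmod 775 "$root/sub"      # dir, group-writable
    : > "$root/old_gw";  chmod 664 "$root/old_gw"   # file, group-writable
    : > "$root/new_gw";  chmod 664 "$root/new_gw"   # group-writable, recent
    : > "$root/old_ro";  chmod 644 "$root/old_ro"   # no group write
    ln -s old_gw "$root/link_gw"                    # symlink (mode 777)
    # Age selected entries with a fixed past timestamp (POSIX touch -t).
    touch -t 201001010000 "$root/sub" "$root/old_gw" "$root/old_ro"
    # -h (GNU/BSD) ages the link itself; ignored where unsupported.
    touch -h -t 201001010000 "$root/link_gw" 2>/dev/null || true
    echo "$root"
}

# Findings relative to ROOT, space separated, so a caller can check them.
findings() {
    audit_group_write "$1" "$2" | sed "s#^$1/##" | tr '\n' ' '
}

root=$(make_sample_tree)
echo "Stale group-writable objects under $root:"
audit_group_write "$root" 7
rm -rf "$root"
```

Review the list before acting on it; `chmod g-w` on a matched path is the remediation the guide describes, and `-atime` in place of `-mtime` tests access time instead.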
STAT(2) System Calls Manual STAT(2)
NAME
stat, fstat, wstat, fwstat, dirstat, dirfstat, dirwstat, dirfwstat - get and put file status
SYNOPSIS
#include <u.h>
#include <libc.h>
int stat(char *name, char *edir)
int fstat(int fd, char *edir)
int wstat(char *name, char *edir)
int fwstat(int fd, char *edir)
int dirstat(char *name, Dir *dir)
int dirfstat(int fd, Dir *dir)
int dirwstat(char *name, Dir *dir)
int dirfwstat(int fd, Dir *dir)
DESCRIPTION
Given a file's name, or an open file descriptor fd, these routines retrieve or modify file status information. Stat, fstat, wstat, and
fwstat are the system calls; they deal with machine-independent directory entries. Their format is defined by stat(5). Stat and fstat
retrieve information about name or fd into edir, a buffer of length DIRLEN, defined in <libc.h>. Wstat and fwstat write information back,
thus changing file attributes according to edir.
Dirstat, dirfstat, dirwstat, and dirfwstat are the same as their counterparts, except that they operate on Dir structures:
typedef
struct Dir {
char name[NAMELEN]; /* last element of path */
char uid[NAMELEN]; /* owner name */
char gid[NAMELEN]; /* group name */
Qid qid; /* unique id from server */
long mode; /* permissions */
long atime; /* last read time */
long mtime; /* last write time */
Length; /* file length: see <u.h> */
ushort type; /* server type */
ushort dev; /* server subtype */
} Dir;
This structure, the Qid structure, NAMELEN, and DIRLEN are defined in <libc.h>. The Length structure is defined in </$objtype/u.h>.
Length is an unnamed structure (see 2c(1)), which means that its fields are directly accessible; if the length is known to fit in a long,
then use length as a field name to retrieve it. If the file resides on permanent storage and is not a directory, the length returned by
stat is the number of bytes in the file. For directories, the length returned is zero. For files that are streams (e.g., pipes and network connections), the length is the number of bytes that can be read without blocking.
Each file is the responsibility of some server: it could be a file server, a kernel device, or a user process. Type identifies the server
type, and dev says which of a group of servers of the same type is the one responsible for this file. Qid is a structure containing path
and vers fields, each an unsigned long: path is guaranteed to be unique among all path names currently on the file server, and vers changes
each time the file is modified. Thus, if two files have the same type, dev, and qid they are the same file.
The bits in mode are defined by
0x80000000 directory
0x40000000 append only
0x20000000 exclusive use (locked)
0400 read permission by owner
0200 write permission by owner
0100 execute permission (search on directory) by owner
0070 read, write, execute (search) by group
0007 read, write, execute (search) by others
There are constants defined in <libc.h> for these bits: CHDIR, CHAPPEND, and CHEXCL for the first three; and CHREAD, CHWRITE, and CHEXEC
for the read, write, and execute bits for others.
The two time fields are measured in seconds since the epoch (Jan 1 00:00 1970 GMT). Mtime is the time of the last change of content. Similarly, atime is set whenever the contents are accessed; also, it is set whenever mtime is set.
Uid and gid are the names of the owner and group of the file. Groups are also users, but each server is free to associate a list of users
with any user name g, and that list is the set of users in the group g. When an initial attachment is made to a server, the user string in
the process group is communicated to the server. Thus, the server knows, for any given file access, whether the accessing process is the
owner of, or in the group of, the file. This selects which sets of three bits in mode is used to check permissions.
Only some of the fields may be changed with the wstat calls. The name can be changed by anyone with write permission in the parent directory. The mode and mtime can be changed by the owner or the group leader of the file's current group. The gid can be changed by the owner
if he or she is a member of the new group. The gid can be changed by the group leader of the file's current group if he or she is the
leader of the new group. (See intro(5) for permission information, and users(6) for user and group information).
SOURCE
/sys/src/libc/9syscall
for the non-dir routines
/sys/src/libc/9sys
for the routines prefixed dir
SEE ALSO
intro(2), fcall(2), dirread(2), stat(5)
DIAGNOSTICS
All these functions return 0 on success, -1 on error, and set errstr.