Need to remove Group write permission

Post 302465316 by pinga123 on Friday 22nd of October 2010 05:44:04 AM (UNIX for Dummies Questions & Answers)

How would I write a command that can find all the objects under the etc directory that have group write permission enabled and have not been accessed in the last X days?

This is what I got from an internet source, but I'm not able to modify it according to my distribution.

find /etc -perm -0070 -a -mtime +X ! -type l ?print

Here is the exact statement from the link I'm referring to.
Quote:
#
2.6 Group Write Permissions

By default many of the files and directories in the LINUX Operating System come with the group-write permission bit enabled, allowing the group members to write to the object, yet this functionality is rarely required. The group write bit should be removed from all operating system files or directories that do not explicitly require it to be enabled.

# Risks: Unintentional or malicious alteration of critical OS files may leave the system vulnerable to exploitation, impacting data confidentiality, integrity or availability.

# Compliance:

+ ISO 17799 Policy: 9.6.1
+ DISA STIG Section: 3.5

# Requirements:

A search of a typical LINUX box using the find command can identify all files with world write permissions where the atime or mtime have not been updated since the operating system was installed. These files can have their group write permissions safely removed.

For example, the following command can find all the objects under the root directory that have group write permission enabled and have not been accessed in the last X days:

find /etc -perm -0070 -a -mtime +X ! -type l ?print

Assuming X is the number of days since the OS was installed, then the objects this command identifies can safely have the group write bit disabled.

Note that the " ! -type l " is needed to eliminate symlinks, since they always have perms 777; this eliminates false positives.
I'm getting the following error.

Quote:
# find /etc -perm -0070 -a -mtime 4 ! -type l ?print
find: paths must precede expression
Usage: find [-H] [-L] [-P] [path...] [expression]

---------- Post updated at 04:44 AM ---------- Previous update was at 04:40 AM ----------

I am able to get output if I remove ! -type .

Can anyone please help me find out what ! -type does?
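Added example for the audit the post is trying to run; this is editor-written POSIX sh, not code from the thread or from the hardening guide it quotes, and the function and file names in it are assumptions. It builds a constructed sample tree under mktemp so it runs offline, lists group-writable non-symlink objects not modified in more than N days, and then clears the group-write bit on them. Two details differ from the quoted command on purpose: the search uses -perm -0020 (only the group-write bit must be set), while a second function keeps the guide's -perm -0070 to show that it only matches objects whose group has read, write and execute all set; and the action is spelled -print, since a bare "?print" is not a primary and GNU find rejects it as a path operand placed after the expression, which is exactly the "paths must precede expression" message in the post.

```shell
#!/bin/sh
# Added example, not code from the thread or from the hardening guide it quotes.
# Audits a directory tree for group-writable objects that have not been
# modified in more than N days, using standard find(1) primaries.
#
#   -perm -0020   at least the group-write bit is set (leading - means
#                 "these bits, possibly with others"; 0020 is group write only)
#   -perm -0070   at least group read, write AND execute are all set; this is
#                 what the quoted guide uses, and it misses a 0664 file
#   ! -type l     skip symbolic links, whose mode reads as 777
#   -mtime +N     data last modified more than N days ago
#   -print        spelled with a leading hyphen; a bare "?print" is not a
#                 primary, so find reports "paths must precede expression"

# list_group_writable DIR DAYS: print matching paths, one per line
list_group_writable() {
    find "$1" -perm -0020 ! -type l -mtime +"$2" -print
}

# count_group_writable DIR DAYS: number of matches from list_group_writable
count_group_writable() {
    list_group_writable "$1" "$2" | wc -l | tr -d ' '
}

# count_group_rwx DIR DAYS: the same search with the guide's -perm -0070,
# kept only to show how many candidates that stricter test overlooks
count_group_rwx() {
    find "$1" -perm -0070 ! -type l -mtime +"$2" -print | wc -l | tr -d ' '
}

# strip_group_write DIR DAYS: remediation step, clears g+w on each match
strip_group_write() {
    find "$1" -perm -0020 ! -type l -mtime +"$2" -exec chmod g-w {} +
}

# build_sample: constructed sample tree in a fresh temp dir (names assumed);
# prints the directory path so the caller can remove it afterwards
build_sample() {
    tmp=$(mktemp -d)
    old=200001010000                      # touch -t stamp: 1 Jan 2000 00:00

    printf 'x\n' > "$tmp/old_gw"          # 0664, old     -> should match
    chmod 0664 "$tmp/old_gw"
    touch -t "$old" "$tmp/old_gw"

    printf 'x\n' > "$tmp/new_gw"          # 0664, recent  -> excluded by -mtime
    chmod 0664 "$tmp/new_gw"

    printf 'x\n' > "$tmp/old_ro"          # 0644, old     -> no group write
    chmod 0644 "$tmp/old_ro"
    touch -t "$old" "$tmp/old_ro"

    mkdir "$tmp/old_dir"                  # 0775 dir, old -> should match
    chmod 0775 "$tmp/old_dir"
    touch -t "$old" "$tmp/old_dir"

    ln -s "$tmp/old_gw" "$tmp/link"       # symlink       -> excluded by ! -type l

    printf '%s\n' "$tmp"
}

# Stand-alone run: audit the sample tree, remediate, and re-check.
d=$(build_sample)
echo "group-writable (-perm -0020) older than 30 days:"
list_group_writable "$d" 30
echo "matches with the guide's -perm -0070: $(count_group_rwx "$d" 30)"
strip_group_write "$d" 30
echo "remaining after chmod g-w: $(count_group_writable "$d" 30)"
rm -rf "$d"
```

On the sample tree the -0020 search reports old_gw and old_dir, the -0070 search reports only old_dir, and after strip_group_write the -0020 search reports nothing. Point list_group_writable at /etc with a large N to reproduce the audit from the guide without the remediation step; chmod changes only ctime, so a remediated file does not drop out of the -mtime window.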
 

find(1)                                                                                                              find(1)

NAME
     find - find files

SYNOPSIS
     /usr/bin/find [-H | -L] path... expression

     /usr/xpg4/bin/find [-H | -L] path... expression

DESCRIPTION
     The find utility recursively descends the directory hierarchy for each path seeking files that match a Boolean
     expression written in the primaries given below.

     find is able to descend to arbitrary depths in a file hierarchy and does not fail due to path length limitations
     (unless a path operand specified by the application exceeds PATH_MAX requirements).

OPTIONS
     The following options are supported:

     -H    Causes the file information and file type evaluated for each symbolic link encountered on the command line
           to be those of the file referenced by the link, and not the link itself. If the referenced file does not
           exist, the file information and type is for the link itself. File information for all symbolic links not on
           the command line is that of the link itself.

     -L    Causes the file information and file type evaluated for each symbolic link to be those of the file referenced
           by the link, and not the link itself. See NOTES.

     Specifying more than one of the mutually-exclusive options -H and -L is not considered an error. The last option
     specified determines the behavior of the utility.

OPERANDS
     The following operands are supported:

     path          A path name of a starting point in the directory hierarchy.

     expression    The first argument that starts with a -, or is a ! or a (, and all subsequent arguments are
                   interpreted as an expression made up of the following primaries and operators. In the descriptions,
                   wherever n is used as a primary argument, it is interpreted as a decimal integer optionally preceded
                   by a plus (+) or minus (-) sign, as follows:

                   +n    more than n
                   n     exactly n
                   -n    less than n

  Expressions
     Valid expressions are:

     -acl             True if the file has additional ACLs defined.

     -atime n         True if the file was accessed n days ago. The access time of directories in path is changed by
                      find itself.

     -cpio device     Always true. Writes the current file on device in cpio format (5120-byte records).

     -ctime n         True if the file's status was changed n days ago.

     -depth           Always true. Causes descent of the directory hierarchy to be done so that all entries in a
                      directory are acted on before the directory itself. This can be useful when find is used with
                      cpio(1) to transfer files that are contained in directories without write permission.

     -exec command    True if the executed command returns a zero value as exit status. The end of command must be
                      punctuated by an escaped semicolon (;). A command argument {} is replaced by the current path
                      name. If the last argument to -exec is {} and you specify + rather than the semicolon (;), the
                      command is invoked fewer times, with {} replaced by groups of pathnames.

     -follow          Always true. Causes symbolic links to be followed. When following symbolic links, find keeps
                      track of the directories visited so that it can detect infinite loops. For example, such a loop
                      would occur if a symbolic link pointed to an ancestor. This expression should not be used with
                      the -type l expression. See NOTES.

     -fstype type     True if the filesystem to which the file belongs is of type type.

     -group gname     True if the file belongs to the group gname. If gname is numeric and does not appear in the
                      /etc/group file, or in the NIS/NIS+ tables, it is taken as a group ID.

     -inum n          True if the file has inode number n.

     -links n         True if the file has n links.

     -local           True if the file system type is not a remote file system type as defined in the /etc/dfs/fstypes
                      file. nfs is used as the default remote filesystem type if the /etc/dfs/fstypes file is not
                      present. The -local option descends the hierarchy of non-local directories. See EXAMPLES for an
                      example of how to search for local files without descending.

     -ls              Always true. Prints current path name together with its associated statistics. These include
                      (respectively):

                        o  inode number
                        o  size in kilobytes (1024 bytes)
                        o  protection mode
                        o  number of hard links
                        o  user
                        o  group
                        o  size in bytes
                        o  modification time.

                      If the file is a special file, the size field instead contains the major and minor device
                      numbers. If the file is a symbolic link, the pathname of the linked-to file is printed preceded
                      by `->'. The format is identical to that of ls -gilds (see ls(1B)). Formatting is done
                      internally, without executing the ls program.

     -mount           Always true. Restricts the search to the file system containing the directory specified. Does
                      not list mount points to other file systems.

     -mtime n         True if the file's data was modified n days ago.

     -name pattern    True if pattern matches the current file name. Normal shell file name generation characters (see
                      sh(1)) can be used. A backslash (\) is used as an escape character within the pattern. The
                      pattern should be escaped or quoted when find is invoked from the shell. Unless the character '.'
                      is explicitly specified in the beginning of pattern, a current file name beginning with '.' does
                      not match pattern when using /usr/bin/find. /usr/xpg4/bin/find does not make this distinction;
                      wildcard file name generation characters can match file names beginning with '.'.

     -ncpio device    Always true. Writes the current file on device in cpio -c format (5120 byte records).

     -newer file      True if the current file has been modified more recently than the argument file.

     -nogroup         True if the file belongs to a group not in the /etc/group file, or in the NIS/NIS+ tables.

     -nouser          True if the file belongs to a user not in the /etc/passwd file, or in the NIS/NIS+ tables.

     -ok command      Like -exec, except that the generated command line is printed with a question mark first, and is
                      executed only if the user responds by typing y.

     -perm [-]mode    The mode argument is used to represent file mode bits. It is identical in format to the symbolic
                      mode operand, symbolic_mode_list, described in chmod(1), and is interpreted as follows. To start,
                      a template is assumed with all file mode bits cleared. An op symbol of:

                        +    Set the appropriate mode bits in the template
                        -    Clear the appropriate bits
                        =    Set the appropriate mode bits, without regard to the contents of the file mode creation
                             mask of the process

                      The op symbol of - cannot be the first character of mode, to avoid ambiguity with the optional
                      leading hyphen. Since the initial mode is all bits off, there are no symbolic modes that need to
                      use - as the first character.

                      If the hyphen is omitted, the primary evaluates as true when the file permission bits exactly
                      match the value of the resulting template. Otherwise, if mode is prefixed by a hyphen, the primary
                      evaluates as true if at least all the bits in the resulting template are set in the file
                      permission bits.

     -perm [-]onum    True if the file permission flags exactly match the octal number onum (see chmod(1)). If onum is
                      prefixed by a minus sign (-), only the bits that are set in onum are compared with the file
                      permission flags, and the expression evaluates true if they match.

     -print           Always true. Causes the current path name to be printed.

     -prune           Always yields true. Does not examine any directories or files in the directory structure below the
                      pattern just matched. (See EXAMPLES.) If -depth is specified, -prune has no effect.

     -size n[c]       True if the file is n blocks long (512 bytes per block). If n is followed by a c, the size is in
                      bytes.

     -type c          True if the type of the file is c, where c is b, c, d, D, f, l, p, or s for block special file,
                      character special file, directory, door, plain file, symbolic link, fifo (named pipe), or socket,
                      respectively.

     -user uname      True if the file belongs to the user uname. If uname is numeric and does not appear as a login
                      name in the /etc/passwd file, or in the NIS/NIS+ tables, it is taken as a user ID.

     -xdev            Same as the -mount primary.

     -xattr           True if the file has extended attributes.

  Complex Expressions
     The primaries can be combined using the following operators (in order of decreasing precedence):

     1) ( expression )
        True if the parenthesized expression is true (parentheses are special to the shell and must be escaped).

     2) ! expression
        The negation of a primary (! is the unary not operator).

     3) expression [-a] expression
        Concatenation of primaries (the and operation is implied by the juxtaposition of two primaries).

     4) expression -o expression
        Alternation of primaries (-o is the or operator).

     When you use find in conjunction with cpio, if you use the -L option with cpio then you must use the -follow
     expression with find and vice versa. Otherwise there are undesirable results.

     If no expression is present, -print is used as the expression. Otherwise, if the given expression does not contain
     any of the primaries -exec, -ok or -print, the given expression is effectively replaced by:

          ( given_expression ) -print

     The -user, -group, and -newer primaries each evaluate their respective arguments only once. Invocation of command
     specified by -exec or -ok does not affect subsequent primaries on the same file.

USAGE
     See largefile(5) for the description of the behavior of find when encountering files greater than or equal to
     2 Gbyte (2**31 bytes).

EXAMPLES
     Example 1: Writing Out the Hierarchy Directory

     The following commands are equivalent:

          example% find .
          example% find . -print

     They both write out the entire directory hierarchy from the current directory.

     Example 2: Removing Files

     The following command removes all files in your home directory named a.out or *.o that have not been accessed
     for a week:

          example% find $HOME \( -name a.out -o -name '*.o' \) -atime +7 -exec rm {} \;

     Example 3: Printing All File Names But Skipping SCCS Directories

     The following command recursively prints all file names in the current directory and below, but skips SCCS
     directories:

          example% find . -name SCCS -prune -o -print

     Example 4: Printing all file names and the SCCS directory name

     Recursively print all file names in the current directory and below, skipping the contents of SCCS directories,
     but printing out the SCCS directory name:

          example% find . -print -name SCCS -prune

     Example 5: Testing for the Newer File

     The following command is basically equivalent to the -nt extension to test(1):

          example$ if [ -n "$(find file1 -prune -newer file2)" ]; then
              printf '%s\n' "file1 is newer than file2"
          fi

     Example 6: Selecting a File Using 24-hour Mode

     The descriptions of -atime, -ctime, and -mtime use the terminology n ``24-hour periods''. For example, a file
     accessed at 23:59 is selected by:

          example% find . -atime -1 -print

     at 00:01 the next day (less than 24 hours later, not more than one day ago). The midnight boundary between days
     has no effect on the 24-hour calculation.

     Example 7: Printing Files Matching a User's Permission Mode

     The following command recursively prints all file names whose permission mode exactly matches read, write, and
     execute access for user, and read and execute access for group and other:

          example% find . -perm u=rwx,g=rx,o=rx

     The above could alternatively be specified as follows:

          example% find . -perm a=rwx,g-w,o-w

     Example 8: Printing Files with Write Access for other

     The following command recursively prints all file names whose permission includes, but is not limited to, write
     access for other:

          example% find . -perm -o+w

     Example 9: Printing Local Files without Descending Non-local Directories

          example% find . ! -local -prune -o -print

     Example 10: Printing the Files in the Name Space Possessing Extended Attributes

          example% find . -xattr

ENVIRONMENT VARIABLES
     See environ(5) for descriptions of the following environment variables that affect the execution of find: LANG,
     LC_ALL, LC_COLLATE, LC_CTYPE, LC_MESSAGES, and NLSPATH.

     PATH    Determine the location of the utility_name for the -exec and -ok primaries.

EXIT STATUS
     The following exit values are returned:

     0     All path operands were traversed successfully.

     >0    An error occurred.

FILES
     /etc/passwd         Password file

     /etc/group          Group file

     /etc/dfs/fstypes    File that registers distributed file system packages

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +-----------------------------+-----------------------------+
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     +-----------------------------+-----------------------------+
     |Availability                 |SUNWcsu                      |
     +-----------------------------+-----------------------------+
     |CSI                          |Enabled                      |
     +-----------------------------+-----------------------------+
     |Interface Stability          |Stable                       |
     +-----------------------------+-----------------------------+

SEE ALSO
     chmod(1), cpio(1), ls(1B), sh(1), test(1), acl(2), stat(2), umask(2), attributes(5), environ(5), fsattr(5),
     largefile(5), standards(5)

NOTES
     The following options are obsolete and will not be supported in future releases:

     -cpio device     Always true. Writes the current file on device in cpio format (5120-byte records).

     -ncpio device    Always true. Writes the current file on device in cpio -c format (5120-byte records).

     When using find to determine files modified within a range of time, use the -mtime argument before the -print
     argument. Otherwise, find gives all files.

     Some files that might be under the Solaris root file system are actually mount points for virtual file systems,
     such as mntfs or namefs. When comparing against a ufs file system, such files are not selected if -mount or -xdev
     is specified in the find expression.

     Using the -L or -follow option is not recommended when descending a file-system hierarchy that is under the
     control of other users. In particular, when using -exec, symbolic links can lead the find command out of the
     hierarchy in which it started. Using -type is not sufficient to restrict the type of files on which the -exec
     command operates, because there is an inherent race condition between the type-check performed by the find
     command and the time the executed command operates on the file argument.

                                                       15 July 2005                                                  find(1)