Fedora And Red Hat System Administration/Finding And Checking Files
Finding files with dangerous permissions
Files that are writable by "other"
If we search just based on permission, we'll get false hits from things like symbolic links.
[user@station user]$ find . -perm +002 -ls
4095 0 lrwxrwxrwx 1 user user 22 Jan 4 08:30 ./rh033 -> rh033-RHEL3-1-20031103
10209 0 lrwxrwxrwx 1 user user 18 Jan 4 09:28 ./.mozilla/default/bgdnw5up.slt/lock -> 192.168.0.254:3311
63259 1 -rw-rw-rw- 1 user user 6 Jan 5 11:58 ./playground/real-problem
Instead, look for files with other-write enabled that are regular files.
[user@station user]$ find . -perm +002 -type f -ls
63259 1 -rw-rw-rw- 1 user user 6 Jan 5 11:58 ./playground/real-problem
Directories that are writable by "other"
When searching for directories that are writable by other, one should also consider whether the "sticky bit" is set for the directory. In octal, the sticky bit is represented as a 1 in the first position of the four-digit octal representation (ex: 1777). This is a common setting for temporary directories and is not normally considered a security risk.
World writable temporary directories:
[user@station user]$ find / -perm -1002 -type d -ls 2>/dev/null
493 0 drwxrwxrwt 2 root root 40 Jan 4 09:25 /dev/shm
2 4 drwxrwxrwt 11 root root 4096 Jan 5 11:42 /tmp
58497 4 drwxrwxrwt 2 xfs xfs 4096 Jan 4 09:26 /tmp/.font-unix
29250 4 drwxrwxrwt 2 root user 4096 Jan 4 09:27 /tmp/.X11-unix
14625 4 drwxrwxrwt 2 user user 4096 Jan 4 09:27 /tmp/.ICE-unix
29252 4 drwxrwxrwt 2 user user 4096 Jan 4 09:28 /tmp/.esd
665189 4 drwxrwxrwt 2 root root 4096 Jan 3 07:51 /var/lib/texmf
97345 4 drwxrwxrwt 2 root root 4096 Jan 4 14:00 /var/tmp
178466 4 drwxrwxrwt 2 root root 4096 Aug 11 2003 /var/spool/vbox
762533 4 drwxrwxrwt 2 root root 4096 Sep 25 2003 /var/spool/samba
Finding the real problem directories:
[user@station user]$ find / -perm -002 -not -perm -1000 -type d -ls 2>/dev/null
46931 1 drwxrwxrwx 2 user user 1024 Jan 5 12:06 /home/kupferer/bad-permissions
SUID and SGID executables
SUID and SGID executables can present serious security concerns since they allow users to execute programs with the permissions of another user. For this reason they should be closely monitored. In the four-digit octal mode, SUID is represented by a 4 in the first position and SGID by a 2.
md5sum
The md5sum command produces a checksum for a file that can be used later to check whether the file's contents have changed.
[user@station user]$ echo "some content" >a_file
[user@station user]$ md5sum a_file
eb9c2bf0eb63f3a7bc0ea37ef18aeba5 a_file
[user@station user]$ echo "Some content" >a_file
[user@station user]$ md5sum a_file
581ab2d89f05c294d4fe69c623bdef83 a_file
This is often used when downloading files from possibly untrustworthy mirrors. So long as a trusted checksum can be obtained, it can be used to verify that the data wasn't corrupted, whether accidentally or maliciously. Often checksum files are distributed with downloads or kept on secure media to check systems for possible data corruption or intrusion. To create an MD5 checksum file, simply redirect the md5sum output to a file. md5sum -c can then be used to run the check later.
[user@station playground]$ for I in $(seq 1 6)
> do echo "Content for file-$I" >file-$I
> done
[user@station user]$ ls
file-1 file-2 file-3 file-4 file-5 file-6
[user@station playground]$ md5sum * >files.md5
[user@station playground]$ cat files.md5
37bca4ca3e0aa391ce8676a694940e66 file-1
ab831d920679cd711a85dc72360dbddc file-2
371e1a1c44fac93d8ff0aa87ce623f19 file-3
8472ca817e850d90b2d747254f4ec6d2 file-4
d1c4512228268473f5a7f9e22c20a14c file-5
1c64532d6ba6dd4125be760a1e7f66d3 file-6
[user@station playground]$ echo "different stuff" >file-3
[user@station playground]$ md5sum -c files.md5
file-1: OK
file-2: OK
file-3: FAILED
file-4: OK
file-5: OK
file-6: OK
md5sum: WARNING: 1 of 6 computed checksums did NOT match
Finding and Checking SUID and SGID executables
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5
[root@station root]# echo "blah" > /usr/local/bin/new-suid
[root@station root]# chmod 4755 /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
45a46
> 0d599f0ec05c3bda8c3b8a68c32a1b47 /usr/local/bin/new-suid
[root@station root]# mv suid.md5.new suid.md5
mv: overwrite `suid.md5'? y
[root@station root]# echo "more" >> /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
46c46
< 0d599f0ec05c3bda8c3b8a68c32a1b47 /usr/local/bin/new-suid
---
> 9faee5c03d3f99ba4b95be1fc78c847f /usr/local/bin/new-suid
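The two-scan comparison above, as an added shell example (not from the original page): it wraps the scan in functions, classifies each difference as an added, removed or changed SUID/SGID file instead of leaving the reader to interpret raw diff output, and runs on a constructed sandbox directory rather than /. Current GNU find rejects the page's "-perm +6000" spelling; "-perm /6000" means the same thing and is used here.

```shell
#!/bin/sh
# Baseline-and-compare for SUID/SGID executables: the page's two-scan "diff"
# workflow, turned into functions that classify each difference.
# Modern GNU find rejects "-perm +6000"; "-perm /6000" means the same thing.

# Print "md5sum  path" for every SUID or SGID regular file under $1, sorted by path.
scan_suid() {
    find "$1" -type f -perm /6000 -exec md5sum {} + 2>/dev/null | sort -k2
}

# Compare two scan files ($1 = baseline, $2 = new scan) and report
# ADDED / REMOVED / CHANGED paths (paths containing whitespace are not handled).
compare_baseline() {
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
                             { new[$2] = $1 }
         END {
             for (p in new) if (!(p in old))                    print "ADDED   " p
             for (p in old) if (!(p in new))                    print "REMOVED " p
             for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED " p
         }' "$1" "$2" | sort
}

# Demo on a constructed sandbox directory (not a real system scan).
demo() {
    root=$(mktemp -d)
    mkdir "$root/bin"
    printf 'v1\n' > "$root/bin/keep";   chmod 4755 "$root/bin/keep"
    printf 'v1\n' > "$root/bin/change"; chmod 2755 "$root/bin/change"
    printf 'v1\n' > "$root/bin/remove"; chmod 4755 "$root/bin/remove"
    printf 'v1\n' > "$root/bin/plain";  chmod 0755 "$root/bin/plain"   # no SUID/SGID: never listed
    scan_suid "$root" > "$root/suid.md5"

    # Simulate drift: one binary replaced, one lost its bit, one new SUID file appeared.
    printf 'v2\n' > "$root/bin/change"
    chmod 2755 "$root/bin/change"   # the kernel clears SUID/SGID on a write by a non-root user
    chmod 0755 "$root/bin/remove"
    printf 'new\n' > "$root/bin/added"; chmod 4755 "$root/bin/added"
    scan_suid "$root" > "$root/suid.md5.new"

    compare_baseline "$root/suid.md5" "$root/suid.md5.new"
    rm -rf "$root"
}

demo
```

Unchanged entries (keep) and files without the bits (plain) produce no line, so a quiet run means the baseline still matches.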