Fedora And Red Hat System Administration/Finding And Checking Files

Finding files with dangerous permissions

Files that are writable by "other"

If we search just based on permission, we'll get false hits from things like symbolic links.

[user@station user]$ find . -perm +002 -ls
  4095    0 lrwxrwxrwx   1 user     user           22 Jan  4 08:30 ./rh033 -> rh033-RHEL3-1-20031103
 10209    0 lrwxrwxrwx   1 user     user           18 Jan  4 09:28 ./.mozilla/default/bgdnw5up.slt/lock -> 192.168.0.254:3311
 63259    1 -rw-rw-rw-   1 user     user            6 Jan  5 11:58 ./playground/real-problem

Instead look for files with other write enabled that are regular files.

[user@station user]$ find . -perm +002 -type f -ls
 63259    1 -rw-rw-rw-   1 user     user            6 Jan  5 11:58 ./playground/real-problem

Directories that are writable by "other"

When searching for directories that are writeable by other, one should also consider whether the "sticky bit" is set for the directory. In octal, the sticky bit is represented as a 1 in the first position in four digit octal representation (ex: 1777). This is a common setting for temporary directories and is not normally considered a security risk.

World writable temporary directories:

[user@station user]$ find / -perm -1002 -type d -ls 2>/dev/null
   493    0 drwxrwxrwt   2 root     root           40 Jan  4 09:25 /dev/shm
     2    4 drwxrwxrwt  11 root     root         4096 Jan  5 11:42 /tmp
 58497    4 drwxrwxrwt   2 xfs      xfs          4096 Jan  4 09:26 /tmp/.font-unix
 29250    4 drwxrwxrwt   2 root     user         4096 Jan  4 09:27 /tmp/.X11-unix
 14625    4 drwxrwxrwt   2 user     user         4096 Jan  4 09:27 /tmp/.ICE-unix
 29252    4 drwxrwxrwt   2 user     user         4096 Jan  4 09:28 /tmp/.esd
665189    4 drwxrwxrwt   2 root     root         4096 Jan  3 07:51 /var/lib/texmf
 97345    4 drwxrwxrwt   2 root     root         4096 Jan  4 14:00 /var/tmp
178466    4 drwxrwxrwt   2 root     root         4096 Aug 11  2003 /var/spool/vbox
762533    4 drwxrwxrwt   2 root     root         4096 Sep 25  2003 /var/spool/samba

Finding the real problem directories:

[user@station user]$ find / -perm -002 -not -perm -1000 -type d -ls 2>/dev/null

 46931    1 drwxrwxrwx   2 user     user         1024 Jan  5 12:06 /home/kupferer/bad-permissions

SUID and SGID executables

SUID and SGID executables can present serious security concerns since they allow users to execute programs with permissions of another user. For this reason they should be closely monitored. SUID is represented as 4 in the first position and SGID, by a 2.

`md5sum`

The md5sum command produces a checksum for a file that can be used later to check whether the file's contents have changed.

[user@station user]$ echo "some content" >a_file
[user@station user]$ md5sum a_file
eb9c2bf0eb63f3a7bc0ea37ef18aeba5  a_file
[user@station user]$ echo "Some content" >a_file
[user@station user]$ md5sum a_file
581ab2d89f05c294d4fe69c623bdef83  a_file

This is often used when downloading files from possibly untrustworthy mirrors. So long as a trusted checksum can be obtained, it can be used to verify that the data wasn't corrupted whether accidentally or maliciously. Often checksum files are distributed with downloads or kept on secure media to check systems for possible data corruption or intrusion. To create an MD5 checksum file, simply redirect the md5sum output to a file. md5sum -c can then be used to run the check later.

[user@station playground]$ for I in $(seq 1 6)
> do echo "Content for file-$I" >file-$I
> done
[user@station user]$ ls
file-1  file-2  file-3  file-4  file-5  file-6
[user@station playground]$ md5sum * >files.md5
[user@station playground]$ cat files.md5
37bca4ca3e0aa391ce8676a694940e66  file-1
ab831d920679cd711a85dc72360dbddc  file-2
371e1a1c44fac93d8ff0aa87ce623f19  file-3
8472ca817e850d90b2d747254f4ec6d2  file-4
d1c4512228268473f5a7f9e22c20a14c  file-5
1c64532d6ba6dd4125be760a1e7f66d3  file-6
[user@station playground]$ echo "different stuff" >file-3
[user@station playground]$ md5sum -c files.md5
file-1: OK
file-2: OK
file-3: FAILED
file-4: OK
file-5: OK
file-6: OK
md5sum: WARNING: 1 of 6 computed checksums did NOT match

Finding and Checking SUID and SGID executables

[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5
[root@station root]# echo "blah" > /usr/local/bin/new-suid
[root@station root]# chmod 4755 /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
45a46
> 0d599f0ec05c3bda8c3b8a68c32a1b47  /usr/local/bin/new-suid
[root@station root]# mv suid.md5.new suid.md5
mv: overwrite `suid.md5'? y
[root@station root]# echo "more" >> /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
46c46
< 0d599f0ec05c3bda8c3b8a68c32a1b47  /usr/local/bin/new-suid
---
> 9faee5c03d3f99ba4b95be1fc78c847f  /usr/local/bin/new-suid