Script to find files less permissive than 750?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
0
down vote

favorite












I need to write a STIG rule that will check for all files within a user's home directory, and result in a 1 if any are found to be less permissive than 750.



This is what i have made so far.



egrep ":[0-9]4:" /etc/passwd | cut -d: -f6 |
while read line; do
if [ ! -e "$line" ];then
exit 1
else
if [ `stat -c "%a" "$line"` -gt 750 ];then
exit 1
fi
fi
done


However, this does not work when permissions are a number such as 557. I can't think of a way, at least with my skill level, to get this to work.



How would i check all files within a home directory, and have it return 1 if it finds a file that is less permissive than 750?



Example: 751,757, 551, 501, 001, 770, 570.. should all fail. My script does not capture all these.



To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes. If they have ethier r,w, or x in the "other", it needs to fail. Additionally, in the "group", it needs to only not have w. As long as it cant find any files where the "group" has write or the "other" has read, write, or execute, then it should pass. If it finds theses, it needs to fail.



If i could also modify this so that files owned from root are excluded, that would be helpful







share|improve this question





















  • You will have to be more specific about what you mean by "less permissive than 750", and also say in what way e.g. 001 and 751 is less permissive than 750.
    – Kusalananda
    Jul 29 at 7:15










  • Related - unix.stackexchange.com/questions/144268/….
    – slm♦
    Jul 29 at 12:38
















up vote
0
down vote

favorite












I need to write a STIG rule that will check for all files within a user's home directory, and result in a 1 if any are found to be less permissive than 750.



This is what i have made so far.



egrep ":[0-9]4:" /etc/passwd | cut -d: -f6 |
while read line; do
if [ ! -e "$line" ];then
exit 1
else
if [ `stat -c "%a" "$line"` -gt 750 ];then
exit 1
fi
fi
done


However, this does not work when permissions are a number such as 557. I can't think of a way, at least with my skill level, to get this to work.



How would i check all files within a home directory, and have it return 1 if it finds a file that is less permissive than 750?



Example: 751,757, 551, 501, 001, 770, 570.. should all fail. My script does not capture all these.



To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes. If they have ethier r,w, or x in the "other", it needs to fail. Additionally, in the "group", it needs to only not have w. As long as it cant find any files where the "group" has write or the "other" has read, write, or execute, then it should pass. If it finds theses, it needs to fail.



If i could also modify this so that files owned from root are excluded, that would be helpful







share|improve this question





















  • You will have to be more specific about what you mean by "less permissive than 750", and also say in what way e.g. 001 and 751 is less permissive than 750.
    – Kusalananda
    Jul 29 at 7:15










  • Related - unix.stackexchange.com/questions/144268/….
    – slm♦
    Jul 29 at 12:38












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I need to write a STIG rule that will check for all files within a user's home directory, and result in a 1 if any are found to be less permissive than 750.



This is what i have made so far.



egrep ":[0-9]4:" /etc/passwd | cut -d: -f6 |
while read line; do
if [ ! -e "$line" ];then
exit 1
else
if [ `stat -c "%a" "$line"` -gt 750 ];then
exit 1
fi
fi
done


However, this does not work when permissions are a number such as 557. I can't think of a way, at least with my skill level, to get this to work.



How would i check all files within a home directory, and have it return 1 if it finds a file that is less permissive than 750?



Example: 751,757, 551, 501, 001, 770, 570.. should all fail. My script does not capture all these.



To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes. If they have ethier r,w, or x in the "other", it needs to fail. Additionally, in the "group", it needs to only not have w. As long as it cant find any files where the "group" has write or the "other" has read, write, or execute, then it should pass. If it finds theses, it needs to fail.



If i could also modify this so that files owned from root are excluded, that would be helpful







share|improve this question













I need to write a STIG rule that will check for all files within a user's home directory, and result in a 1 if any are found to be less permissive than 750.



This is what i have made so far.



egrep ":[0-9]4:" /etc/passwd | cut -d: -f6 |
while read line; do
if [ ! -e "$line" ];then
exit 1
else
if [ `stat -c "%a" "$line"` -gt 750 ];then
exit 1
fi
fi
done


However, this does not work when permissions are a number such as 557. I can't think of a way, at least with my skill level, to get this to work.



How would i check all files within a home directory, and have it return 1 if it finds a file that is less permissive than 750?



Example: 751,757, 551, 501, 001, 770, 570.. should all fail. My script does not capture all these.



To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes. If they have ethier r,w, or x in the "other", it needs to fail. Additionally, in the "group", it needs to only not have w. As long as it cant find any files where the "group" has write or the "other" has read, write, or execute, then it should pass. If it finds theses, it needs to fail.



If i could also modify this so that files owned from root are excluded, that would be helpful









share|improve this question












share|improve this question




share|improve this question








edited Jul 29 at 16:01
























asked Jul 29 at 6:35









TrevorKS

837




837











  • You will have to be more specific about what you mean by "less permissive than 750", and also say in what way e.g. 001 and 751 is less permissive than 750.
    – Kusalananda
    Jul 29 at 7:15










  • Related - unix.stackexchange.com/questions/144268/….
    – slm♦
    Jul 29 at 12:38
















  • You will have to be more specific about what you mean by "less permissive than 750", and also say in what way e.g. 001 and 751 is less permissive than 750.
    – Kusalananda
    Jul 29 at 7:15










  • Related - unix.stackexchange.com/questions/144268/….
    – slm♦
    Jul 29 at 12:38















You will have to be more specific about what you mean by "less permissive than 750", and also say in what way e.g. 001 and 751 is less permissive than 750.
– Kusalananda
Jul 29 at 7:15




You will have to be more specific about what you mean by "less permissive than 750", and also say in what way e.g. 001 and 751 is less permissive than 750.
– Kusalananda
Jul 29 at 7:15












Related - unix.stackexchange.com/questions/144268/….
– slm♦
Jul 29 at 12:38




Related - unix.stackexchange.com/questions/144268/….
– slm♦
Jul 29 at 12:38










1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted











if any are found to be less permissive than 750




If the permission bits are 0750, that corresponds to rwxr-x---. Anything that has e.g. bits set in the "other" group, is (basically by definition) more permissive. Similarly, something like 0700 is less permissive (it doesn't give any access to the group).



However, something like 0644 / rw-r--r-- would be both more and less permissive, as it would allow read access to "others", but wouldn't allow execute access to anyone.




To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes.




This, of course, is different than the above definition. But it's also easier to search for files that have some of a set of permissions bits set, so let's do this, instead of looking for files that have only a subset of some set of permissions bits.



Assuming you have GNU find, there's the condition -perm /mode, which means "Any of the permission bits mode are set for the file." (see man page). So find -type f -perm /027 would find any regular files that have any of the bits ----w-rwx set. The similar condition in e.g. FreeBSD find is -perm +027 (man page).



So, perhaps something in this direction:



x=$(find "$dir" -type f -perm /027 -print -quit)
if [ "$x" != "" ]; then
echo "some files were found"
fi





share|improve this answer





















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f459136%2fscript-to-find-files-less-permissive-than-750%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    1
    down vote



    accepted











    if any are found to be less permissive than 750




    If the permission bits are 0750, that corresponds to rwxr-x---. Anything that has e.g. bits set in the "other" group, is (basically by definition) more permissive. Similarly, something like 0700 is less permissive (it doesn't give any access to the group).



    However, something like 0644 / rw-r--r-- would be both more and less permissive, as it would allow read access to "others", but wouldn't allow execute access to anyone.




    To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes.




    This, of course, is different than the above definition. But it's also easier to search for files that have some of a set of permissions bits set, so let's do this, instead of looking for files that have only a subset of some set of permissions bits.



    Assuming you have GNU find, there's the condition -perm /mode, which means "Any of the permission bits mode are set for the file." (see man page). So find -type f -perm /027 would find any regular files that have any of the bits ----w-rwx set. The similar condition in e.g. FreeBSD find is -perm +027 (man page).



    So, perhaps something in this direction:



    x=$(find "$dir" -type f -perm /027 -print -quit)
    if [ "$x" != "" ]; then
    echo "some files were found"
    fi





    share|improve this answer

























      up vote
      1
      down vote



      accepted











      if any are found to be less permissive than 750




      If the permission bits are 0750, that corresponds to rwxr-x---. Anything that has e.g. bits set in the "other" group, is (basically by definition) more permissive. Similarly, something like 0700 is less permissive (it doesn't give any access to the group).



      However, something like 0644 / rw-r--r-- would be both more and less permissive, as it would allow read access to "others", but wouldn't allow execute access to anyone.




      To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes.




      This, of course, is different than the above definition. But it's also easier to search for files that have some of a set of permissions bits set, so let's do this, instead of looking for files that have only a subset of some set of permissions bits.



      Assuming you have GNU find, there's the condition -perm /mode, which means "Any of the permission bits mode are set for the file." (see man page). So find -type f -perm /027 would find any regular files that have any of the bits ----w-rwx set. The similar condition in e.g. FreeBSD find is -perm +027 (man page).



      So, perhaps something in this direction:



      x=$(find "$dir" -type f -perm /027 -print -quit)
      if [ "$x" != "" ]; then
      echo "some files were found"
      fi





      share|improve this answer























        up vote
        1
        down vote



        accepted







        up vote
        1
        down vote



        accepted







        if any are found to be less permissive than 750




        If the permission bits are 0750, that corresponds to rwxr-x---. Anything that has e.g. bits set in the "other" group, is (basically by definition) more permissive. Similarly, something like 0700 is less permissive (it doesn't give any access to the group).



        However, something like 0644 / rw-r--r-- would be both more and less permissive, as it would allow read access to "others", but wouldn't allow execute access to anyone.




        To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes.




        This, of course, is different than the above definition. But it's also easier to search for files that have some of a set of permissions bits set, so let's do this, instead of looking for files that have only a subset of some set of permissions bits.



        Assuming you have GNU find, there's the condition -perm /mode, which means "Any of the permission bits mode are set for the file." (see man page). So find -type f -perm /027 would find any regular files that have any of the bits ----w-rwx set. The similar condition in e.g. FreeBSD find is -perm +027 (man page).



        So, perhaps something in this direction:



        x=$(find "$dir" -type f -perm /027 -print -quit)
        if [ "$x" != "" ]; then
        echo "some files were found"
        fi





        share|improve this answer














        if any are found to be less permissive than 750




        If the permission bits are 0750, that corresponds to rwxr-x---. Anything that has e.g. bits set in the "other" group, is (basically by definition) more permissive. Similarly, something like 0700 is less permissive (it doesn't give any access to the group).



        However, something like 0644 / rw-r--r-- would be both more and less permissive, as it would allow read access to "others", but wouldn't allow execute access to anyone.




        To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes.




        This, of course, is different than the above definition. But it's also easier to search for files that have some of a set of permissions bits set, so let's do this, instead of looking for files that have only a subset of some set of permissions bits.



        Assuming you have GNU find, there's the condition -perm /mode, which means "Any of the permission bits mode are set for the file." (see man page). So find -type f -perm /027 would find any regular files that have any of the bits ----w-rwx set. The similar condition in e.g. FreeBSD find is -perm +027 (man page).



        So, perhaps something in this direction:



        x=$(find "$dir" -type f -perm /027 -print -quit)
        if [ "$x" != "" ]; then
        echo "some files were found"
        fi






        share|improve this answer













        share|improve this answer



        share|improve this answer











        answered Jul 29 at 16:21









        ilkkachu

        47.3k668130




        47.3k668130






















             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f459136%2fscript-to-find-files-less-permissive-than-750%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?