Script to find files less permissive than 750?

I need to write a STIG rule that will check for all files within a user's home directory, and result in a 1 if any are found to be less permissive than 750.



This is what I have made so far.



# Home directories of the accounts matched by the regex, one per line
egrep ":[0-9]4:" /etc/passwd | cut -d: -f6 |
while IFS= read -r line; do
    if [ ! -e "$line" ]; then
        exit 1                                # missing home directory: fail
    else
        # Compares the octal mode string as a plain decimal number; this is
        # the comparison that breaks for modes such as 557
        if [ "$(stat -c "%a" "$line")" -gt 750 ]; then
            exit 1
        fi
    fi
done


However, this does not work when permissions are a number such as 557. I can't think of a way, at least with my skill level, to get this to work.



How would I check all files within a home directory, and have it return 1 if it finds a file that is less permissive than 750?



Example: 751, 757, 551, 501, 001, 770, 570... should all fail. My script does not capture all these.



To clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes. If they have either r, w, or x in the "other", it needs to fail. Additionally, in the "group", it only needs to not have w. As long as it can't find any files where the "group" has write or the "other" has read, write, or execute, then it should pass. If it finds these, it needs to fail.



If I could also modify this so that files owned by root are excluded, that would be helpful.







  • You will have to be more specific about what you mean by "less permissive than 750", and also say in what way e.g. 001 and 751 is less permissive than 750.
    – Kusalananda
    Jul 29 at 7:15










  • Related - unix.stackexchange.com/questions/144268/….
    – slm♦
    Jul 29 at 12:38
















asked Jul 29 at 6:35 by TrevorKS (837), edited Jul 29 at 16:01











1 Answer
accepted
if any are found to be less permissive than 750




If the permission bits are 0750, that corresponds to rwxr-x---. Anything that has e.g. bits set in the "other" group is (basically by definition) more permissive. Similarly, something like 0700 is less permissive (it doesn't give any access to the group).



However, something like 0644 / rw-r--r-- would be both more and less permissive, as it would allow read access to "others", but wouldn't allow execute access to anyone.




To Clarify: I need to ensure NONE of the files in the home directory have ANY "other" attributes.




This, of course, is different from the above definition. But it's also easier to search for files that have some of a set of permission bits set, so let's do this, instead of looking for files that have only a subset of some set of permission bits.



Assuming you have GNU find, there's the condition -perm /mode, which means "Any of the permission bits mode are set for the file." (see man page). So find -type f -perm /027 would find any regular files that have any of the bits ----w-rwx set. The similar condition in e.g. FreeBSD find is -perm +027 (man page).



So, perhaps something in this direction:



dir=${1:-$HOME}   # directory to check: first argument, or the caller's home (assumed)
# first regular file with any of the bits ----w-rwx set; -quit stops at the first hit
x=$(find "$dir" -type f -perm /027 -print -quit)
if [ "$x" != "" ]; then
    echo "some files were found"
fi





answered Jul 29 at 16:21 by ilkkachu (47.3k)
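The two halves put together (the answer's find -perm /027 test, applied to every home directory from /etc/passwd with root-owned files skipped as the question asks), as an added example that is not code from either post. It assumes GNU find, the standard /etc/passwd layout, a UID threshold of 1000 for interactive accounts, and a --run flag of its own for stand-alone use; mode_violates also shows why a numeric -gt 750 test cannot express the rule.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes GNU find
# (-perm /mode, -print -quit) and the usual /etc/passwd layout; the UID
# threshold of 1000 for interactive users is an assumption, adjust as needed.

# Succeed (0) when an octal mode such as 557 has any bit of MASK set
# (default 027 = ----w-rwx), fail (1) otherwise. A numeric "-gt 750" test
# cannot express this: 557 < 750, yet it grants read and execute to "other".
mode_violates() {
    mode=$1
    mask=${2:-027}
    # The leading 0 makes $(( )) read both operands as octal; & is bitwise AND.
    [ $(( 0$mode & 0$mask )) -ne 0 ]
}

# Pass (0) when no regular file under DIR has group-write or any "other" bit
# set; fail (1) otherwise, or when DIR does not exist. The optional second
# argument names an owner whose files are skipped (the question asks to
# ignore root-owned files). -print -quit stops at the first offending file.
check_home() {
    dir=$1
    skip_user=$2
    [ -d "$dir" ] || return 1
    if [ -n "$skip_user" ]; then
        hit=$(find "$dir" -type f ! -user "$skip_user" -perm /027 -print -quit)
    else
        hit=$(find "$dir" -type f -perm /027 -print -quit)
    fi
    [ -z "$hit" ]
}

# Walk every account with UID >= 1000 (skipping nobody, 65534) and fail on
# the first home directory that breaks the rule. The exit status is the
# check result: 0 = compliant, 1 = finding.
check_all_homes() {
    while IFS=: read -r name _ uid _ _ home _; do
        [ "$uid" -ge 1000 ] && [ "$uid" -ne 65534 ] || continue
        check_home "$home" root || { echo "finding: $name ($home)"; return 1; }
    done < /etc/passwd
    return 0
}

# Stand-alone use: ./check_homes.sh --run (flag name is this example's own)
if [ "${1:-}" = "--run" ]; then
    check_all_homes
fi
```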






















             
