How to verify that all World-Writable Directories Have Proper Ownership
Locate any directories in local partitions which are world-writable and ensure that they are owned by root or another system account.
The following command will discover and print such directories, assuming that only system accounts have uids below 500. Run it once for each local partition, substituting the partition's mount point for PART:
# find PART -xdev -type d -perm -0002 -uid +500 -print
If this command produces any output, investigate why the current owner is not root or another system account.
Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
Security - Verify that All World-Writable Directories Have Sticky Bits Set
Locate any directories in local partitions which are world-writable and do not have their sticky bits set. The following command will discover and print these. Run it once for each local partition, substituting the partition's mount point for PARTITION:
# find PARTITION -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
If this command produces any output, fix each reported directory /dir using the command:
When the so-called “sticky bit” is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other’s files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit.
PSA, Sitebuilder, Billing product directories for Mirroring.
The PSA_10.0.0/, SITEBUILDER_5.0.0/, and BILLING_7.0.0/ directories are the product directories you should mirror. They contain the following:
dist-[type]-[os-name]-[version]-[architecture]/ : Product distribution packages, e.g., dist-deb-Debian-5.0-x86_64/.
update-[type]-[os-name]-[version]-[architecture]/ : Packages required to install the product.
Note: If you mirror only Virtuozzo templates, we recommend excluding the update-* directories from mirroring.
thirdparty-[type]-[os-name]-[version]-[architecture]/ : Additional third-party packages.
[product]-[parallels-panel-version]-[os-name]-[architecture].inf3 : Parallels Installer configuration files. Here product is one of the following: plesk, sitebuilder, billing.
How to find World/Group writable files and directories.
Finding world-writable files and directories
# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
These commands print a long listing of every file and directory that is writable by its group (-perm -20) or by everyone (-perm -2). Review the permissions and remove world-write permission from files that do not need it by executing /bin/chmod on them.
To remove the permission, execute:
# /bin/chmod o-w [file-name]
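The two directory checks from the world-writable directory sections above (ownership and sticky bit) and the group/world-writable scan from this section, gathered into one added shell script that is not part of the original page. It runs the finds against a small constructed directory tree instead of a real partition so the checks can be exercised safely; the SYS_UID_MAX value (taken from the page's "system accounts have uids below 500" assumption), the function names and the sample paths are assumptions. The remedies it applies are the standard ones: chmod +t to set the sticky bit, chmod o-w to drop world write.

```shell
#!/bin/sh
# Added example (not from the original page): audit a path for the
# permission problems described in the text. Assumes a find that supports
# -xdev and -perm (GNU, BSD, busybox). SYS_UID_MAX=500 mirrors the page's
# assumption about system accounts; adjust for your distribution.
SYS_UID_MAX=${SYS_UID_MAX:-500}

# 1. World-writable directories not owned by a system account.
#    find's -uid +N matches uids strictly greater than N, as on the page.
ww_dirs_user_owned() {
    find "$1" -xdev -type d -perm -0002 -uid +"$SYS_UID_MAX" 2>/dev/null
}

# 2. World-writable directories without the sticky bit: anyone with write
#    access could remove other users' files from them.
ww_dirs_no_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
}

# 3. Files and directories writable by group or by everyone (the page's
#    -perm -2 / -perm -20 test written in full octal).
group_or_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) 2>/dev/null
}

# Remedies: set the sticky bit on a reported directory, or drop other-write
# entirely where world access is not needed (the better fix, per the page).
set_sticky()   { chmod +t  "$1"; }
drop_other_w() { chmod o-w "$1"; }

# Constructed sample tree (hypothetical names) so the checks can run without
# scanning a real partition. Prints the tree's root directory.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/tmp_ok" "$root/shared" "$root/incoming" "$root/etc"
    chmod 1777 "$root/tmp_ok"       # world-writable *with* sticky bit: acceptable
    chmod 0777 "$root/shared"       # world-writable, no sticky bit: reported by 2
    chmod 0777 "$root/incoming"     # same, will be fixed with o-w instead of +t
    chmod 0755 "$root/etc"
    : > "$root/etc/app.conf"
    chmod 0664 "$root/etc/app.conf" # group-writable file: reported by 3 only
    printf '%s\n' "$root"
}

# Number of lines a check prints, trimmed so it compares as an integer.
count() { "$@" | wc -l | tr -d ' '; }

# Run all three checks against one path and print a short report.
audit_path() {
    echo "== world-writable dirs owned by a non-system uid (>$SYS_UID_MAX)"
    ww_dirs_user_owned "$1"
    echo "== world-writable dirs without the sticky bit"
    ww_dirs_no_sticky "$1"
    echo "== group- or world-writable files and dirs"
    group_or_world_writable "$1"
}

# Usage: sh audit_ww.sh /home   (run once per local partition, as on the page)
if [ -n "${1:-}" ]; then
    audit_path "$1"
fi
```

Check 3 deliberately still reports a directory after chmod o-w when it remains group-writable, which is why the page's scan looks at both bits: dropping world write alone does not make a shared directory safe for unrelated group members.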
Directories in /proc
The /proc directory contains quite a few directories named with a number. A listing of them starts off like this:
# ls -l /proc
total 0
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 1
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 10
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 1066
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 11
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 12
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 13
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 14
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 15
dr-xr-xr-x 7 root root 0 2010-07-02 21:37 16
These directories are called process directories, as each is named after a process's ID and contains information specific to that process. The owner and group of each process directory are set to the user running the process. When the process terminates, its /proc process directory vanishes. While the process is running, however, a great deal of information specific to that process is available in the process directory's various files.
Related information concerning the kernel is grouped into directories and sub-directories within /proc.
Each of the process directories contains the following files:
cmdline — Contains the command line arguments that started the process.
cwd — A link to the current working directory for the process.
cpu — Provides specific information about the utilization of each of the system’s CPUs.
environ — Gives a list of the environment variables for the process.
exe — A link to the executable of this process.
fd — A directory containing all of the file descriptors for a particular process.
maps — Contains memory maps to the various executables and library files associated with this process.
mem — The memory held by the process.
root — A link to the root directory of the process.
stat — Status information about the process.
statm — Status of the memory in use by the process.
status — Provides the status of the process in a form that is much more readable than stat or statm.
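Added example, not part of the original page: a small script that reads the per-process files listed above for one pid, using only /proc and standard tools (awk, tr, readlink, ls). It is Linux-only, assumes /proc is mounted, and the function names and output format are my own. Reading another user's fd/, environ or maps fails with permission denied unless you are that user or root, which is the ownership rule the text describes.

```shell
#!/bin/sh
# Added example (not from the original page): inspect one process through
# the files in /proc/<pid>/ described in the text. Linux only.

# Real uid of the process, from the "Uid:" line of status
# (the four columns are real, effective, saved and filesystem uid).
proc_uid()   { awk '/^Uid:/ {print $2; exit}' "/proc/$1/status"; }

# Scheduler state letter: R running, S sleeping, D disk wait, Z zombie, ...
proc_state() { awk '/^State:/ {print $2; exit}' "/proc/$1/status"; }

# cmdline holds the arguments separated by NUL bytes; join them with spaces.
# Kernel threads have an empty cmdline, so the result may be empty.
proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ *$//'; }

# exe, cwd and root are symlinks; readlink resolves them. A target ending in
# "(deleted)" means the binary was removed or replaced while running, which
# is worth a second look during an investigation.
proc_exe() { readlink "/proc/$1/exe"; }
proc_cwd() { readlink "/proc/$1/cwd"; }

# Number of open file descriptors = entries in fd/ (0 if fd/ is not
# readable, i.e. the process belongs to another user and you are not root).
proc_fd_count() { ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '; }

# Environment variable names only: values often hold credentials, so a
# review script should not echo them.
proc_env_names() { tr '\0' '\n' < "/proc/$1/environ" | sed 's/=.*//' | sort; }

# One-screen summary for a pid. Returns 1 if the process directory is
# gone, which is what happens as soon as the process terminates.
proc_summary() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "pid:     $pid"
    echo "uid:     $(proc_uid "$pid")"
    echo "state:   $(proc_state "$pid")"
    echo "exe:     $(proc_exe "$pid" 2>/dev/null || echo '<not readable>')"
    echo "cwd:     $(proc_cwd "$pid" 2>/dev/null || echo '<not readable>')"
    echo "fds:     $(proc_fd_count "$pid")"
    echo "cmdline: $(proc_cmdline "$pid")"
}

# Usage: sh procinfo.sh 1234   (defaults to the running shell itself)
proc_summary "${1:-$$}"
```

Comparing exe against the package manager's idea of what should be installed, or noticing a cwd in /tmp for a daemon that has no business there, is the kind of check this data supports; the directory vanishing on exit is also why such evidence must be captured while the process is still alive.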