How to verify that all World-Writable Directories Have Proper Ownership
Locate any directories in local partitions which are world-writable and ensure that they are owned by root or another system account.
The following command will discover and print these (assuming only system accounts have a uid lower than 500). Run it once for each local partition PART:
# find PART -xdev -type d -perm -0002 -uid +500 -print
If this command produces any output, investigate why the current owner is not root or another system account.
Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
Checking Postfix file permission/ownership discrepancies
The first line (postfix check) causes Postfix to report file permission/ownership discrepancies.
# egrep ‘(reject|warning|error|fatal|panic):’ /var/log/maillog
The second line looks for problem reports from the mail software, and reports how effective the relay and junk mail access blocks are. This may produce a lot of output. You will want to apply some postprocessing to eliminate uninteresting information.
Checking File Permissions and Ownership for Security
A simple way to calculate umask values is to remember that the number 2 in the umask turns off write permission, while 7 turns off read, write, and execute permission.
The umask (UNIX shorthand for “user file-creation mode mask”) is a four-digit octal number that UNIX uses to determine the file permission for newly created files. Every process has its own umask, inherited from its parent process.
The umask specifies the permissions you do not want given by default to newly created files and directories. umask works by doing a bitwise AND with the bitwise complement of the umask. Bits that are set in the umask correspond to permissions that are not automatically assigned to newly created files.
The most common umask values are 022, 027, and 077. A umask value of 022 lets the owner both read and write all newly created files, but everybody else can only read them:
0666 default file-creation mode
(0022) umask
0644 resultant mode
A umask value of 077 lets only the file’s owner read all newly created files:
A recent trend among computing centers has been to set up new accounts with a umask of 077, so a user’s files will, by default, be unreadable by anyone else on the system unless the user makes a conscious choice to make them readable.
