
For security auditing purposes I would like to go through my systems' users and make sure they don't have filesystem access to more than I'd prefer they did.

I'd like something that outputs in a format like ls -l, but for just one user (and their groups):

r-x /var
r-x /var/spool
r-x /var/spool/cron
--T /var/spool/cron/atjobs

Once I have a vetted list of what a user should be able to see, I can generate this again for another user and see how they differ. Make sense?

I want to underline that this needs to evaluate the current user's natural, group and even ACL permissions. Essentially testing each stage. I'm not sure if I care about sticky bits and things like that over simple drwx but we'll see where this goes :)

Oli

1 Answer


The best I've been able to build so far is using bash's tests:

find . -exec bash -c 'd=-;r=-;w=-;x=-; [[ -d "$1" ]] && d=d; [[ -r "$1" ]] && r=r; [[ -w "$1" ]] && w=w; [[ -x "$1" ]] && x=x; echo "$d$r$w$x $1"' _ {} \;

A sample of that output:

drwx ./dlls/mscoree/tests
-r-- ./dlls/mscoree/tests/metahost.o
-rw- ./dlls/mscoree/tests/metahost.c
-r-x ./dlls/mscoree/tests/mscoree_test-stripped.exe.so
-r-- ./dlls/mscoree/tests/testlist.c
-rw- ./dlls/mscoree/tests/Makefile.in
-r-- ./dlls/mscoree/tests/debugging.o
Oli
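The script below is an added example, not code from the question or the answer. It takes the answer's idea (bash's -r/-w/-x tests, which call access(2), so the kernel applies owner, group, supplementary-group and POSIX ACL rules in one go) and packages it so it can be run for the current account, re-run for another account, and diffed between two accounts, which is what the question asks for. Function names (perm_report, perm_report_as, perm_diff) are mine; the "run as another user" and diff paths assume sudo is installed and the caller is allowed to run the script as that account.

```shell
#!/bin/sh
# Added example (not from the original post). Prints one line per path in the
# answer's "<d><r><w><x> PATH" style, evaluated with the *calling* process's
# uid, gids and ACL entries. Paths are passed as arguments to the inner shell
# rather than substituted into its text, so spaces and quotes in names are safe.

# perm_report ROOT
# Walk ROOT and report the current user's effective access to every entry.
perm_report() {
    find "$1" -exec sh -c '
        for p in "$@"; do
            d=-; r=-; w=-; x=-
            [ -d "$p" ] && d=d   # directory?
            [ -r "$p" ] && r=r   # access(2) R_OK: owner/group/other/ACL
            [ -w "$p" ] && w=w   # access(2) W_OK
            [ -x "$p" ] && x=x   # access(2) X_OK (search bit on directories)
            printf "%s%s%s%s %s\n" "$d" "$r" "$w" "$x" "$p"
        done' _ {} +
}

# perm_report_as USER ROOT
# Same report, but evaluated as USER: re-run this script under that account so
# the kernel uses USER's uid, groups and ACL matches instead of ours.
# Assumption: sudo exists and permits running this script as USER.
perm_report_as() {
    sudo -u "$1" "$0" "$2"
}

# perm_diff ROOT USER_A USER_B
# Show where two accounts' effective access to ROOT differs (sorted unified
# diff; exit status 0 means identical, 1 means differences were found).
perm_diff() {
    a=$(mktemp) || return 2
    b=$(mktemp) || return 2
    perm_report_as "$2" "$1" | sort > "$a"
    perm_report_as "$3" "$1" | sort > "$b"
    status=0
    diff -u "$a" "$b" || status=$?
    rm -f "$a" "$b"
    return "$status"
}

# Usage:
#   perm_report.sh ROOT                  report for the current user
#   perm_report.sh ROOT USER             report as USER (via sudo)
#   perm_report.sh ROOT USER_A USER_B    diff USER_A against USER_B
if [ $# -eq 1 ]; then
    perm_report "$1"
elif [ $# -eq 2 ]; then
    perm_report_as "$2" "$1"
elif [ $# -eq 3 ]; then
    perm_diff "$1" "$2" "$3"
fi
```

Because the test is access(2), a line such as "--T" in the question's example comes out as "----" here: the script reports whether the user can actually read, write or traverse the entry, not which mode bits produced that result. Running it twice (once as the reference account, once as the one under review) and diffing the sorted output is the comparison the question describes; keep the reference output under version control so drift shows up on the next audit.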