
World Lockdown: Securing Directories

My ChatGPT for today:

World-writable directories left in a default state could be leveraged by local attackers on the network who gain access to your system.

To discover which directories are world-writable I ran this command:

Code:
~$ sudo find / -type d -perm -0002 -exec ls -ld {} \;

The above command produced this list:
Code:
drwxrwxrwt 7 root root 220 Apr 28 16:24 /tmp
drwxrwxrwt 2 root root 60 Apr 28 16:20 /tmp/.X11-unix
drwxrwxrwt 2 root root 60 Apr 28 16:21 /tmp/.ICE-unix
drwxrwxrwt 2 root root 40 Apr 28 16:20 /tmp/.font-unix
drwxrwxrwt 2 root root 40 Apr 28 16:20 /tmp/.XIM-unix
find: ‘/run/user/1000/gvfs’: Permission denied
drwxrwxrwx 2 root root 40 Apr 28 16:20 /run/lock/fluidsynth
drwxrwxrwt 2 root root 40 Apr 28 16:20 /run/lock/dmraid
drwxrwxrwt 2 root root 4096 Apr 23 21:46 /var/tmp
drwxrwxrwt 2 root root 4096 Oct  6  2022 /var/lib/ex
drwxrwxrwt 2 root root 4096 Nov 21 22:50 /var/spool/mail
drwxrwxrwt 2 root root 40 Apr 28 16:20 /dev/shm
drwxrwxrwt 2 root root 40 Apr 28 16:20 /dev/mqueue
find: ‘/sys/kernel/dmabuf/buffers/1128061’: No such file or directory
find: ‘/sys/kernel/dmabuf/buffers/1127990’: No such file or directory
find: ‘/sys/kernel/dmabuf/buffers/1128062’: No such file or directory
find: ‘/sys/kernel/dmabuf/buffers/1127991’: No such file or directory
find: ‘/sys/kernel/dmabuf/buffers/1128060’: No such file or directory

Could these directories benefit from improving with chmod?
Are there alternative commands that will identify world-writable directories?
Maybe executing a chmod is unnecessary. How do I check the current chmod status?

Directories which could benefit from a chmod:
Code:
~$  sudo chmod 1777 /tmp

Additionally, in /etc/fstab add:
Code:
tmpfs           /tmp         tmpfs     defaults,mode=1777,noexec,nosuid,nodev   0  0

Code:
~$  sudo chmod 1777 /var/tmp

Code:
~$  sudo chmod 755 /run

Code:
~$  sudo chmod 1777 /dev/shm

The sticky bit (1777) allows users to create files but prevents them from deleting files created by other users.
'chmod 755' ensures that the owner (usually root) can read/write/execute, while others can only read and execute.

Additional suggestions or advice that will help clarify correctly applying these steps is appreciated.
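An added example, not code from the original post, that answers the three questions above in one place: an alternative way to list world-writable directories, a way to read the current octal mode before deciding whether a chmod is needed, and a filter that separates the expected case (drwxrwxrwt, mode 1777, as /tmp, /var/tmp and /dev/shm already show in the listing) from the one that actually merits attention (drwxrwxrwx with no sticky bit, as /run/lock/fluidsynth shows). It assumes GNU find and GNU stat as found on Linux; the sample tree it builds is constructed for the demonstration and is not a real system.

```shell
# Added example (not from the original post): audit a directory tree for
# world-writable directories, separate the sticky-bit ones (drwxrwxrwt)
# from the risky ones without it (drwxrwxrwx), and report octal modes so
# the current state can be checked before any chmod is run.
# Assumes GNU find and GNU stat (Linux).

# Every world-writable directory under $1, printed as "mode owner group path".
# 2>/dev/null drops the "Permission denied" / "No such file" noise that find
# prints while walking /run, /sys and /proc.
list_world_writable() {
    find "$1" -xdev -type d -perm -0002 \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null
}

# The subset that needs attention: world-writable but without the sticky bit,
# so any local user can delete or rename other users' files inside it.
# -perm -0002 matches o+w; ! -perm -1000 excludes directories already carrying +t.
list_unprotected() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null
}

# Octal mode of one path, e.g. 1777 for a sticky world-writable directory.
# This is the "check the current chmod status" step.
mode_of() {
    stat -c '%a' "$1"
}

# Remediate one directory by adding only the sticky bit; rwx bits are untouched.
add_sticky_bit() {
    chmod +t "$1"
}

# Constructed sample tree (not a real system) mirroring the shapes in the
# listing: a 1777 tmp, a 0777 lock directory without +t, and a normal 0755 one.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp" "$root/run/lock/fluidsynth" "$root/etc"
    chmod 0755 "$root/run" "$root/run/lock" "$root/etc"
    chmod 1777 "$root/tmp"                  # world-writable with sticky bit: expected
    chmod 0777 "$root/run/lock/fluidsynth"  # world-writable, no sticky bit: flag it
    printf '%s\n' "$root"
}
```

On a real system, source the file and run `list_unprotected /` as root: an empty result means every world-writable directory already has the sticky bit and the `chmod 1777` commands would change nothing, while each line it does print is a candidate for `add_sticky_bit`. Note that `/run` itself did not appear in the listing at all, so it is not world-writable and `chmod 755 /run` addresses a problem the listing does not show.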