LinuxQuestions.org
Old 10-05-2007, 08:53 AM   #1
ilago
LQ Newbie
 
Registered: Dec 2006
Location: Australia
Distribution: Mepis, PCLinuxOS, openSuse 10.3
Posts: 16

Rep: Reputation: 0
World Writable Files


I've been using Linux for the last couple of years - I've settled on Mepis and PCLinuxOS as best for my uses. I used Mepis for over a year before this and before that I was running Suse and Red Hat on and off over a few years, but got sucked back into Windows for work.

Sometimes Linux security can be confusing for the non-supergeek users. I check the syslog and security log every couple of weeks, in the hope that one day I'll be able to read them like I can a Windows malware log or event log.

I'm running PCLinuxOS at the moment and have been since it was released. I made a new user for a 4 year old that loves to use my computer with no login and some reduced access like the printer (I can't afford that much ink) then I installed TuxPaint and Childsplay from the PCL repository. Tuxpaint is the favorite. But since I installed them I have a "World Writable Files found" warning.

Now the security log is showing:

*** Security Check, Mon Oct 1 04:02:21 CST 2007 ***
Security Warning: World Writable files found :
- /tmp/.ICE-unix
- /tmp/.X11-unix
- /tmp/.X11-unix/X0
- /tmp/.font-unix
- /tmp/.font-unix/fs-1
- /usr/lib/childsplay/Data/childsplay.score
- /usr/share/doc/apt-0.5.15lorg3.92/examples
- /var/lib/lock/sane
- /var/run/acpid.socket
- /var/run/avahi-daemon/socket
- /var/run/cups/cups.sock
- /var/run/dbus/system_bus_socket
- /var/run/xdmctl/dmctl-:0/socket
- /var/run/xdmctl/dmctl/socket
- /var/spool/samba

syslog is showing the same thing:
>>>> snip <<<<<
Oct 1 04:02:01 localhost logrotate: ALERT exited abnormally with [1]
Oct 1 04:02:21 localhost logger: Security Warning: World Writable files found :
Oct 1 04:02:21 localhost logger: - /tmp/.ICE-unix
Oct 1 04:02:21 localhost logger: - /tmp/.X11-unix
Oct 1 04:02:21 localhost logger: - /tmp/.X11-unix/X0
Oct 1 04:02:21 localhost logger: - /tmp/.font-unix
Oct 1 04:02:21 localhost logger: - /tmp/.font-unix/fs-1
Oct 1 04:02:21 localhost logger: - /usr/lib/childsplay/Data/childsplay.score
Oct 1 04:02:21 localhost logger: - /usr/share/doc/apt-0.5.15lorg3.92/examples
Oct 1 04:02:21 localhost logger: - /var/lib/lock/sane
Oct 1 04:02:21 localhost logger: - /var/run/acpid.socket
Oct 1 04:02:21 localhost logger: - /var/run/avahi-daemon/socket
Oct 1 04:02:21 localhost logger: - /var/run/cups/cups.sock
Oct 1 04:02:21 localhost logger: - /var/run/dbus/system_bus_socket
Oct 1 04:02:21 localhost logger: - /var/run/xdmctl/dmctl-:0/socket
Oct 1 04:02:21 localhost logger: - /var/run/xdmctl/dmctl/socket
Oct 1 04:02:21 localhost logger: - /var/spool/samba
>>>> snip <<<<<

Is this a security risk and what do I need to do about it? I have no unusual processes or connections. No performance issues. I check top and ksysguard and netstat every few days. I don't want to be paranoid, just know if this is a problem and what, if anything, I need to do or any more info I need to post.
 
Old 10-05-2007, 10:16 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Most any GNU/Linux will require some files and/or directories to be world-writable. So the fact that your msec (I assume that is what reported this) has detected some should not be in and of itself a cause for concern at this point. What you should do is look at each reported file individually, and determine whether or not it is a file that should indeed have these world-writable permissions. It'll be an educational exercise, as it implies going through man pages and/or doing some googling. That said, you've got only 15 files there, so it should be a piece of cake.

Once you've made sure your perms are okay, msec will (hopefully) let you configure it in such a way that these files won't raise any more alarms for being world-writable. That way you will be much less likely to ignore future world-writable warnings, as they will then (in theory) be true security vulnerabilities (and possible evidence of a breach).

Last edited by win32sux; 10-05-2007 at 11:24 AM.
 
Old 10-06-2007, 10:20 AM   #3
ilago
LQ Newbie
 
Registered: Dec 2006
Location: Australia
Distribution: Mepis, PCLinuxOS, openSuse 10.3
Posts: 16

Original Poster
Rep: Reputation: 0
Msec did not report this. I found it in the syslog and the security log when I was checking them. I check some of the logs once a week.

Shorewall is activated with the usual internet access allowed. I don't use torrents or do any uploads that aren't direct to my webpage.

Prior to installing the games for the kids these entries weren't in the logs. So I've assumed they belong to those installations.

I'm not exactly sure what a "world writable" file is or why two simple kids' games have complicated my little world here.

Does world writable mean the local networked machines have access or just users on this machine? Or are we talking they're open to more than that, like through Shorewall and the router?

There are 5 machines on the LAN - 1 OSX, 2 PCLinuxOS, 1 Vista, 1 XP. Family only. There is no file sharing between the machines. Only the printer is shared. I use a switch with a modem/router with NAT enabled. The LAN is hardwired, no wireless is used and all wireless is disabled on the router and on the 2 laptops that are part of the LAN.

I'm happy to track the information down, but it's not going to help me determine which are safe and which are unsafe to leave in that state because I'm not sure what state it is. It also won't assist me to find out what I need to do.

If it's within my LAN, it may not matter at all. That's why I asked.

I don't mind doing my homework. I posted here after doing the google and forum searches I usually do. I wouldn't be using linux if I minded doing that.

It's something I've not run into before and some help would be appreciated.
 
Old 10-06-2007, 10:43 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by ilago
Does world writable mean the local networked machines have access or just users on this machine? Or are we talking they're open to more than that, like through Shorewall and the router?
World-writable refers to file permissions on the local filesystem (nothing to do with your router). A file's permissions consist of three basic classes: permissions for the user who owns the file; permissions for members of the group that was assigned to the file; and permissions for all other users. Each class can have read (r), write (w), and execute (x) permissions. World-writable means that the file has write permissions for all three classes. For example, take a look at my /tmp directory contents:
Code:
win32sux@candystore:~$ ls -la /tmp
total 6
drwxrwxrwt 10 root  root   368 2007-10-06 10:16 .
drwxr-xr-x 22 root  root   656 2007-09-21 20:15 ..
drwxrwxrwt  2 win32sux win32sux   72 2007-10-06 10:16 .esd-1000
drwx------  3 win32sux win32sux   72 2007-10-06 10:16 gconfd-win32sux
drwxrwxrwt  2 root  root    72 2007-10-06 10:16 .ICE-unix
drwx------  2 win32sux win32sux   72 2007-10-06 10:16 keyring-ri0lr4
srwxr-xr-x  1 win32sux win32sux    0 2007-10-06 10:16 mapping-win32sux
drwx------  2 win32sux win32sux 1040 2007-10-06 10:25 orbit-win32sux
drwx------  2 win32sux win32sux   80 2007-10-06 10:16 ssh-XS3oue5374
drwx------  2 win32sux win32sux   48 2007-10-06 10:16 virtual-win32sux.JSLgo3
-r--r--r--  1 root  root    11 2007-10-06 10:16 .X0-lock
drwxrwxrwt  2 root  root    72 2007-10-06 10:16 .X11-unix
win32sux@candystore:~$
As you can see, I have three world-writable directories in there, which I have put in bold.

Even the /tmp directory itself has world-writable permissions:
Code:
win32sux@candystore:~$ ls -l / | grep tmp
drwxrwxrwt  10 root root   408 2007-10-06 10:26 tmp
win32sux@candystore:~$
These directories I have illustrated have these perms because X11 and ESD need them that way. Notice how they each have the sticky bit set, though. This makes sure only the owners of the files inside can delete or rename them.

Quote:
Originally Posted by ilago
Msec did not report this. I found it in the syslog and the security log when I was checking them. I check some of the logs once a week.
For this type of info to appear in your syslog, it needs to be sent there by a program. It is my understanding that Mandriva's msec logs to syslog when run by cron. Keep in mind that PCLinuxOS is based on Mandriva.

Last edited by win32sux; 10-06-2007 at 10:52 AM.
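
An added example, not part of the original posts and not msec's own code: a shell function that lists entries whose "other" write bit is set and separates sticky-bit directories and sockets from the regular files and non-sticky directories that merit the per-file look suggested earlier in the thread. The function names, labels and the constructed demo tree are assumptions; it needs GNU find and stat.

```shell
#!/bin/sh
# Added example (not from the thread): triage world-writable entries.
# Requires GNU find and stat. Paths containing newlines are not handled.

# classify_ww DIR -> one line per entry: "<label> <octal mode> <path>"
classify_ww() {
    # -perm -0002 matches anything whose "other" write bit is set.
    # Symlinks are skipped: their own mode bits are not enforced.
    find "$1" -xdev ! -type l -perm -0002 -print 2>/dev/null |
    while IFS= read -r path; do
        mode=$(stat -c '%a' "$path") || continue
        if [ -d "$path" ]; then
            # Sticky bit (the trailing "t" in drwxrwxrwt): only a file's
            # owner may delete or rename it inside this directory.
            if [ -k "$path" ]; then label=OK-sticky-dir
            else label=REVIEW-dir-no-sticky; fi
        elif [ -S "$path" ]; then
            label=INFO-socket      # any local user may connect to it
        elif [ -f "$path" ]; then
            label=REVIEW-regular-file
        else
            label=INFO-other       # FIFOs, device nodes
        fi
        printf '%s %s %s\n' "$label" "$mode" "$path"
    done
}

# demo_tree builds a constructed sample tree and prints its path.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tmp-like" "$d/open-dir" "$d/private"
    chmod 1777 "$d/tmp-like"     # like /tmp: world-writable + sticky
    chmod 0777 "$d/open-dir"     # world-writable, no sticky bit
    chmod 0700 "$d/private"      # not world-writable, never listed
    : > "$d/game.score"; chmod 0666 "$d/game.score"
    : > "$d/notes.txt";  chmod 0644 "$d/notes.txt"
    printf '%s\n' "$d"
}

tree=$(demo_tree) && classify_ww "$tree"
```

Run as root against a real path, for example `classify_ww /var`, the REVIEW lines are the ones to check against the owning package's documentation.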
 
Old 10-06-2007, 11:21 PM   #5
ilago
LQ Newbie
 
Registered: Dec 2006
Location: Australia
Distribution: Mepis, PCLinuxOS, openSuse 10.3
Posts: 16

Original Poster
Rep: Reputation: 0
Thank you win32sux. That's exactly what I needed to know.

One of the things I like about Linux is that it is never boring. There's just a few things I run into where I can't easily find "comprehensible" answers that seem to apply to my situation. This was one of them.
 
  

