How to Identify and Fix Incorrect File Permissions in Public Directories on Unix Systems


3 views

When managing public directories on Unix systems, incorrect file permissions can lead to serious security vulnerabilities. Files that are too permissive might expose sensitive data, while overly restrictive permissions could break web applications or prevent legitimate access.

The find command is your best friend for locating files with specific permission sets. Here are some practical examples:


# Find world-writable files (dangerous!)
find /path/to/public -type f -perm -002 -exec ls -la {} \;

# Find files readable by others but shouldn't be
find /path/to/private -type f -perm -004 ! -perm -100 -print

# Find directories with execute but no read permission (odd case)
find /path -type d -perm -001 ! -perm -004 -ls

For typical web directories, these are the recommended permissions:

  • Directories: 755 (drwxr-xr-x)
  • HTML/CSS/JS files: 644 (-rw-r--r--)
  • Executable scripts: 755 (-rwxr-xr-x)
  • Configuration files: 600 (-rw-------)

Here's a bash script that checks permissions against recommended values:


#!/bin/bash

TARGET_DIR="/var/www/html"

# Expected permissions
declare -A good_perms=(
    [".php"]="755"
    [".html"]="644"
    [".js"]="644"
    [".css"]="644"
    [".conf"]="600"
)

find "$TARGET_DIR" -type f | while read -r file; do
    ext="${file##*.}"
    expected_perm="${good_perms[".$ext]:-644}"
    actual_perm=$(stat -c "%a" "$file")
    
    if [[ "$actual_perm" != "$expected_perm" ]]; then
        echo "WARNING: $file has $actual_perm (should be $expected_perm)"
    fi
done

After identifying problematic files, you can fix them with these commands:


# Set default permissions for directories
find /path/to/public -type d -exec chmod 755 {} \;

# Set default permissions for files
find /path/to/public -type f -exec chmod 644 {} \;

# Special case for CGI scripts
find /path/to/public -name "*.cgi" -exec chmod 755 {} \;

For more granular control, consider using Access Control Lists:


# Grant group write access without changing other permissions
setfacl -Rm g:developers:rwX /path/to/project

# Check current ACLs
getfacl /path/to/file

When managing public directories on Unix systems, improper file permissions can create security vulnerabilities or accessibility issues. The most common scenarios include:

  • World-writable files (766, 777 permissions)
  • Overly restrictive permissions preventing web server access
  • Incorrect ownership preventing proper directory traversal

The find command is our primary tool for permission auditing. Here are the most useful patterns:

# Find world-writable files
find /path/to/public_dir -type f -perm -o=w ! -perm -u=w -ls

# Find directories with incorrect permissions (not 755)
find /path/to/public_dir -type d ! -perm 755 -ls

# Find files that should be private but are readable by others
find /path/to/private -type f -perm /o+r -exec ls -ld {} \;

For typical web server directories, these are the recommended permissions:

Directories: 755 (drwxr-xr-x)
Static Files: 644 (-rw-r--r--)
Executable Scripts: 755 (-rwxr-xr-x)
Sensitive Configs: 600 (-rw-------)

Create a shell script to audit and optionally fix permissions:

#!/bin/bash
TARGET_DIR="/var/www/html"

# Audit function
audit_permissions() {
    echo "Checking directory permissions..."
    find "$TARGET_DIR" -type d ! -perm 755 -exec ls -ld {} \;

    echo "Checking file permissions..."
    find "$TARGET_DIR" -type f $-name "*.php" -o -name "*.cgi"$ ! -perm 755 -exec ls -l {} \;
    find "$TARGET_DIR" -type f ! $-name "*.php" -o -name "*.cgi"$ ! -perm 644 -exec ls -l {} \;
}

# Fix function (run with caution)
fix_permissions() {
    find "$TARGET_DIR" -type d -exec chmod 755 {} \;
    find "$TARGET_DIR" -type f $-name "*.php" -o -name "*.cgi"$ -exec chmod 755 {} \;
    find "$TARGET_DIR" -type f ! $-name "*.php" -o -name "*.cgi"$ -exec chmod 644 {} \;
    echo "Permissions standardized"
}

For more complex environments, consider these approaches:

# Find files owned by specific users
find /path -type f -user apache -o -user www-data

# Find files modified in last 24 hours with loose permissions
find /path -type f -mtime -1 -perm /o=rwx

# Compare against a known good permissions database
find /path -printf "%m %p\n" | diff - expected_permissions.txt

When fixing permissions:

  • Always back up permission settings before bulk changes
  • Consider using ACLs for complex permission requirements
  • Monitor permission changes with auditd or similar tools
  • Remember that changing permissions may break existing functionality