NAME
    ckfsec - Check file and directory security

SYNOPSIS
    ckfsec [-aeh] [-i flag...] [-mnsvw] directory [directory ...]
OPTIONS
    -a        "All" mode; has the same effect as a combination of -e, -v,
              and -w.

    -e        Explain mode; appends explanatory text to lines of the
              report.

    -h        Displays a usage message.

    -i flag...
              Suppresses reporting and checking as specified by one or
              more of the following flags. When specifying multiple
              flags, do not separate them by using spaces.

              - Do not report in the summary whether Access Control
                Lists (ACLs) are enabled on the system (flag a).
              - Do not check for GID mismatches between a link and its
                target.
              - Do not check for hardlinks (files with link count
                greater than 1).
              - Do not check for symbolic links whose targets do not
                exist.
              - Do not check for world-writable directories on which
                the sticky bit is not set.
              - Do not check for UID mismatches between a link and its
                target.

    -m        Restricts processing to files that are in the same file
              system as directory.

    -n        Ignores file systems mounted through NFS.

    -s        Suppresses the summary lines that are otherwise included
              at the end of the report. The summary lines report the
              total number of directories that were processed, the
              number of world-writable directories that were found, the
              total number of potential problems that were found, and
              (unless the a flag is specified with -i) whether ACLs are
              enabled on the system.

    -v        Verbose mode; includes in the report all files and
              directories that were checked, not just those that have a
              potential problem.

    -w        Displays in the report the pathnames of all world-writable
              directories, not just those found to be vulnerable.

              If -w is not specified, the total count of world-writable
              directories that were processed is included in the
              summary lines at the end of the report (unless -s is
              specified to omit the summary). This count always includes
              all world-writable directories that were found, whether or
              not they had the sticky bit set or contained vulnerable
              files.

OPERANDS
    directory
              The pathname of the top-level directory of the file tree
              to be checked. A space-separated list of multiple
              pathnames may be specified to check more than one tree.
DESCRIPTION
    The ckfsec tool searches a directory tree for world-writable
    directories and, in each of these, searches for and reports on the
    following potential vulnerabilities:

    - A symbolic link whose target has an owner or group different from
      the link
    - A symbolic link whose target does not exist
    - A world-writable directory without the sticky bit set, including
      the specified directory, if applicable
    - A pipe
    - A file with a link count greater than 1 (a file with "hard links")
    Potential vulnerabilities are reported in the following format:

        code type [uid] [gid] mtime file[ -> target] [explanatory_text]

    In this format:

    code      Indicates the problem. Each code value begins with W
              (warning) or E (error) to indicate the severity, followed
              by one to three of the following letters to indicate why
              file is potentially vulnerable:

              g   The GID of a symbolic link does not match the GID of
                  its target. This might mean that a nonprivileged user
                  created a symbolic link to point to a privileged file.
              h   The file has a link count greater than 1. This might
                  mean that a nonprivileged user created a hardlink that
                  specifies a privileged file.
              m   The symbolic link specifies a target that does not
                  exist. This might allow a nonprivileged user to trick
                  a privileged process into creating a privileged file.
                  By itself, this condition is treated as a warning.
              -   A pipe was found.
              s   The mode of the directory (if world-writable) is
                  missing the sticky bit.
              u   The UID of a symbolic link does not match the UID of
                  its target. This might mean that a nonprivileged user
                  created a symbolic link to point to a privileged file.
              w   The directory is world-writable, which allows
                  nonprivileged users to create links that can trick
                  privileged programs into writing or overwriting
                  privileged files. A world-writable directory is
                  reported as a warning, unless its sticky bit is not
                  set, in which case the directory is reported as an
                  error.

    type      Specifies what file represents. Type identifiers are as
              follows:

              d   Directory
              -   Regular file (shown only if -v is specified)
              h   Hardlink
              l   Symbolic link
              -   Pipe

    uid       Identifies the owner (UID) of file.

    gid       Identifies the group (GID) of file.

    mtime     Specifies the time that file was last modified.

    file      Specifies the pathname of the file system object that is
              potentially vulnerable.

    target    If file is a symbolic link, specifies its target.

    explanatory_text
              Includes additional information about the potential
              problem. This additional information is appended to report
              lines only if -e is specified on the command line.
    While traversing the specified directory tree, ckfsec does not
    process any files found in secure subdirectories; however, the tool
    does process all subdirectories.

    The main body of the report that the tool produces lists files that
    are potential vulnerabilities. If the -a or -v option is specified,
    the body of the report lists all directories and files that were
    processed.
    Unless the -s option is specified, the report ends with summary
    lines as follows:

        Total directories: count
        World-writable dirs: count
        Total problems: count
        ACLs_statement

    Unless omitted by the a flag for the -i option, ACLs_statement is
    one of the following:

        This system has ACLs enabled. ACLs may introduce additional
        security risks.

              The ckfsec utility does not check ACLs. ACLs, depending on
              what they contain, can either tighten or relax the
              security provided by directory or file permissions alone.
              This informational message is displayed to remind you that
              ACLs have not been checked and that you should make sure
              that no world-writable directory has an ACL that makes the
              system more vulnerable than it would be otherwise.

        ACLs are not enabled on this system.

              This message is what you would expect if ACLs are not
              being used to manage system security.
    Note

    ACL reporting is not supported for releases prior to Tru64 UNIX
    Version 5.0A. If the ckfsec tool is installed and run on Tru64 UNIX
    versions prior to Version 5.0A, ACLs_statement is not included in
    the report.

    The tool's report must be checked manually to determine whether any
    of the files and directories identified as vulnerable represent an
    actual breach of system security or are likely to be used in that
    way.
EXAMPLES
    The following example shows a report from a ckfsec command that
    includes no options:

        # ckfsec /
        Ews d 0777 0 0 2002/02/11 /tmp/one                                  [1]
        Eh h 0644 8941 0 2002/02/11 /tmp/backdoor                          [2]
        Eg l 0777 8941 0 2002/02/11 /tmp/one/two/a.txt -> /home/brians/.profile   [3]
        Eu l 0777 0 0 2002/02/11 /tmp/one/two/three/a.txt -> /tmp/one/two/a.txt  [4]
            Eg l 0777 8941 0 2002/02/11 /tmp/one/two/a.txt -> /home/brians/.profile   [5]
        Eug l 0777 8941 33 2002/02/09 /tmp/README -> /etc/fstab            [6]
        Wm l 0777 8941 0 2002/02/09 /tmp/core -> /etc/nologin              [7]
        Total directories: 9
        World-writable dirs: 5
        Total problems: 7
        ACLs are not enabled on this system.
    In this example, the lines that start with error codes show the
    following:

    [1]  Reports a world-writable directory that does not have the
         sticky bit set. The sticky bit prevents users (other than the
         directory owner, the file owner, or the superuser) from
         deleting or renaming files in that directory.

    [2]  Reports a file system object (in a world-writable directory)
         with a link count greater than 1. The ls -i command might
         reveal, for example, that backdoor is a hardlink to (has the
         same i-number as) the one directory.

    [3]  Reports a GID mismatch.

    [4], [5]
         Reports a UID mismatch. The tool traces links two levels deep;
         therefore, line 5 is indented accordingly. These lines show
         that vulnerabilities are sometimes masked through multiple
         links between different directories and files.

    [6]  Reports both a UID and GID mismatch. In this case, the link
         might cause a privileged file to be overwritten.

    [7]  Reports a symbolic link to a file that does not currently
         exist. In this case, the link target would be a problem if it
         were created in the future.
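The following Python script is an added example that re-implements the checks described above over a constructed directory tree; it is not the Tru64 ckfsec source, and it is not part of this manual page. It walks every subdirectory, examines only the entries of world-writable directories, and prints report lines in the documented shape (with the mode column the sample report shows). The code letters g, h, m, s, u and w are taken from the sample report; the letter p for pipes, the code Ww for a sticky world-writable directory, and the warning severity for pipes are assumptions, as is the omission of the ACLs_statement, since this example does not inspect ACLs. The hypothetical build_demo_tree() creates the sample input: a world-writable directory without the sticky bit holding a dangling symbolic link and a hard link, beside a secure directory whose files are skipped.

```python
"""Illustrative re-implementation of the ckfsec checks (added example, not the tool's source)."""
import os
import stat
import tempfile
import time


def _fmt(code, ftype, st, path, target=None):
    """Build one report line: code type mode uid gid mtime file[ -> target]."""
    mtime = time.strftime("%Y/%m/%d", time.localtime(st.st_mtime))
    line = f"{code} {ftype} {stat.S_IMODE(st.st_mode):04o} {st.st_uid} {st.st_gid} {mtime} {path}"
    if target is not None:
        line += f" -> {target}"
    return line


def check_entry(path):
    """Examine one object inside a world-writable directory; return a report line or None."""
    st = os.lstat(path)                      # never follow the link here
    if stat.S_ISLNK(st.st_mode):
        target = os.readlink(path)
        try:
            tst = os.stat(path)              # follows the link to its target
        except FileNotFoundError:
            return _fmt("Wm", "l", st, path, target)   # dangling: a warning by itself
        letters = ""
        if tst.st_uid != st.st_uid:
            letters += "u"                   # owner of link and target differ
        if tst.st_gid != st.st_gid:
            letters += "g"                   # group of link and target differ
        return _fmt("E" + letters, "l", st, path, target) if letters else None
    if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        return _fmt("Eh", "h", st, path)     # hard-linked file
    if stat.S_ISFIFO(st.st_mode):
        return _fmt("Wp", "p", st, path)     # assumed letter and severity for a pipe
    return None


def ckfsec(top):
    """Walk the tree; report world-writable dirs and suspicious objects inside them."""
    report = []
    summary = {"dirs": 0, "world_writable": 0, "problems": 0}
    for dirpath, dirnames, filenames in os.walk(top):
        summary["dirs"] += 1
        dst = os.lstat(dirpath)
        if not dst.st_mode & stat.S_IWOTH:
            continue                         # secure directory: skip its files, still descend
        summary["world_writable"] += 1
        sticky = bool(dst.st_mode & stat.S_ISVTX)
        report.append(_fmt("Ww" if sticky else "Ews", "d", dst, dirpath))  # Ww is assumed
        if not sticky:
            summary["problems"] += 1
        for name in dirnames + filenames:
            line = check_entry(os.path.join(dirpath, name))
            if line:
                report.append(line)
                summary["problems"] += 1
    return report, summary


def summary_lines(summary):
    """Summary in the documented shape; no ACLs_statement because ACLs are not inspected here."""
    return [f"Total directories: {summary['dirs']}",
            f"World-writable dirs: {summary['world_writable']}",
            f"Total problems: {summary['problems']}"]


def build_demo_tree():
    """Constructed sample tree (hypothetical, not from the manual page)."""
    root = tempfile.mkdtemp()                # mode 0700, so root itself is not reported
    ww = os.path.join(root, "ww")
    os.mkdir(ww)
    os.chmod(ww, 0o777)                      # explicit chmod so the umask cannot strip bits
    os.symlink("no-such-file", os.path.join(ww, "dangling"))
    secure = os.path.join(root, "secure")
    os.mkdir(secure, 0o755)
    orig = os.path.join(secure, "orig.txt")
    with open(orig, "w") as fh:
        fh.write("x")
    os.link(orig, os.path.join(ww, "backdoor"))   # second name for the same inode
    return root


if __name__ == "__main__":
    lines, totals = ckfsec(build_demo_tree())
    print("\n".join(lines + summary_lines(totals)))
```

Run as a script it prints an Ews line for the demo directory, a Wm line for the dangling link and an Eh line for the hard link, followed by the three summary lines; orig.txt in the secure directory is not reported even though its link count is also 2, mirroring the rule that files in secure subdirectories are not processed.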
SEE ALSO
    Commands: dirclean(8)
    Functions: mktemp(3), safe_open(3)
    Others: sys_attrs_sec(5)

ckfsec(1)