Checking no world-writable


#1

Picking up on this from another thread,

and bobocat’s reply,

Well I’m slightly dubious about this idea of encouraging ordinary Dreamhost customers to become fluent with shell commands, but perhaps if we try a specific example we can see how we fare. A good example would be where it says in the wiki,

[quote]World-writable directories will allow file writing by any user on the machine. These directories can be mass-scanned so this attack has been surfacing quickly. Even after you’ve checked all the above options this step must be performed. Even if you’re sure you didn’t make any permission mistakes, some less security-aware software vendors or plugin developers often use system commands or language-native permission-management functions to make some directories (usually ones used for caching and temporary files, session files etc) to ease installation and management.

To scan for directories with world-writable permissions use the UNIX find tool

[/quote]

(http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites)

I tried that and it produced no output. Hopefully, that would mean that I don’t actually have any world-writable directories. However, obviously one should not rely on that. Maybe it produced no output because the communications link just went down.

So I tried to find an option to the ‘find’ command that would produce a summary line at the end saying how many files it matched. Then my automatic site-checking job could grep the log file for a line saying something like “0 file(s) matched”.

I couldn’t find any such option. Could someone help please or suggest another approach?

~Tom


#2

You are correct: if nothing is found, there is no output returned.

Here is a good learning exercise for you.

$ find . -type d -perm -o=w
$ mkdir test_world
$ chmod 777 test_world
$ find . -type d -perm -o=w
./test_world
$ rm -rf test_world

The first line returned no output.
The second line creates the directory test_world.
The third line changes the permission of test_world that we just created.
Line 4 runs the command again.
The 5th line shows us the output of find: the directory we just created and made world writable.
The 6th line is dangerous (be careful of typos), however you could also use the less dangerous ‘rmdir test_world’ assuming that you are removing an empty directory.

Two notes:
$rm -rf directoryname
the -rf means Recursively and Forcefully, which translates to “even if this directory is not empty remove it AND everything under it without further warnings”, and is a good fast way to make a directory go away, but can be dangerous if you don’t realize its power.

$find . -type d -perm -o=w
using ‘find .’ is very common, but is subject to the current directory. Literally the . means ‘current path’ so if you for example had previously typed
$cd DOMAINNAME.COM/wordpress (All caps means use your domain name, not DOMAINNAME.COM and ‘cd’ is the change directory command)
then executed the find command you would only be looking in the wordpress folder and below, and if there was say a phpbb folder also at the domain root, we would not be checking there with the ‘find’ command.

If you have just logged into the shell, and have not yet used ‘cd’, then . would be your user’s home directory or /home/USERNAME, and using ‘find . -type d -perm -o=w’ would in fact check your user’s entire file structure.

You can always find out what . means using Print Working Dir, or ‘pwd’
$pwd
/home/USERNAME
$cd DOMAINNAME.COM
$pwd
/home/USERNAME/DOMAINNAME.COM


#3

Thank you Lakerat, that confirms my suspicions.

How would I as a non-expert Dreamhost customer be able to distinguish between the ‘find’ command running successfully (i.e. silently) and the communications link going down intermittently?

Maybe there is a simple additional option to the ‘find’ command which would cause it to positively indicate success; or maybe there is an easy alternative approach; but until this kind of thing is sorted out, the question remains:

are the tools provided by Dreamhost for self-help site-checking fit for use by non-experts?

~Tom


#4

Maybe I’m missing what you are saying, but these aren’t really tools provided by dreamhost, they are linux/unix shell commands. They are fairly easy to use once you get the hang of it, and most everyday commands aren’t too dangerous to use. There are a few common exceptions to that, like the ‘rm -rf’ example I gave above, but even that command is only dangerous to you and your files–it won’t delete other users’ directories/files or system directories/files. In general the basics are easy, straightforward, and not dangerous.

It’s true that Linux comes in various different flavors and distributions, and there are even choices when it comes to command shells, but for command shells (also called a command interpreter) the most commonly used is bash and that is the default at dreamhost when you create your shell access. Although they can differ slightly through the various linux flavors, they are all pretty much the same here at dreamhost or anywhere else you might use a bash shell --AND-- most of the commands and special characters (especially the basics and the concepts) have been the same for 20+ years. It’s true that as things change and evolve a command might get more options, or there might be new commands, but the basics and the concepts haven’t changed in a long time.

The reason that commands such as ‘find’ run the way they do is because in many cases you want to do something else with the output. This is often referred to as “redirection” and “piping”.

An example of simple redirection would be to take the output of your command and send it to a file.

$ find . -type d -perm -o=w > myfindoutput.txt

that’s the same command as yesterday but we added “> myfindoutput.txt” to the end. That says: instead of putting the output in the terminal window on the screen, take that output and put it in a file called myfindoutput.txt. The magic is done by the redirection character >

An example of a simple pipe would be

$ find . -type d -perm -o=w | more

here we added “| more” to the end, and what that says is: take my output and pipe it (or send it) as the input to a different command, in this case “more”. What “more” does is pause the output at one screenful as it sends it to your terminal window. In the example in my post above the “find” command only had one line of output, which easily fits onto the screen. But what if it had 100 or 500 lines? Then we would probably want to add “| more” to break that up so that it doesn’t scroll by too fast to read; after one screenful it would pause and say “–more–” at the bottom of the screen and wait until we hit the spacebar to get another screenful. There are some other keys you can hit too, like “q” to quit (and throw away the rest of what we haven’t seen yet) or the enter key to advance one line at a time thru the rest of the output.

It may seem confusing and like a lot to remember at first, but the concept to grasp is that “simple commands” are the building blocks, which may be joined to other commands to form something more complex. You might also take a string of those commands and put them together into a file, and then it’s called a script. As you learn more about the building blocks it’s relatively easy to begin to string them together, and that’s what creates the power of the shell.

The whole thing may seem relatively easy to me because I learned this way first. GUIs like Windows came later. For the most part tho, once you get over the scare factor of “the shell”, it’s easy and fast to use. Your hands stay on the keyboard more, so there is less need to move and click the mouse. And in most cases anything that is dangerous will warn you first (unless you told it not to warn you, like adding the f in the command “rm -rf”).

My advice would be, create a separate subdomain with a separate user to use for your learning and find a few tutorials and just start to experiment, maybe find some online tutorials (google “bash tutorial”). If you’re the book type instead of an online tutorial type just pick up a “for dummies” book at a book store or library and start going thru it. If you have created that learning environment by making a separate sub-domain and user, you really aren’t going to mess anything up. Then as you get the hang of it you can use what you have learned on your “live” environment.

When you have questions, you have lots of friends! At the command prompt try some of these things

$ man find
"man" means manual and “man find” means you want to read the manual page for the command “find”.
$ info find
is an alternate manual page, I prefer man pages to info pages personally but to each his own…
$ find --help
short command syntax help, less info than man or info would give you.

and so on and so forth… try man, info or --help on any command.

search the dreamhost wiki, or Google is your friend too, try searches for “bash find” “bash chmod” “bash ls”

and lastly forums like this one, where people are always willing to help out.

It’s not hard to pick up and use, and it’s not going to change and be all different with the next release.


#5

Lakerat you are a goldmine. May I present the problem in a more specific form, and hopefully you will come up with a solution.

Putting together what we know so far, here is a windows .bat file to check if my user at dreamhost has any world-writable directories.

@ start /min /wait putty -load "dreamhost" -l %1 -pw %2 -m dw.sh
@ gawk "/^\./ { print }" dreamhost.log | grep . > nul
@ if errorlevel 1 echo congratulations, user %1 has no world-writable directories at dreamhost

As you can see, it takes a user name and password as arguments, loads the putty session ‘dreamhost’ (which has been set up to connect to my server at dreamhost and write the log to ‘dreamhost.log’), and runs the file ‘dw.sh’ (which contains the single line ‘find . -type d -perm -o=w’) in a dreamhost shell; then it selects any lines starting with the character ‘.’ from the log file, and finally says “congratulations” if there aren’t any.

So I ran this .bat file, and it said “congratulations, user [xxx] has no world-writable directories at dreamhost”.

Well here is my question: how can I check that the ‘find’ command actually ran and produced no output? Maybe it did produce output, but the output didn’t arrive in the log file because the communications link went down briefly.

~Tom


#6

If you can write a windows .bat file you can do shell scripts too :wink: Actually they are easier! I had to do a windows .bat file the other day and about pulled my hair out.

Log into your shell and type
$ mkdir world_write_test
$ chmod 777 world_write_test

then run your windows .bat file. When you’re all done use

$ rm -rf world_write_test

to get rid of that directory you created for the test.

What would I do different?

Either write that as a shell script that, after it’s debugged, runs by cron and emails the output to me (if I really wanted to keep checking every day or something)

Or if I just wanted to have a bookmark or windows desktop icon I could click to check, you could do a little php that runs the find command in a shell and outputs it in a webpage buried somewhere like http://MYDOMAIN.COM/private/worldwritecheck.php

then you could even do an .htaccess file so it would only let you (via IP address restriction, password or both) look at the private directory, then either bookmark it or make a desktop icon that opens that page.

It’s actually easier and has less dependencies than the .bat file you made.

[hr]
Also: Rereading your question one more comment…

Something should error somewhere “if the communications link went down briefly” putty itself probably.

Your putty session should be set up as ssh with an RSA authorized_key file tho, and not passing a password, like you are.
see http://wiki.dreamhost.com/SSH and scroll down to passwordless login
[hr]
Another approach you could take to making sure you get output via your method is add a second line to dw.sh
echo check complete!
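As an added example (not from any participant in this thread), here is the “noise = success” idea above written as a POSIX shell function around the wiki’s find command: it always prints a summary line and a completion marker, so an empty transcript can be told apart from a genuine clean result. The label argument, the return codes and the scratch directory names are my own assumptions.

```shell
#!/bin/sh
# Added example: a wrapper around `find . -type d -perm -o=w` that reports
# positively. Usage: check_world_writable [DIR] [LABEL]
# Prints any world-writable directories (one per line), then a summary line,
# then "check complete!". Returns 0 when none were found, 1 otherwise, so the
# exit status can drive cron mail or a script just like the printed text can.
check_world_writable() {
    dir=${1:-.}
    label=${2:-$(id -un)}
    # The wiki's invocation; -perm -o=w matches the "other write" bit.
    hits=$(find "$dir" -type d -perm -o=w 2>/dev/null)
    if [ -z "$hits" ]; then
        count=0
    else
        printf '%s\n' "$hits"
        count=$(printf '%s\n' "$hits" | grep -c '')
    fi
    if [ "$count" -eq 0 ]; then
        echo "$label has no world-writable directories"
        status=0
    else
        echo "$label: $count world-writable directories found"
        status=1
    fi
    echo "check complete!"
    return $status
}

# Self-test on a constructed scratch tree, mirroring the test_world exercise
# from earlier in the thread: one 755 directory and one 777 directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/ok" "$tmp/test_world"
    chmod 755 "$tmp/ok"
    chmod 777 "$tmp/test_world"
    found=0
    check_world_writable "$tmp" demo || found=$?
    chmod 755 "$tmp/test_world"
    clean=0
    check_world_writable "$tmp" demo || clean=$?
    rm -rf "$tmp"
    echo "exit status with 777 dir: $found; after chmod 755: $clean"
}
```

Run `demo` after sourcing the file to see both the positive “found” and the positive “no directories” results end with the completion marker.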


#7

Good point! If we do more of the processing in the shell, then we can turn “silence = success” into “noise = success” before sending it down the communications link. I’ve changed the script to

and this I believe works (the echo should arrive only if the ‘find’ command produced no output). Now I’m feeling better, thanks.

~Tom


#8

Today I found out some more things that I was doing wrong yesterday, and one of them is that ‘putty’ is the wrong tool for this job;

‘plink’ is much better, as it sends terminal output to stdout instead of to a window, so we can dispense with the log file. This simplifies the .bat file down to one line.

Also, I adopted your useful suggestion of doing passwordless login. Very nice! And now that passwords are no longer part of the equation, it becomes convenient to handle all the users in one go, starting with a text file which simply lists the user names.

So let us suppose we start with the file users.txt, containing (for example)

user1
user2
user3

and the new simplified .bat file is

where the script file dw.sh is almost the same as yesterday but can now also specify the $USER:

So running the .bat file produces output like this (for example):

user1 has no world-writable directories
user2 has no world-writable directories
user3 has no world-writable directories

For simplicity I’ve omitted the final step, which would be to strip the output down to the first word on each line and check that the result is byte-for-byte identical with the file users.txt that we started with; but I suppose this should be easy enough to add.

Well my question remains: why are Dreamhost customers being asked to figure this kind of thing out for themselves? I’m still not happy with the assumption that if ‘find’ produces no output, it means that all is well. If Dreamhost wants us to check our sites against corruption which occurs through no fault of our own, then I think they should provide much more in the way of nicely packaged site-checking utilities.

~Tom


#9

‘find’ is a linux standard command utility that is used for many things, no output simply means it didn’t find anything. It also has errorout if you used bad syntax or it didn’t execute correctly for some reason.

Couldn’t agree more on a nice tubeable script that those of us who care to use it could implement. The problem is that those that would care to use it would all want it to do something different than it does. Users would tweak it to their needs and wants, and then when dreamhost updated the original, the users wouldn’t pick it up because they would have to diff it to their copy and spend time re-implanting their tweaks.

bobocat (I wonder where he went–he’s been silent a few days) started a wikipage on this subject that you can find here: http://wiki.dreamhost.com/Detecting_intrusions


#10

People that don’t agree to the ToS, or do not conform to it, should probably seek a different host.


#11

The fallaciousness of your quibble aside, webmasters should be encouraged to learn about shell commands, especially before they run in and blindly issue commands they may have read on the Internet without understanding the outcome.

Point in case:

You must have missed the part where he said “…it helps to read up before you do anything.”

The find command does not need to produce output. That is not its purpose.

Fallacy based conjecture is bad enough, but ^that is patently outrageous.

If you want to check your site against corruption that may occur through fault of your own, then you should avail yourself of tools that you will use in order to alleviate said corruption and/or potential points of corruptibility.


#12

You are advocating narrowing down the Dreamhost customer base, keeping the do-it-yourself enthusiasts and high priests. It will be interesting to see if your advocacy succeeds.

~Tom


#13

Taking into account your (now expected) diversionary response; I can but assume that you understood completely that which was conveyed.


#14

Hi. You found my response diversionary? Well it’s true I didn’t respond to your technical points, and that’s because I found what you said so bizarre that I thought it not worth commenting on.

Perhaps I was mistaken about that, and I should have tried to comment. So let’s see.

Here is what I was saying on the previous page: for security verification, especially through a telecomms link, the ‘silence means success’ paradigm of unix should be translated into a ‘noise means success’ paradigm.

Thus, for example, instead of

and being happy if that produces no output, it would be better to do

and match the result of that against a scripted expectation.

In that context, I found your remark “The find command does not need to produce output. That is not it’s purpose.” so bizarre that I don’t know what to make of it.

~Tom


#15

Perhaps you find it bizarre because you don’t understand its function.

It’s called “find”. It finds things. If you want it to do other things you have to instruct it to do other things.

RTFM: http://ss64.com/bash/find.html

There is no “‘silence means success’ paradigm of unix”. Stop jumping to conclusions man.