ckfsec man page on OSF1

ckfsec(1)							     ckfsec(1)

NAME
       ckfsec - Check file and directory security

SYNOPSIS
       ckfsec [-aeh] [-i flag...] [-mnsvw] directory [directory ...]

OPTIONS
       -a     “All” mode; has the same effect as a combination of -e, -v, and
              -w.

       -e     Explain mode; appends explanatory text to lines of the report.

       -h     Displays a usage message.

       -i flag...
              Suppresses reporting and checking as specified by one or more of
              the following flags:

              a   Do not report in the summary whether Access Control Lists
                  (ACLs) are enabled on the system.

              g   Do not check for GID mismatches between a link and its
                  target.

              h   Do not check for hardlinks (files with link count greater
                  than 1).

              m   Do not check for symbolic links whose targets do not exist.

              s   Do not check for world-writable directories on which the
                  sticky bit is not set.

              u   Do not check for UID mismatches between a link and its
                  target.

              When specifying multiple flags, do not separate them by using
              spaces.

       -m     Restricts processing to files that are in the same file system
              as directory.

       -n     Ignores file systems mounted through NFS.

       -s     Suppresses the summary lines that are otherwise included at the
              end of the report. The summary lines report the total number of
              directories that were processed, the number of world-writable
              directories that were found, the total number of potential
              problems that were found, and (unless the a flag is specified
              with -i) whether ACLs are enabled on the system.

       -v     Verbose mode; includes in the report all files and directories
              that were checked, not just those that have a potential problem.

       -w     Displays in the report the pathnames of all world-writable
              directories, not just those found to be vulnerable.

              If -w is not specified, the total count of world-writable
              directories that were processed is included in summary lines at
              the end of the report (unless -s is specified to omit the
              summary). This count always includes all world-writable
              directories that were found, whether or not they had the sticky
              bit set or contained vulnerable files.

OPERANDS
       directory
              The pathname of the top-level directory of the file tree to be
              checked. A space-separated list of multiple pathnames may be
              specified to check more than one tree.

DESCRIPTION
       The ckfsec tool searches a directory tree for world-writable directo‐
       ries and, in each of these, searches for and reports on the following
       potential vulnerabilities:

          +  A symbolic link whose target has an owner or group different
             from the link

          +  A symbolic link whose target does not exist

          +  A world-writable directory without the sticky bit set, including
             the specified directory, if applicable

          +  A pipe

          +  A file with a link count greater than 1 (a file with “hard
             links”)

       Potential vulnerabilities are reported in the following format:

       code type [uid] [gid] mtime file[ -> target] [explanatory_text]

       In this format:

       code   Indicates the problem. Each code value begins with W (warning)
              or E (error) to indicate the severity, followed by one to three
              of the following letters to indicate why file is potentially
              vulnerable:

              g   The GID of a symbolic link does not match the GID of its
                  target. This might mean that a nonprivileged user created a
                  symbolic link to point to a privileged file.

              h   The file has a link count greater than 1. This might mean
                  that a nonprivileged user created a hardlink that specifies
                  a privileged file.

              m   The symbolic link specifies a target that does not exist.
                  This might allow a nonprivileged user to trick a privileged
                  process into creating a privileged file. By itself, this
                  condition is treated as a warning.

              p   A pipe was found.

              s   The mode of the directory (if world-writable) is missing
                  the sticky bit.

              u   The UID of a symbolic link does not match the UID of its
                  target. This might mean that a nonprivileged user created a
                  symbolic link to point to a privileged file.

              w   The directory is world-writable, which allows nonprivileged
                  users to create links that can trick privileged programs
                  into writing or overwriting privileged files. A world-
                  writable directory is reported as a warning, unless its
                  sticky bit is not set, in which case the directory is
                  reported as an error.

       type   Specifies what file represents. Type identifiers are as
              follows:

              d   Directory
              f   Regular file (shown only if -v is specified)
              h   Hardlink
              l   Symbolic link
              p   Pipe

       uid    Identifies the owner (UID) of file.

       gid    Identifies the group (GID) of file.

       mtime  Specifies the time that file was last modified.

       file   Specifies the pathname of the file system object that is
              potentially vulnerable.

       target If file is a symbolic link, specifies its target.

       explanatory_text
              Includes additional information about the potential problem.
              This additional information is appended to report lines only if
              -e is specified on the command line.

       While  traversing the specified directory tree, ckfsec does not process
       any files found	in  secure  subdirectories;  however,  the  tool  does
       process all subdirectories.

       The main body of the report that the tool produces lists files that are
       potential vulnerabilities. If the -a or -v  option  is  specified,  the
       body of the report lists all directories and files that were processed.

       Unless  the  -s option is specified, the report ends with summary lines
       as follows:

       Total directories: count
       World-writable dirs: count
       Total problems: count
       ACLs_statement

       Unless omitted by the a flag for the -i option, ACLs_statement is one
       of the following:

       This system has ACLs enabled. ACLs may introduce additional security
       risks.
              The ckfsec utility does not check ACLs. ACLs, depending on what
              they contain, can either tighten or relax the security provided
              by directory or file permissions alone. This informational mes‐
              sage is displayed to remind you that ACLs have not been checked
              and that you should make sure that no world-writable directory
              has an ACL that makes the system more vulnerable than it would
              be otherwise.

       ACLs are not enabled on this system.
              This message is what you would expect if ACLs are not being used
              to manage system security.

					Note

       ACL reporting is not supported for releases prior to Tru64 UNIX Version
       5.0A. If the ckfsec tool is installed and run on	 Tru64	UNIX  versions
       prior to Version 5.0A, ACLs_statement is not included in the report.

       The  tool's report must be checked manually to determine whether any of
       the files and directories identified as vulnerable represent an	actual
       breach of system security or are likely to be used in that way.
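       The checks described above can be reproduced in a few lines of Python.
       The following is an added example, not code from the ckfsec tool or the
       Tru64 distribution: it walks a tree, examines only entries of
       world-writable directories (while still descending every
       subdirectory), emits lines in the report format above, and counts the
       summary fields. Severity rules not stated on this page (a pipe is
       treated as an error) and the fixture tree it builds under a temporary
       directory are assumptions of the example.

```python
import os
import shutil
import stat
import tempfile
import time

# Problem letters as used in ckfsec report codes; the W/E prefix gives severity.
CODE_TEXT = {
    "g": "GID of symbolic link differs from GID of its target",
    "h": "link count greater than 1 (hard link)",
    "m": "symbolic link target does not exist",
    "p": "pipe found in a world-writable directory",
    "s": "world-writable directory without the sticky bit",
    "u": "UID of symbolic link differs from UID of its target",
    "w": "directory is world-writable",
}


def entry_codes(path, st):
    """Problem letters for one entry of a world-writable directory (st = lstat)."""
    if stat.S_ISLNK(st.st_mode):
        try:
            target = os.stat(path)            # follows the link
        except OSError:
            return ["m"]                      # dangling link: a warning by itself
        return [c for c, bad in (("u", target.st_uid != st.st_uid),
                                 ("g", target.st_gid != st.st_gid)) if bad]
    if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        return ["h"]
    if stat.S_ISFIFO(st.st_mode):
        return ["p"]                          # assumption: reported as an error
    return []


def type_letter(st):
    """Type column: d directory, f regular file, h hardlink, l symlink, p pipe."""
    if stat.S_ISDIR(st.st_mode):
        return "d"
    if stat.S_ISLNK(st.st_mode):
        return "l"
    if stat.S_ISFIFO(st.st_mode):
        return "p"
    return "h" if st.st_nlink > 1 else "f"


def format_line(severity, codes, path, st, explain):
    """One report line: code type mode uid gid mtime file [-> target] [text]."""
    mtime = time.strftime("%Y/%m/%d", time.localtime(st.st_mtime))
    line = "%-4s %s %04o %5d %5d %s %s" % (severity + "".join(codes), type_letter(st),
                                          stat.S_IMODE(st.st_mode), st.st_uid,
                                          st.st_gid, mtime, path)
    if stat.S_ISLNK(st.st_mode):
        line += " -> " + os.readlink(path)
    if explain:                               # -e: append explanatory text
        line += "  [" + "; ".join(CODE_TEXT[c] for c in codes) + "]"
    return line


def ckfsec(root, show_all_ww=False, explain=False):
    """Only entries of world-writable directories are checked, but every
    subdirectory is descended. Returns (report lines, problems, summary)."""
    lines, problems = [], []
    total_dirs = ww_dirs = 0
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic walk order
        total_dirs += 1
        dst = os.lstat(dirpath)
        if not dst.st_mode & stat.S_IWOTH:
            continue                          # secure directory: contents not checked
        ww_dirs += 1
        if not dst.st_mode & stat.S_ISVTX:    # world-writable without sticky bit: error
            lines.append(format_line("E", ["w", "s"], dirpath, dst, explain))
            problems.append(("ws", dirpath))
        elif show_all_ww:                     # -w: listed, but not counted as a problem
            lines.append(format_line("W", ["w"], dirpath, dst, explain))
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            codes = entry_codes(path, st)
            if codes:
                lines.append(format_line("W" if codes == ["m"] else "E", codes, path, st, explain))
                problems.append(("".join(codes), path))
    return lines, problems, {"total_dirs": total_dirs, "ww_dirs": ww_dirs, "problems": len(problems)}


def build_demo_tree():
    """Constructed fixture (not from the man page) with one instance of each finding."""
    root = tempfile.mkdtemp(prefix="ckfsec-demo-")
    drop = os.path.join(root, "drop")         # world-writable, no sticky bit -> Ews
    os.mkdir(drop)
    os.chmod(drop, 0o777)
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("owner-only data\n")
    os.link(secret, os.path.join(drop, "backdoor"))                        # -> Eh
    os.symlink(os.path.join(root, "missing"), os.path.join(drop, "core"))  # -> Wm
    os.mkfifo(os.path.join(drop, "fifo"))                                  # -> Ep
    shared = os.path.join(root, "shared")     # sticky bit set -> Ww, shown only with -w
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    private = os.path.join(root, "private")   # secure directory: its dangling link is skipped
    os.mkdir(private)
    os.chmod(private, 0o755)
    os.symlink(os.path.join(root, "missing"), os.path.join(private, "dangling"))
    return root


def run_demo():
    """Build the fixture, run with -w -e behaviour, and return codes by name, summary, lines."""
    root = build_demo_tree()
    try:
        lines, problems, summary = ckfsec(root, show_all_ww=True, explain=True)
    finally:
        shutil.rmtree(root)
    return {os.path.basename(p): c for c, p in problems}, summary, lines
```

       Running run_demo() yields four problems in a tree of four directories,
       two of them world-writable; the sticky-bit directory appears as a Ww
       line only because show_all_ww (the -w behaviour) is on, and the
       dangling link inside the 0755 directory is never reported, matching
       the rule that secure subdirectories are descended but not checked.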

EXAMPLES
       The following example shows a report from a ckfsec command that
       includes no options:

       # ckfsec /
       Ews d 0777    0    0 2002/02/11 /tmp/one                                      [1]
       Eh  h 0644 8941    0 2002/02/11 /tmp/backdoor                                 [2]
       Eg  l 0777 8941    0 2002/02/11 /tmp/one/two/a.txt -> /home/brians/.profile   [3]
       Eu  l 0777    0    0 2002/02/11 /tmp/one/two/three/a.txt -> /tmp/one/two/a.txt [4]
          Eg  l 0777 8941    0 2002/02/11 /tmp/one/two/a.txt -> /home/brians/.profile [5]
       Eug l 0777 8941   33 2002/02/09 /tmp/README -> /etc/fstab                      [6]
       Wm  l 0777 8941    0 2002/02/09 /tmp/core -> /etc/nologin                      [7]
       Total directories:        9
       World-writable dirs:      5
       Total problems:           7
       ACLs are not enabled on this system.

       In this example, the lines that start with error codes show the follow‐
       ing:

       [1]    Reports a world-writable directory that does not have the sticky
              bit set. The sticky bit prevents users (other than the directory
              owner, the file owner, or the superuser) from deleting or
              renaming files in that directory.

       [2]    Reports a file system object (in a world-writable directory)
              with a link count greater than 1. The ls -i command might
              reveal, for example, that backdoor is a hardlink to (has the
              same i-number as) the one directory.

       [3]    Reports a GID mismatch.

       [4]    Reports a UID mismatch.

       [5]    Traces links two levels deep; therefore, Line 5 is indented
              accordingly. These lines show that vulnerabilities are sometimes
              masked through multiple links between different directories and
              files.

       [6]    Reports both a UID and GID mismatch. In this case, the link
              might cause a privileged file to be overwritten.

       [7]    Reports a symbolic link to a file that does not currently exist.
              In this case, the link target would be a problem if it were
              created in the future.

SEE ALSO
       Commands: dirclean(8)

       Functions: mktemp(3), safe_open(3)

       Others: sys_attrs_sec(5)
