Note: This answer was originally written when mcleod_ideafix's answer contained the following broken command: find . -perm -or ; the last section of this answer explains why it cannot work.
find . ! -perm -o=r

- matches all files and directories in the current directory subtree ( . ); to limit matching to files only, add -type f .
- that do not have ( ! ) the read permission ( r ) set for the security principal "others (world)" ( o ).
This works as intended if none of the scanned files were created by the user account in whose context the web server runs and none belong to a group of which the web server account is a member. This is usually the case.

The command above is POSIX-compatible.
mcleod_ideafix's answer offers a more robust option available with GNU find, the (non-standard) -readable test. When launched in the context of the web server's user account (on Linux, www-data ), this matches only the files and directories that the web server cannot read, regardless of which user and group own the file:

sudo -u www-data find . ! -readable -prune

Note that -prune prevents attempts to descend into unreadable subdirectories and thereby suppresses warnings.
- If you want to limit matching to files only, this becomes more complex:

sudo -u www-data find . ! -readable \( -type f -print -o -prune \)
As for what doesn't work:

- Commands such as find . -perm 700 and find . -perm 600 will match only files with that exact mode ( 700 translates to u=rwx,go= , 600 to u=rw,go= ), so you would need to create commands for all possible user and group permissions to find all matches of interest.
- find . -perm -or is fundamentally broken and invariably matches any file or directory:
  - Prefix - values passed to -perm indicate that all of the specified permissions must be set on the matching files. -perm allows only a positive match of permissions (what IS set, as opposed to what is NOT set), so it is fundamentally impossible to express "match only if this permission is NOT set" with -perm alone.
  - While -r is supported syntactically (because it is valid chmod syntax), it is pointless here and results in a no-op.
  - Technically, -or tells -perm to subtract (remove) the read permission bit for "others" from the initial value of the mode mask used for matching; since that initial value is 000 or, symbolically, a= , any attempt to subtract permissions from it is a no-op, i.e. has no effect. In the immortal words of Billy Preston and Bruce Fisher: Nothin' from nothin' leaves nothin'.
  - The net effect is that no restrictions apply to the permissions of potentially matched files or directories, so all items match unconditionally.
- So the only option is to make -perm itself positive ( -perm -o=r ) and then negate the result by putting find's negation operator ! in front of it.
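An added example (not part of the original answer) that exercises the POSIX command above against a constructed temporary tree: it shows ! -perm -o=r picking out exactly the regular files that "others" cannot read, and -perm 600 matching only that one exact mode. The file names and modes are constructed for the demo; the helper names are my own.

```shell
#!/bin/sh
# Added example: build a constructed tree of files with distinct modes,
# then compare the answer's command against exact-mode matching.

# Create a temporary directory holding one file per mode of interest and
# print its path. Modes 644 and 604 are world-readable; 640, 600 and 700 are not.
make_tree() {
  dir=$(mktemp -d) || return 1
  for mode in 644 640 600 700 604; do
    : > "$dir/file_$mode"
    chmod "$mode" "$dir/file_$mode"
  done
  printf '%s\n' "$dir"
}

# The answer's POSIX command, restricted to regular files: every file under
# $1 for which the "others" read bit (o=r, octal 004) is NOT set.
# Prints the sorted basenames on one line.
not_world_readable() {
  find "$1" -type f ! -perm -o=r | sed 's|.*/||' | sort | paste -sd ' ' -
}

# Exact-mode matching, for contrast: -perm MODE without a - or / prefix
# matches only files whose mode is exactly MODE (e.g. 600 = u=rw,go=).
exact_mode() {
  find "$1" -type f -perm "$2" | sed 's|.*/||' | sort | paste -sd ' ' -
}

# Demo run on the constructed tree; cleaned up afterwards.
demo_dir=$(make_tree)
echo "not readable by others: $(not_world_readable "$demo_dir")"
echo "exactly mode 600:       $(exact_mode "$demo_dir" 600)"
rm -rf "$demo_dir"
```

Running it as any user is enough, since -perm inspects mode bits rather than the caller's actual access; that is exactly why the -readable variant in the answer needs sudo -u www-data while this one does not.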