World Writeable files

Another security remediation finding shows world-writable files as part of the default config, as shown below.
Do these files need to be 777, or can they be set to a more restrictive permission set without affecting the operation of PetaSAN?

The following world writable files were found.

  • /opt/petasan/log/PetaSAN.log (-rwxrwxrwx)
  • /usr/bin/targetcli-fb (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/rtslib/alua.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/rtslib/fabric.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/rtslib/__init__.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/rtslib/node.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/rtslib/root.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/rtslib/target.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/rtslib/tcm.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/rtslib/utils.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/targetcli/__init__.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/targetcli/ui_backstore.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/targetcli/ui_node.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/targetcli/ui_root.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/targetcli/ui_target.py (-rwxrwxrwx)
  • /usr/lib/python3/dist-packages/targetcli/version.py (-rwxrwxrwx)
  • /var/lib/graphite/graphite.db (-rw-rw-rw-)

Just wondering where you ran the scanning software from. We only have root access to the system.

We use Nexpose from Rapid7. It uses scan nodes that can authenticate to our systems to scan for security issues.

I logged directly into the system and went to one of the directories listed above and these are the permissions at that point:

root@psan1:/usr/lib/python3/dist-packages/rtslib# ls -alh
total 204K
drwxr-xr-x   3 root root 4.0K May  3  2023 .
drwxr-xr-x 165 root root  12K Aug  8 11:17 ..
-rwxrwxrwx   1 root root  16K Sep 18  2018 alua.py
-rwxrwxrwx   1 root root  17K Sep 18  2018 fabric.py
-rwxrwxrwx   1 root root 1.6K Dec  7  2018 __init__.py
-rwxrwxrwx   1 root root 8.5K Sep 18  2018 node.py
drwxr-xr-x   2 root root 4.0K May  3  2023 __pycache__
-rwxrwxrwx   1 root root  16K Sep 18  2018 root.py
-rwxrwxrwx   1 root root  55K Sep 18  2018 target.py
-rwxrwxrwx   1 root root  41K Dec  7  2018 tcm.py
-rwxrwxrwx   1 root root  16K Sep 18  2018 utils.py
root@psan1:/usr/lib/python3/dist-packages/rtslib#

So the files are owned by root:root, but the other user also has rwx permissions.

I am just curious if they need to be set as 777 or if they can be set to 770 (for example).

Thanks,
neil
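
One way to reproduce the scanner's finding from a root shell on the node, and to preview the mode each file would have with only the other-write bit cleared, is sketched below. This is an added example, not part of the original thread or of PetaSAN's own tooling; it assumes GNU find and stat, the function names are made up for illustration, and nothing on disk is changed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes GNU find and GNU stat.
# Function names are hypothetical; no file modes are modified.

# Print world-writable regular files under the given directories in the
# "path (mode)" form used by the scan report.
#   -xdev        stay on the starting filesystem
#   -type f      regular files only (symlinks always show rwxrwxrwx)
#   -perm -0002  the "other" write bit is set
report_world_writable() {
    find "$@" -xdev -type f -perm -0002 -exec stat -c '%n (%A)' {} + | sort
}

# Dry run: for each world-writable file, show the current octal mode and
# the mode that clearing only the other-write bit (chmod o-w) would give.
plan_remove_other_write() {
    find "$@" -xdev -type f -perm -0002 -exec stat -c '%a %n' {} + | sort -k2 |
    while read -r cur path; do
        # Leading 0 makes the shell read the mode as octal; ~0002 masks o+w.
        printf '%s: %s -> %o\n' "$path" "$cur" $(( 0$cur & ~0002 ))
    done
}

# Run only when directories are passed on the command line, for example:
#   ./ww-audit.sh /usr/lib/python3/dist-packages/rtslib /opt/petasan/log
if [ "$#" -gt 0 ]; then
    report_world_writable "$@"
    echo "--- modes with other-write cleared (nothing changed) ---"
    plan_remove_other_write "$@"
fi
```

The preview shows the narrowest change that would clear the finding (777 becomes 775, 666 becomes 664); whether PetaSAN tolerates that or the 770 asked about above is not something the script can tell you.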