Fun with IBM Unix on stud4


Hey, it's the middle of the night and I'm having fun with our well-known IBM server stud4.tuwien.ac.at.

I noticed that a lot of people do not protect their home directories. In fact, I noticed that mine was directory-readable too. But what's worse is that some people leave their files readable.

Facts:
Connect to it, and use a find:

ssh stud4.tuwien.ac.at -l e0123456 'find /users*/home* -perm -a+r -print' >homes.list4.accessible

All these files are accessible: Want an excerpt? Here you go:

-rw-r--r--   1 e1543626   stud        692820 Apr 27  2005 /users4/home5/e1543626/00001.jpg
-rw-r--r--   1 e1543626   stud        484867 Apr 27  2005 /users4/home5/e1543626/00002.jpg
-rw-r--r--   1 e1543626   stud       1112039 Nov 29  2004 /users4/home5/e1543626/1653.pdf
-rw-r--r--   1 e1543626   stud        269401 Nov 29  2004 /users4/home5/e1543626/1728.pdf
-rw-r--r--   1 e1543626   stud        124044 Nov 29  2004 /users4/home5/e1543626/2056.pdf
-rw-r--r--   1 e1543626   stud        338262 Nov 29  2004 /users4/home5/e1543626/2934.pdf
-rw-r--r--   1 e1543626   stud        626081 Nov 29  2004 /users4/home5/e1543626/3013.pdf
-rw-------   1 e1543626   stud         10500 Oct 31  2005 /users4/home5/e1543626/Aufgabe3.zip
-rw-r--r--   1 e1543626   stud           174 Oct 19  2005 /users4/home5/e1543626/Daten.java
-rw-------   1 e1543626   stud       1070460 Feb  7  2006 /users4/home5/e1543626/Domen_C.zip
-rw-------   1 e1543626   stud           506 Nov 15 16:06 /users4/home5/e1543626/Drafts
-rw-------   1 e1543626   stud         23552 Dec 17  2004 /users4/home5/e1543626/Honorarnote Edi.doc
-rw-------   1 e1543626   stud          8601 Nov 26 20:04 /users4/home5/e1543626/Junk
-rw-r-----   1 e1543626   stud             0 Oct  3  2001 /users4/home5/e1543626/LIZ/.ICAClient/.eula_accepted

(I replaced the real username with an obviously impossible id.) But you get the idea.

So who are the bad guys? Maybe I want to warn you. Using the above list we retrieved, we can find out:

cat homes.list4.accessible|cut -d "/" -f 4|sort |uniq -c|sort -n

Several users with hundreds of files.

Let’s dig deeper …

ssh stud4.tuwien.ac.at -l e0123456 'find /users*/home* -perm -a+w -print' >homes.list.writable

Uhm… ok. I understand that with temporary files it might not matter, but public_html? Hello? Invitation? Guys, you should really set your permission bits correctly!
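To make the audit above repeatable, here is a small added example (my own, not from the original post) that walks a users*/home*/<user> tree, counts world-readable and world-writable files per user the way the find | cut | sort | uniq -c pipeline does, and clears the other-write bit for one home. It uses the octal other-bits -004 and -002 instead of the post's -a+r/-a+w, and builds a constructed sample tree with hypothetical user ids so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a users*/home*/<user>
# tree for files readable or writable by "other" and count hits per user,
# the same idea as the find | cut | sort | uniq -c pipeline above.
# Octal modes -004/-002 (other-read/other-write) are this example's choice;
# the post used the symbolic forms -a+r and -a+w.

# audit_homes ROOT -> lines of "<readable|writable> <user> <count>"
audit_homes() {
    root="$1"
    for kind in readable writable; do
        case "$kind" in
            readable) perm="-004" ;;
            writable) perm="-002" ;;
        esac
        # -type f skips directories; after stripping ROOT the user name is
        # the third path component (users4/home5/e1543626/...)
        find "$root"/users*/home* -type f -perm "$perm" -print 2>/dev/null |
            sed "s|^$root/||" | cut -d/ -f3 | sort | uniq -c |
            while read -r count user; do
                printf '%s %s %s\n' "$kind" "$user" "$count"
            done
    done
}

# fix_world_writable HOME -> clear the other-write bit on every file below HOME
fix_world_writable() {
    find "$1" -type f -perm -002 -exec chmod o-w {} +
}

# Constructed sample tree (hypothetical user ids) so the audit runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    u1="$root/users4/home5/e1543626"; u2="$root/users4/home5/e0000001"
    mkdir -p "$u1/public_html" "$u2"
    echo x > "$u1/notes.txt";               chmod 644 "$u1/notes.txt"
    echo x > "$u1/public_html/index.html";  chmod 666 "$u1/public_html/index.html"
    echo x > "$u1/Aufgabe3.zip";            chmod 600 "$u1/Aufgabe3.zip"
    echo x > "$u2/Daten.java";              chmod 644 "$u2/Daten.java"
    echo x > "$u2/Drafts";                  chmod 640 "$u2/Drafts"
    echo "$root"
}

# Stand-alone run: audit, tighten one home, audit again.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    audit_homes "$root"
    fix_world_writable "$root/users4/home5/e1543626"
    audit_homes "$root"
    rm -rf "$root"
fi
```

Run it with `sh audit.sh --demo`; the second audit shows the writable line gone while the readable counts are unchanged.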

Also, I think the KDE NFS desktop gives the files in the home folder too many permissions.
