
small linux check: who can write where

Message metadata
From: Ghostline <ghostline@shadowbyte.dev>
Newsgroups: rb.comp.os.linux
Subject: small linux check: who can write where
Date: Thu, 25 Jun 2026 03:18:25 -0400
Message-ID: <e9f2aa8e-f797-4c2c-84ef-303eac3eda0a@rootbadger.com>
Organization: Dead Drop Systems Lab
X-Info: soft footsteps, hard edges, notes from the seams
User-Agent: RootBadger Ghostline
Lines: 14
X-System: RootBadger/1.0 (privacy-protected)

quick linux hygiene thing i wish more people checked after installing random packages or unpacking old services: writable paths.

not just /tmp. look at service-owned dirs, plugin dirs, cache dirs, upload dirs, cron drop-ins, systemd override dirs, and anything a daemon reads on startup. the interesting failure is usually not "user can write file" by itself. it is "user can write a file that a more privileged process later trusts."

my small audit loop is:

find /etc /usr/local /opt /var -xdev -type d -perm -0002 -ls 2>/dev/null
find /etc /usr/local /opt /var -xdev -type f -perm -0002 -ls 2>/dev/null

then i ask what reads from those paths, and whether the write permission is intentional. most hits are harmless or expected. a few turn into "why is this plugin folder group-writable on a box with shared accounts?"

permissions are not exciting, but they are where a lot of trust boundaries quietly live.

--
Ghostline
~ silk gloves, dirty opcodes ~
"Every locked door whispers its design."
4 replies
in reply to Ghostline
Message metadata
From: Lucas <fieldtech@oldiron.dev>
Newsgroups: rb.comp.os.linux
Subject: Re: small linux check: who can write where
Date: Thu, 25 Jun 2026 21:36:04 -0400
Message-ID: <baa55b3b-67b5-4c74-8f81-5cf81bb5ce2a@rootbadger.com>
References: <e9f2aa8e-f797-4c2c-84ef-303eac3eda0a@rootbadger.com>
Followup-To: rb.comp.os.linux
Organization: The Null Device Restoration Society
X-Info: interested in old systems, new mistakes, and anything that still works after being dropped
User-Agent: RootBadger Web
Lines: 3
X-System: RootBadger/1.0 (privacy-protected)

good note. writable plugin/cache dirs are where people miss stuff. i usually check service users too: what owns the dir, what can write it, and whether the daemon actually needs that much access.

for a new box, find /var /opt -writable -type d 2>/dev/null is noisy but useful. then trim from there.

--
Lucas // still waiting for the future to finish booting
in reply to Lucas
Message metadata
From: Ghostline <ghostline@shadowbyte.dev>
Newsgroups: rb.comp.os.linux
Subject: Re: small linux check: who can write where
Date: Thu, 25 Jun 2026 21:58:20 -0400
Message-ID: <b7320408-7021-4050-941d-7bbfe1a84137@rootbadger.com>
References: <e9f2aa8e-f797-4c2c-84ef-303eac3eda0a@rootbadger.com> <baa55b3b-67b5-4c74-8f81-5cf81bb5ce2a@rootbadger.com>
Followup-To: rb.comp.os.linux
Organization: Dead Drop Systems Lab
X-Info: soft footsteps, hard edges, notes from the seams
User-Agent: RootBadger Web
Lines: 3
X-System: RootBadger/1.0 (privacy-protected)

yep, service users are the part people skip. they see root-owned files and relax, then the app user can still write somewhere that gets loaded later.

for web stuff i also check uploads, compiled templates, and anything named cache. boring list, but it catches real mistakes.

--
Ghostline
~ silk gloves, dirty opcodes ~
"Every locked door whispers its design."
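Added example, not code from anyone in the thread. It turns Ghostline's two find lines and the service-user point above into a small bash script. It assumes Linux with GNU find and stat (the stat -c format strings), ignores POSIX ACLs and capabilities, and judges "can write" from mode bits and ownership alone. The second function exists because Lucas's find -writable answers for whoever runs find; a hygiene check usually wants the answer for the daemon's account instead.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes Linux with GNU find/stat
# (stat -c), as the thread is about Linux boxes.
#
# audit_world_writable ROOT...  : every world-writable dir/file under ROOT,
#   one line each: KIND OWNER GROUP MODE PATH FLAG. Directories without the
#   sticky bit are flagged NO_STICKY (any user may delete/rename others'
#   files there); world-writable files that are executable are flagged WW_EXEC.
# count_flagged FLAG ROOT...    : how many hits carry FLAG.
# writable_by_user USER ROOT    : paths USER could write, judged from mode
#   bits and ownership only (ACLs, capabilities and root are ignored).
#   Unlike `find -writable`, which answers for the user running find, this
#   answers for a service account such as www-data.

audit_world_writable() {
  local root path kind owner group mode flag
  for root in "$@"; do
    [ -d "$root" ] || continue
    find "$root" -xdev \( -type d -o -type f \) -perm -0002 -print 2>/dev/null |
    while IFS= read -r path; do      # one path per line; newlines in names are not handled
      if [ -d "$path" ]; then kind=dir; else kind=file; fi
      owner=$(stat -c '%U' "$path")
      group=$(stat -c '%G' "$path")
      mode=$(stat -c '%a' "$path")
      flag=-
      if [ "$kind" = dir ] && [ ! -k "$path" ]; then flag=NO_STICKY; fi
      if [ "$kind" = file ] && [ -x "$path" ]; then flag=WW_EXEC; fi
      printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$kind" "$owner" "$group" "$mode" "$path" "$flag"
    done
  done | sort
}

count_flagged() {
  local flag="$1"; shift
  audit_world_writable "$@" | awk -F '\t' -v f="$flag" '$6 == f { n++ } END { print n + 0 }'
}

writable_by_user() {
  local user="$1" root="$2" groups path owner group perm w
  id "$user" >/dev/null 2>&1 || return 1
  groups=" $(id -Gn "$user" | tr ' \n' '  ') "    # " g1 g2 ... " for exact matching below
  find "$root" -xdev \( -type d -o -type f \) -print 2>/dev/null |
  while IFS= read -r path; do
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    perm=$(stat -c '%A' "$path")      # symbolic mode, e.g. drwxr-xr-x
    w=no
    case "$perm" in ??w*)       if [ "$owner" = "$user" ]; then w=yes; fi ;; esac
    case "$perm" in ?????w*)    case "$groups" in *" $group "*) w=yes ;; esac ;; esac
    case "$perm" in ????????w*) w=yes ;; esac
    if [ "$w" = yes ]; then printf '%s\n' "$path"; fi
  done | sort
}

# Typical use on a real box (paths from the original post):
#   audit_world_writable /etc /usr/local /opt /var
#   writable_by_user www-data /var/www
```

Run the audit first, then feed each service account to writable_by_user over the directories its daemon reads at startup; a NO_STICKY hit in a shared directory and a service account that can write to a plugin or override directory are the two findings worth chasing.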
in reply to Ghostline
Message metadata
From: Lucas <fieldtech@oldiron.dev>
Newsgroups: rb.comp.os.linux
Subject: Re: small linux check: who can write where
Date: Thu, 25 Jun 2026 22:24:42 -0400
Message-ID: <240e9413-4e24-49af-85d1-8cf20e535b73@rootbadger.com>
References: <e9f2aa8e-f797-4c2c-84ef-303eac3eda0a@rootbadger.com> <baa55b3b-67b5-4c74-8f81-5cf81bb5ce2a@rootbadger.com> <b7320408-7021-4050-941d-7bbfe1a84137@rootbadger.com>
Followup-To: rb.comp.os.linux
Organization: The Null Device Restoration Society
X-Info: interested in old systems, new mistakes, and anything that still works after being dropped
User-Agent: RootBadger Web
Lines: 3
X-System: RootBadger/1.0 (privacy-protected)

yep. and if it is PHP, I check whether the writable path is also reachable from the web. uploads being writable is normal. uploads executing code is the problem.

nginx/apache config matters as much as chmod there.

--
Lucas // still waiting for the future to finish booting
in reply to Lucas
Message metadata
From: Ghostline <ghostline@shadowbyte.dev>
Newsgroups: rb.comp.os.linux
Subject: Re: small linux check: who can write where
Date: Thu, 25 Jun 2026 22:56:54 -0400
Message-ID: <905feb84-c982-4329-aebe-af7d7650ba9c@rootbadger.com>
References: <e9f2aa8e-f797-4c2c-84ef-303eac3eda0a@rootbadger.com> <baa55b3b-67b5-4c74-8f81-5cf81bb5ce2a@rootbadger.com> <b7320408-7021-4050-941d-7bbfe1a84137@rootbadger.com> <240e9413-4e24-49af-85d1-8cf20e535b73@rootbadger.com>
Followup-To: rb.comp.os.linux
Organization: Dead Drop Systems Lab
X-Info: soft footsteps, hard edges, notes from the seams
User-Agent: RootBadger Web
Lines: 3
X-System: RootBadger/1.0 (privacy-protected)

exactly. writable is not automatically bad, executable from that same place is where it gets ugly.

small rule i like: app can write files, web server can serve files, but do not let uploaded files become programs. keeps a lot of dumb problems out.

--
Ghostline
~ silk gloves, dirty opcodes ~
"Every locked door whispers its design."
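Added example, not code from anyone in the thread. It checks the "writable and served" overlap Lucas and Ghostline describe: directories under a web document root that group or world can write to, with a count of server-side script files sitting in each. It assumes Linux with GNU find and stat; the extension list is a constructed starting set. Whether such a file would actually be run is decided by the nginx or apache handler configuration, not by chmod, so every line this prints is a candidate to check against that configuration, not a confirmed problem.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes Linux with GNU find/stat.
#
# list_writable_served_dirs DOCROOT : directories under a web document root
#   that are group- or world-writable, one line each: PATH MODE scripts=N,
#   where N counts files directly in that directory whose names match
#   SCRIPT_GLOBS. A writable directory the server also serves is only a
#   problem when the server hands its files to an interpreter, which is set
#   in the nginx/apache config; this surfaces the places to check there.
# count_writable_dirs_with_scripts DOCROOT : how many of those already hold
#   at least one script-looking file.

SCRIPT_GLOBS='*.php *.phtml *.cgi *.pl *.py *.sh'   # constructed list; extend per stack

list_writable_served_dirs() {
  local docroot="$1" dir mode n g c
  [ -d "$docroot" ] || return 1
  find "$docroot" -xdev -type d \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null |
  while IFS= read -r dir; do
    mode=$(stat -c '%a' "$dir")
    n=0
    for g in $SCRIPT_GLOBS; do    # unquoted on purpose: split into one glob per iteration
      c=$(find "$dir" -maxdepth 1 -type f -name "$g" 2>/dev/null | wc -l | tr -d ' ')
      n=$((n + c))
    done
    printf '%s\t%s\tscripts=%s\n' "$dir" "$mode" "$n"
  done | sort
}

count_writable_dirs_with_scripts() {
  list_writable_served_dirs "$1" | awk -F '\t' '$3 != "scripts=0" { n++ } END { print n + 0 }'
}

# Typical use: list_writable_served_dirs /var/www/html
```

A directory that shows up here with scripts=0 is still worth a look: the thread's rule is that uploads and caches may be writable and may be served, but the server block covering them should not map their contents to a script handler at all, so that the count stays irrelevant rather than merely zero.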