Skip to content

File Permissions Security Audit

chmodsecurityfind
5 min read
Matching toolChmod Permissions Builder

Quick Answer

Linux file permissions control who can read, write, or execute a file. Each file has three permission groups — owner, group, and other — each with read (4), write (2), and execute (1) bits. The permission 644 means the owner can read and write (6), while group and others can only read (4). The permission 755 adds execute for all, which directories need so users can enter them. World-writable files with permission 777 let any user or process overwrite the file — on a web server this means a compromised PHP script can replace your application files. The audit script uses find with -perm 777 to locate these dangerous files and saves a report. The safe recursive pattern is two find commands: one sets files to 644, another sets directories to 755 — never chmod -R 644 because that removes execute bits from directories and breaks navigation. chmod and find are base utilities on every Linux distribution, so the audit and the fix both run without installing anything.

I spent a genuinely stupid ten minutes at my own desk re-typing an SSH passphrase I was certain I knew, getting bounced every single time, convinced I'd somehow forgotten a key I'd used that morning. I hadn't. The key file had ended up at mode 0644 — readable by every account on the box — and ssh was refusing to touch it. That's the part that fooled me: SSH treats a private key the group or world can read as compromised and ignores it outright, and depending on the client the rejection can look like an ordinary auth failure, so you blame your fingers instead of the permission bits.

Once I went looking, the key wasn't the only thing I'd left careless. A scan turned up files sitting world-writable that I'd chmod 777'd at some point to make a problem go away and never tightened back. On my own single-user box the blast radius was small, but the habit is the kind that quietly becomes a hole the moment anything else can run code as another user. The script below is the audit I now run against a directory to surface world-writable files before they surface as an incident — and to remind me what the correct modes actually are, which was the part I wasn't willing to keep guessing at.

The permission audit I run on my own files now

Paste this into a file called permissions-audit.sh. It scans a target directory for world-writable files and saves a report when it finds them.

bash
#!/bin/bash # permissions-audit.sh — BashSnippets.xyz # Audit and report dangerous file permissions set -euo pipefail CHECK="✓" CROSS="✗" SCAN_DIR="${1:-/var/www}" DANGEROUS_PERMS="777" REPORT_FILE="/tmp/perms-audit-$(date +%Y%m%d).txt" echo "Scanning: $SCAN_DIR" echo "Looking for world-writable files ($DANGEROUS_PERMS)..." echo "" FOUND=$(find "$SCAN_DIR" -perm "$DANGEROUS_PERMS" -type f 2>/dev/null) if [ -z "$FOUND" ]; then echo "$CHECK No $DANGEROUS_PERMS files found in $SCAN_DIR" else echo "$CROSS DANGER: World-writable files found:" echo "$FOUND" echo "$FOUND" > "$REPORT_FILE" echo "" echo "Report saved to: $REPORT_FILE" fi echo "" echo "--- Recommended Permissions ---" echo "Files: chmod 644 (rw-r--r--)" echo "Directories: chmod 755 (rwxr-xr-x)" echo "Executables: chmod 755 (rwxr-xr-x)" echo "SSH keys: chmod 600 (rw-------)" echo "Private dirs: chmod 700 (rwx------)"

What this script checks

find "$SCAN_DIR" -perm "$DANGEROUS_PERMS" -type f searches for files with exact 777 permissions. Those files are world-writable, which means any user or compromised process can overwrite them.

Running the audit

Step 1 — Create the script file

bash
nano permissions-audit.sh

Paste the script above, then press Ctrl+X → Y → Enter to save.

Step 2 — Set your scan directory

The script accepts a directory as an argument. No editing required — just pass the path when you run it:

Target directoryWhat it scans
/var/wwwWeb server files — the most common audit target
/homeAll user home directories
/etcSystem config files — should never be world-writable
/srvHosted application data

Step 3 — Make it executable and run the audit

bash
chmod +x permissions-audit.sh ./permissions-audit.sh /var/www

If any 777 files are found, you will see:

text
Scanning: /var/www Looking for world-writable files (777)... ✗ DANGER: World-writable files found: /var/www/html/uploads/shell.php /var/www/html/cache/data.tmp Report saved to: /tmp/perms-audit-20260603.txt

If nothing is found, you get a clean result:

text
✓ No 777 files found in /var/www

Step 4 — Fix flagged files

For each file in the report, apply the correct permission based on its type:

bash
# Regular files — readable by all, writable only by owner chmod 644 /var/www/html/uploads/shell.php # Directories — owner can enter and write, others can enter and read chmod 755 /var/www/html/cache/ # Scripts and executables — same as directories chmod 755 /var/www/html/deploy.sh # Sensitive files — owner only chmod 600 /var/www/.env

Run the audit again after fixing to confirm the report is clean:

bash
./permissions-audit.sh /var/www

chmod Basics

Octal mode

7 = rwx (read+write+execute) 6 = rw- (read+write) 5 = r-x (read+execute) 4 = r-- (read only) 0 = --- (no permissions)

Format: chmod [owner][group][other] file

bash
chmod 644 file.txt # owner rw, group r, other r chmod 755 script.sh # owner rwx, group rx, other rx chmod 600 id_rsa # owner rw, no one else

Symbolic mode

bash
chmod u+x script.sh # add execute for owner chmod go-w file.txt # remove write for group and other chmod a+r file.txt # add read for all (a = all)

Common Permission Patterns

PatternOctalUse Case
rw-r--r--644Regular files, configs, web assets
rwxr-xr-x755Directories, executables, scripts
rw-------600SSH private keys, secrets
rwx------700Private directories
rw-rw-r--664Shared group files

Recursive Changes

Recursive permission changes are where people usually break deploys. Directories need the execute bit so users and processes can enter them.

bash
chmod -R 755 /var/www/html # Fix entire web root chmod -R 644 /var/www/html # DON'T DO THIS — breaks directories find /var/www/html -type f -exec chmod 644 {} \; # Files only find /var/www/html -type d -exec chmod 755 {} \; # Dirs only

Never use chmod -R 777

chmod -R 777 makes everything world-writable. On a shared server or web host, that means anyone who can run code as another user can overwrite your files, plant backdoors, or break your app.

Auditing with find

find is the permission audit tool you already have installed. These searches help you spot dangerous files before they become incidents.

bash
find / -perm 777 -type f 2>/dev/null # All 777 files on system find /var/www -perm -o+w -type f # World-writable web files find /home -perm 600 -name "*.key" # Find SSH keys with correct perms find / -perm -4000 -type f 2>/dev/null # Find SUID files (security audit)

chown — Changing Ownership

Permissions decide what the owner, group, and everyone else can do. chown changes who the owner and group are.

bash
chown user file.txt # change owner chown user:group file.txt # change owner and group chown -R www-data:www-data /var/www # Fix web server ownership chown --reference=ref.txt target.txt # Copy ownership from another file

The permission traps that bite hardest

Never use chmod -R 777

chmod -R 777 makes everything world-writable. On a shared server or web host, that means anyone who can run code as another user can overwrite your files, plant backdoors, or break your app.

Safe permissions to memorize

SSH private keys must be 600 — SSH will refuse to use them otherwise. Web files: 644 for files, 755 for directories. Use find + -exec instead of chmod -R to avoid breaking directory execute bits. Audit world-writable files on new servers immediately.

Frequently Asked Questions

How do I find world-writable files in Linux?

Run: find / -perm -o+w -type f 2>/dev/null. The -o+w flag matches any file where the "other" category has write permission. On a web server, scope it to the web root: find /var/www -perm -o+w -type f.

What file permissions should a web server use?

Files should be 644 (owner can read/write, everyone else read-only). Directories should be 755 (owner can enter and write, others can only enter and read). Never use 777 on a shared or internet-facing server.

How do I fix file permissions recursively without breaking directories?

Use two find commands — one for files, one for directories:

bash
find /var/www/html -type f -exec chmod 644 {} \; find /var/www/html -type d -exec chmod 755 {} \;

chmod -R 644 breaks directories by removing their execute bit, which prevents anyone from entering them.

What is a SUID file and why is it a security risk?

SUID (Set User ID) means the file runs as its owner's permissions rather than the caller's. On a root-owned binary, that means any user who can run it gets root-level access for that execution. Find them with: find / -perm -4000 -type f 2>/dev/null.

What does chmod 600 do?

chmod 600 gives the file owner read and write permission, and removes all access from the group and others. It is the required permission for SSH private keys — SSH will refuse to use a key with looser permissions. After setting correct key permissions, the SSH key setup script handles generating the key pair and copying the public key to remote servers.

Part of the Linux Security collection

BashSnippets logo

Written by Anguishe

Creator of BashSnippets.xyz

bashsnippets.xyz/about

Run this script on a real Linux server

Get $200 free credit — DigitalOcean

Get $200 Free →

Affiliate link · we earn a commission

Need a domain for your next project?

Register with Namecheap — free WHOIS privacy included

Check Domain Prices →

Affiliate link · we earn a commission

PAID RESOURCE — $9

The Production Bash Toolkit

6 scripts + shared library + 52-page field guide. The production layer the free snippets don't cover.

Get the Toolkit →

Related Snippets

Delete Old Log Files

Unmanaged log files silently fill /var/log until disk writes fail and services crash. find -mtime deletes .log files older than N days — preview with -print before removing from production.

Bash Error Handling with set -euo pipefail

Bash silently continues after failed commands by default — a broken cd followed by rm -rf destroys the wrong directory. set -euo pipefail exits on first failure before damage spreads.

Kill a Process with pkill and pgrep

The ps/grep/copy-PID/kill workflow takes four steps every time you need to stop a process. pkill by name collapses that to one command — pgrep -l previews matches before terminating.

Frequently Asked Questions

faq — snippet

How do I run this script?

Save as perm-audit.sh, set SCAN_DIR, run chmod +x perm-audit.sh, then execute ./perm-audit.sh to generate a permission report.

faq — snippet

Does this work on macOS?

Yes. find -perm works on macOS. SUID/SGID scanning behaves the same on BSD find.

faq — snippet

How do I find world-writable files in Linux?

Run find /path -type f -perm -002 or find /path -perm 777 to locate files writable by all users.

faq — snippet

What file permissions should a web server use?

Files 644, directories 755. Never chmod -R 644 — that removes execute bits from directories and breaks navigation.

← All Snippets↑ Back to top