File Permissions Security Audit


Quick Answer

Linux file permissions control who can read, write, or execute a file. Each file has three permission groups — owner, group, and other — each with read (4), write (2), and execute (1) bits. The permission 644 means the owner can read and write (6), while group and others can only read (4). The permission 755 adds execute for all, which directories need so users can enter them. World-writable files with permission 777 let any user or process overwrite the file — on a web server this means a compromised PHP script can replace your application files. The audit script uses find with -perm 777 to locate these dangerous files and saves a report. The safe recursive pattern is two find commands: one sets files to 644, another sets directories to 755 — never chmod -R 644 because that removes execute bits from directories and breaks navigation. Works on Ubuntu 22.04 LTS, Debian 12, Fedora 39, and CentOS 9.

The Script

Paste this into a file called permissions-audit.sh. It scans a target directory for world-writable files and saves a report when it finds them.

```bash
#!/bin/bash
# permissions-audit.sh — BashSnippets.xyz
# Audit and report dangerous file permissions
set -euo pipefail

CHECK="✓"
CROSS="✗"

# Directory to scan: first argument, defaulting to the web root
SCAN_DIR="${1:-/var/www}"
DANGEROUS_PERMS="777"
REPORT_FILE="/tmp/perms-audit-$(date +%Y%m%d).txt"

echo "Scanning: $SCAN_DIR"
echo "Looking for world-writable files ($DANGEROUS_PERMS)..."
echo ""

# -perm 777 matches regular files whose mode is exactly 777. Unreadable
# subdirectories make find exit non-zero, so "|| true" keeps set -e from
# aborting the audit halfway through.
FOUND=$(find "$SCAN_DIR" -perm "$DANGEROUS_PERMS" -type f 2>/dev/null || true)

if [ -z "$FOUND" ]; then
    echo "$CHECK No $DANGEROUS_PERMS files found in $SCAN_DIR"
else
    echo "$CROSS DANGER: World-writable files found:"
    echo "$FOUND"
    echo "$FOUND" > "$REPORT_FILE"
    echo ""
    echo "Report saved to: $REPORT_FILE"
fi

echo ""
echo "--- Recommended Permissions ---"
echo "Files: chmod 644 (rw-r--r--)"
echo "Directories: chmod 755 (rwxr-xr-x)"
echo "Executables: chmod 755 (rwxr-xr-x)"
echo "SSH keys: chmod 600 (rw-------)"
echo "Private dirs: chmod 700 (rwx------)"
```

What this script checks

find "$SCAN_DIR" -perm "$DANGEROUS_PERMS" -type f searches for regular files whose mode is exactly 777. Those files are world-writable, which means any user or compromised process can overwrite them. The exact match is deliberately narrow: a 666 or 766 file is just as writable by everyone but is not reported, while the -perm -o+w form shown later under Auditing with find catches any file with the "other" write bit set. The report is written to /tmp under a predictable, date-based name; on a multi-user host, point REPORT_FILE at a directory only the auditing account can write to.
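To see how much an exact-mode search misses, here is an added example (not part of the original post) that builds a throwaway directory with constructed files at modes 777, 666, 766, 644 and 600, then runs the script's -perm 777 test beside the broader -perm -o+w test; all paths and file names are made up.

```bash
#!/bin/bash
# Added example (not from the original post): shows why an audit that matches
# -perm 777 exactly misses other world-writable files, while -perm -o+w catches
# them all. Builds a throwaway directory tree, so it runs offline as any user.
set -euo pipefail

# Constructed sample tree with a mix of modes (every path here is made up).
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/html/uploads" "$root/html/cache"
    : > "$root/html/index.php";         chmod 644 "$root/html/index.php"          # fine
    : > "$root/html/uploads/shell.php"; chmod 777 "$root/html/uploads/shell.php"  # exact 777
    : > "$root/html/cache/data.tmp";    chmod 666 "$root/html/cache/data.tmp"     # world-writable, not 777
    : > "$root/html/deploy.sh";         chmod 766 "$root/html/deploy.sh"          # world-writable, not 777
    : > "$root/.env";                   chmod 600 "$root/.env"                    # fine
    printf '%s\n' "$root"
}

# Exact-match audit, as in the script above: only mode-777 regular files.
count_exact_777() {
    find "$1" -type f -perm 777 2>/dev/null | wc -l | tr -d ' '
}

# Any regular file whose "other" class has the write bit, whatever the rest of the mode.
count_other_writable() {
    find "$1" -type f -perm -o+w 2>/dev/null | wc -l | tr -d ' '
}

# Runs both audits on one sample tree and prints "exact=N other_writable=M".
compare_audits() {
    local root exact ow
    root=$(make_sample_tree)
    exact=$(count_exact_777 "$root")
    ow=$(count_other_writable "$root")
    rm -rf "$root"
    printf 'exact=%s other_writable=%s\n' "$exact" "$ow"
}

compare_audits   # exact=1 other_writable=3
```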

Step-by-Step Setup

Step 1 — Create the script file

bash
nano permissions-audit.sh

Paste the script above, then press Ctrl+X → Y → Enter to save.

Step 2 — Set your scan directory

The script accepts a directory as an argument. No editing required — just pass the path when you run it:

| Target directory | What it scans |
| --- | --- |
| /var/www | Web server files — the most common audit target |
| /home | All user home directories |
| /etc | System config files — should never be world-writable |
| /srv | Hosted application data |

Step 3 — Make it executable and run the audit

```bash
chmod +x permissions-audit.sh
./permissions-audit.sh /var/www
```

If any 777 files are found, you will see:

```text
Scanning: /var/www
Looking for world-writable files (777)...

✗ DANGER: World-writable files found:
/var/www/html/uploads/shell.php
/var/www/html/cache/data.tmp

Report saved to: /tmp/perms-audit-20260603.txt
```

If nothing is found, you get a clean result:

```text
✓ No 777 files found in /var/www
```

Step 4 — Fix flagged files

For each file in the report, apply the correct permission based on its type:

```bash
# Regular files — readable by all, writable only by owner
chmod 644 /var/www/html/uploads/shell.php

# Directories — owner can enter and write, others can enter and read
chmod 755 /var/www/html/cache/

# Scripts and executables — same as directories
chmod 755 /var/www/html/deploy.sh

# Sensitive files — owner only
chmod 600 /var/www/.env
```

Run the audit again after fixing to confirm the report is clean:

```bash
./permissions-audit.sh /var/www
```

chmod Basics

Octal mode

7 = rwx (read+write+execute)
6 = rw- (read+write)
5 = r-x (read+execute)
4 = r-- (read only)
0 = --- (no permissions)

Format: chmod [owner][group][other] file

```bash
chmod 644 file.txt     # owner rw, group r, other r
chmod 755 script.sh    # owner rwx, group rx, other rx
chmod 600 id_rsa       # owner rw, no one else
```

Symbolic mode

```bash
chmod u+x script.sh    # add execute for owner
chmod go-w file.txt    # remove write for group and other
chmod a+r file.txt     # add read for all (a = all)
```

Common Permission Patterns

| Pattern | Octal | Use Case |
| --- | --- | --- |
| rw-r--r-- | 644 | Regular files, configs, web assets |
| rwxr-xr-x | 755 | Directories, executables, scripts |
| rw------- | 600 | SSH private keys, secrets |
| rwx------ | 700 | Private directories |
| rw-rw-r-- | 664 | Shared group files |

Recursive Changes

Recursive permission changes are where people usually break deploys. Directories need the execute bit so users and processes can enter them.

```bash
chmod -R 755 /var/www/html                          # Sets everything to 755, files included (files gain execute)
chmod -R 644 /var/www/html                          # DON'T DO THIS — breaks directories
find /var/www/html -type f -exec chmod 644 {} \;    # Files only
find /var/www/html -type d -exec chmod 755 {} \;    # Dirs only
```

Never use chmod -R 777

chmod -R 777 makes everything world-writable. On a shared server or web host, that means anyone who can run code as another user can overwrite your files, plant backdoors, or break your app.

Auditing with find

find is the permission audit tool you already have installed. These searches help you spot dangerous files before they become incidents.

```bash
find / -perm 777 -type f 2>/dev/null       # All 777 files on system
find /var/www -perm -o+w -type f           # World-writable web files
find /home -perm 600 -name "*.key"         # Find SSH keys with correct perms
find / -perm -4000 -type f 2>/dev/null     # Find SUID files (security audit)
```

chown — Changing Ownership

Permissions decide what the owner, group, and everyone else can do. chown changes who the owner and group are.

```bash
chown user file.txt                        # change owner
chown user:group file.txt                  # change owner and group
chown -R www-data:www-data /var/www        # Fix web server ownership
chown --reference=ref.txt target.txt       # Copy ownership from another file
```

Common Mistakes

Safe permissions to memorize

- SSH private keys must be 600 — SSH will refuse to use them otherwise.
- Web files: 644 for files, 755 for directories.
- Use find + -exec instead of chmod -R to avoid breaking directory execute bits.
- Audit world-writable files on new servers immediately.

Frequently Asked Questions

How do I find world-writable files in Linux?

Run: find / -perm -o+w -type f 2>/dev/null. The -perm -o+w test matches any file whose "other" class has the write bit set, regardless of the rest of the mode, so it also catches 666 and 766 files that an exact -perm 777 search misses. On a web server, scope it to the web root: find /var/www -perm -o+w -type f.

What file permissions should a web server use?

Files should be 644 (owner can read/write, everyone else read-only). Directories should be 755 (owner can enter and write, others can only enter and read). Never use 777 on a shared or internet-facing server.

How do I fix file permissions recursively without breaking directories?

Use two find commands — one for files, one for directories:

```bash
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;
```

chmod -R 644 breaks directories by removing their execute bit, which prevents anyone from entering them.
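As an added example (not from the original post) covering both this answer and the Recursive Changes section above, the following builds a constructed, deliberately mis-permissioned tree, applies the two-find fix, and verifies with find ! -perm that nothing deviates from 644/755 afterwards; the paths and file names are made up.

```bash
#!/bin/bash
# Added example (not from the original post): the two-find pattern applied to a
# constructed tree, then verified by counting anything that still deviates from
# 644 (files) / 755 (directories). All paths are made up; runs as any user.
set -euo pipefail

# Deliberately messy sample tree: a 777 upload dir, 777/666 files, a 600 file.
make_messy_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/html/uploads" "$root/html/cache"
    chmod 755 "$root" "$root/html" "$root/html/cache"
    chmod 777 "$root/html/uploads"                                        # world-writable directory
    : > "$root/html/uploads/a.jpg";  chmod 777 "$root/html/uploads/a.jpg"
    : > "$root/html/cache/data.tmp"; chmod 666 "$root/html/cache/data.tmp"
    : > "$root/html/index.php";      chmod 600 "$root/html/index.php"     # too tight for the web server
    printf '%s\n' "$root"
}

# Safe recursive fix: files get 644, directories get 755. Never chmod -R 644
# here, which would strip the execute bit directories need to be entered.
# "{} +" hands find's matches to chmod in batches instead of one chmod per path.
fix_web_perms() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Counts files that are not 644 plus directories that are not 755; 0 means clean.
count_deviations() {
    local files dirs
    files=$(find "$1" -type f ! -perm 644 | wc -l | tr -d ' ')
    dirs=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
    echo $(( files + dirs ))
}

# Builds the tree, fixes it, and reports "before=N after=M".
demo_fix() {
    local root before after
    root=$(make_messy_tree)
    before=$(count_deviations "$root")
    fix_web_perms "$root"
    after=$(count_deviations "$root")
    rm -rf "$root"
    printf 'before=%s after=%s\n' "$before" "$after"
}

demo_fix   # before=4 after=0
```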

What is a SUID file and why is it a security risk?

SUID (Set User ID) means the file runs with its owner's privileges rather than the caller's. On a root-owned binary, any user who can run it gets root privileges for that execution, so any flaw in such a binary becomes a path to privilege escalation. Find them with: find / -perm -4000 -type f 2>/dev/null.

What does chmod 600 do?

chmod 600 gives the file owner read and write permission, and removes all access from the group and others. It is the required permission for SSH private keys — SSH will refuse to use a key with looser permissions.

Written by Anguishe

Creator of BashSnippets.xyz

bashsnippets.xyz/about

Frequently Asked Questions

How do I run this script?

Save it as permissions-audit.sh (the name used above), run chmod +x permissions-audit.sh, then execute ./permissions-audit.sh with the directory to scan as the argument (SCAN_DIR defaults to /var/www) to generate a permission report.

Does this work on macOS?

Yes. find -perm works on macOS. SUID/SGID scanning behaves the same on BSD find.

How do I find world-writable files in Linux?

Run find /path -type f -perm -002 or find /path -perm 777 to locate files writable by all users.

What file permissions should a web server use?

Files 644, directories 755. Never chmod -R 644 — that removes execute bits from directories and breaks navigation.