Identifying World-Writable Files

A file or directory is "world-writable" if the "Other" permission bits grant write access. In octal notation, this means the last digit is 2, 3, 6, or 7.

World-writable files are a severe security risk. If a configuration file or script is world-writable, any unprivileged user on the system can modify it to execute arbitrary code or alter system behavior.

Finding World-Writable Files

We use find's -perm test with the "any of" (/) prefix, so an entry matches if the write bit for "Other" (0002) is set, regardless of the remaining bits.

# Find files that anyone can write to
find / -type f -perm /0002 -print 2>/dev/null

Symlinks on Linux always display 777 permissions (lrwxrwxrwx). The kernel ignores a symlink's own permission bits and enforces those of the target file, so every symlink will falsely trigger a world-writable audit that does not filter by file type.

You must explicitly filter them out using -type f or -type d.

# Correct: Only check regular files
find /etc -type f -perm /0002

# Correct: Only check directories
find /etc -type d -perm /0002

World-Writable Directories and the Sticky Bit

World-writable directories (like /tmp or /var/tmp) are necessary for the OS to function. However, they must be protected by the Sticky Bit.

If a directory has the sticky bit set (octal 1000, displayed as t), users can only delete or rename files that they own inside that directory. Without the sticky bit, User A could delete User B's files inside a world-writable directory.

Auditing for the Missing Sticky Bit

Security audits require finding directories that are world-writable (0002) but DO NOT have the sticky bit set (1000).

# Find directories that are world-writable (-perm /0002)
# AND NOT protected by the sticky bit (! -perm -1000)
find / -type d -perm /0002 ! -perm -1000 -print 2>/dev/null

Remediation

If you find unprotected world-writable directories, the remediation is to apply the sticky bit:

chmod +t /path/to/vulnerable/directory
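As an added example, not part of the original page, the following script builds a constructed scratch tree containing each case discussed above (a world-writable file, a symlink, and world-writable directories with and without the sticky bit), runs the audits against it, and applies the chmod +t remediation. The fixture paths and function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original page): build a scratch tree with one of
# each case discussed above, run the audits against it, and check that the
# chmod +t remediation clears the sticky-bit finding. All paths are constructed.

# Constructed fixture under a private mktemp root (mode 0700, so the root
# itself never appears in the results).
make_fixture() {
    root=$(mktemp -d) || return 1
    printf 'x\n' > "$root/ww_file";   chmod 0666 "$root/ww_file"     # world-writable file
    printf 'x\n' > "$root/safe_file"; chmod 0644 "$root/safe_file"   # not writable by others
    ln -s "$root/safe_file" "$root/link"                             # symlink: lstat reports 0777
    mkdir "$root/ww_nosticky"; chmod 0777 "$root/ww_nosticky"        # the real directory finding
    mkdir "$root/ww_sticky";   chmod 1777 "$root/ww_sticky"          # like /tmp: acceptable
    printf '%s\n' "$root"
}

# Naive check without a -type filter: the symlink is a false positive because
# find tests the link's own (always 0777) mode, not the target's.
naive_ww_entries() {
    find "$1" ! -type d -perm /0002 2>/dev/null | sort
}

# World-writable regular files only (-type f drops the symlink).
audit_ww_files() {
    find "$1" -type f -perm /0002 2>/dev/null | sort
}

# World-writable directories that lack the sticky bit.
audit_unsticky_dirs() {
    find "$1" -type d -perm /0002 ! -perm -1000 2>/dev/null | sort
}

# Remediation from the page, applied to every finding under $1.
fix_unsticky_dirs() {
    audit_unsticky_dirs "$1" | while IFS= read -r d; do chmod +t "$d"; done
}

# Stand-alone demonstration; the fixture is removed afterwards.
demo_root=$(make_fixture)
echo "naive (includes symlink):"; naive_ww_entries "$demo_root"
echo "regular files:";            audit_ww_files "$demo_root"
echo "dirs missing sticky bit:";  audit_unsticky_dirs "$demo_root"
fix_unsticky_dirs "$demo_root"
echo "after chmod +t: $(audit_unsticky_dirs "$demo_root" | wc -l) finding(s)"
rm -rf "$demo_root"
```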