# /etc/periodic/security/110.neggrpperm problem



## t0she3 (Nov 9, 2013)

Hello, 

I have FreeBSD 9.2. I have too big a run every night of 110.neggrpperm.

```
echo 'Checking negative group permissions:'
        MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
        n=$(find -sx $MP /dev/null -type f \
            \( \( ! -perm +010 -and -perm +001 \) -or \
            \( ! -perm +020 -and -perm +002 \) -or \
            \( ! -perm +040 -and -perm +004 \) \) \
            -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
        [ $n -gt 0 ] && rc=1 || rc=0
```
I changed

```
find -sx $MP /dev/null
```
to

```
n=$(find -sx /home/dragon/sites/root.fs /dev/null -type f \
```
which gives me this result:

```
Checking negative group permissions:
61245010 -rwxrw-r-x  1 root  wheel  578 Apr 17 21:39:28 2010 /home/dragon/sites/root.fs/Backup/App/01/App2/hosting/shop/backup.sh
64622896 -rwxrw-r-x  1 root  wheel  418 Aug 19 00:00:27 2009 /home/dragon/sites/root.fs/rdiff-backup-data/increments/System/BACKUP/shop/backup.old.sh.2013-08-29T01:31:01+03:00.snapshot.gz
64622897 -rwxrw-r-x  1 root  wheel  318 Apr 19 11:59:55 2010 /home/dragon/sites/root.fs/rdiff-backup-data/increments/System/BACKUP/shop/backup.sh.2013-08-29T01:31:01+03:00.snapshot.gz
```
but in the log it is over 10000 files.

Where to find the problem?

Greetings
Todor Zahariev


----------



## Anonymous (Nov 9, 2013)

I am a little bit in doubt about what you want to achieve, please indicate.

(A) Fixing the "negative group" issues?
(B) Quieting the script which reports the issues?

In case (A), either add the execute x-flag to the permissions of the group or remove the x-flag from others.

In case (B), add the following line to /etc/periodic.conf

```
daily_status_security_neggrpperm_enable="NO"
```


----------



## t0she3 (Nov 9, 2013)

Hello,

How to make 

"In case (A), either add the execute x-flag to the permissions of the group or remove the x-flag from others."?

Give me an example.

Greetings,
Todor Zahariev


----------



## Anonymous (Nov 9, 2013)

For adding the x-flag to the permissions of the group of a file:
`# chmod g+x /home/dragon/sites/root.fs/Backup/App/01/App2/hosting/shop/backup.sh`

For removing the x-flag from the permissions of others of a file:
`# chmod o-x /home/dragon/sites/root.fs/Backup/App/01/App2/hosting/shop/backup.sh`


----------



## t0she3 (Nov 11, 2013)

Hello,

After using `chmod o-x /home/evoworld/evoworld/j15/www/cache/_system/15b52be95a9a930b0d4cabd52ac0c41e.php` there are no changes in the log of 110.neggrpperm:


```
77852049 -rw----r--  1 evoworld  evoworld  223621 Jul  4 19:20:40 2013 /home/evoworld/evoworld/j15/www/cache/_system/15b52be95a9a930b0d4cabd52ac0c41e.php
77852050 -rw----r--  1 evoworld  evoworld      10 Jul  4 19:20:40 2013 /home/evoworld/evoworld/j15/www/cache/_system/15b52be95a9a930b0d4cabd52ac0c41e.php_expire
```

Where can I see the status of security_neggrpperm? Did I make a mistake?

Greetings,
Todor Zahariev


----------



## Anonymous (Nov 11, 2013)

t0she3 said:

> ```
> 77852049 -rw----r--  1 evoworld  evoworld  223621 Jul  4 19:20:40 2013 /home/evoworld/evoworld/j15/www/cache/_system/15b52be95a9a930b0d4cabd52ac0c41e.php
> 77852050 -rw----r--  1 evoworld  evoworld      10 Jul  4 19:20:40 2013 /home/evoworld/evoworld/j15/www/cache/_system/15b52be95a9a930b0d4cabd52ac0c41e.php_expire
> ```



These files have another negative group permissions issue, namely others have read permission while group does not, i.e. others have higher permissions (4) than group (0): 0-4 = -4 (negative).

Either add the r-flag to group:
`# chmod g+r /home/evoworld/evoworld/j15/www/cache/_system/15b52be95a9a930b0d4cabd52ac0c41e.php`
Or remove the r-flag from others:
`# chmod o-r /home/evoworld/evoworld/j15/www/cache/_system/15b52be95a9a930b0d4cabd52ac0c41e.php`



			
t0she3 said:

> Where can I see the status of security_neggrpperm?



Run the respective script as user root:
`# /etc/periodic/security/110.neggrpperm`


----------



## t0she3 (Nov 12, 2013)

Hello!

I made a script to change with chmod:


```
for _CFG in `cat LOG`; do
	echo "$_CFG"
	chmod o-x "$_CFG"
	chmod o-r "$_CFG"
done
```

But low joint _[ What? -- Mod. ]_ I get a problem with space strings:

```
"/home/evoworld/evoworld/www_j31/images/com_weever/EVO Logo-3 copy.jpg"
```
space make for 3 pashe._[ What? -- Mod. ]_

Before I use /bin/sh I don't know how to fix the script.
Can you help me?

Greetings,
Todor Zahariev


----------



## t0she3 (Nov 17, 2013)

Hello,

I changed the script:


```
#!/bin/sh

IFS='
'
for _CFG in `cat LOG`; do
        echo "$_CFG"
        chmod o-x "$_CFG"
        chmod o-r "$_CFG"
done
```
And everything came good.

Greetings,
Todor Zahariev


----------
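An added example, not part of the thread and not FreeBSD's own script: a POSIX sh version of the check that 110.neggrpperm performs, plus a fix that removes from "others" only the bit the group lacks, using `find -exec` so paths containing spaces need no `IFS` handling. The function names and the directory argument are assumptions; `-perm -NNN` replaces the script's `-perm +NNN` because the two are equivalent for a single bit and the former is portable.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not the periodic script itself.

# List regular files under directory $1 where "others" hold a permission
# bit that "group" lacks (the condition 110.neggrpperm reports).
neg_grp_list() {
    find "$1" -xdev -type f \
        \( \( ! -perm -010 -perm -001 \) -o \
           \( ! -perm -020 -perm -002 \) -o \
           \( ! -perm -040 -perm -004 \) \) -print
}

# Repair by tightening, never loosening: for each of x, w, r, drop the
# bit from "others" only on files where group does not have it.
# find hands each path to chmod as one argument, so spaces, tabs and
# glob characters in file names are passed through untouched.
neg_grp_fix() {
    find "$1" -xdev -type f ! -perm -010 -perm -001 -exec chmod o-x {} +
    find "$1" -xdev -type f ! -perm -020 -perm -002 -exec chmod o-w {} +
    find "$1" -xdev -type f ! -perm -040 -perm -004 -exec chmod o-r {} +
}

# Typical use (as root, on a directory you have reviewed first):
#   neg_grp_list /home/dragon/sites/root.fs   # inspect what would change
#   neg_grp_fix  /home/dragon/sites/root.fs   # apply
#   neg_grp_list /home/dragon/sites/root.fs   # should now print nothing
```

Unlike running `chmod o-x` and `chmod o-r` on every listed file, this leaves a file's other permissions intact where the group already has the matching bit.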

