topic Re: List group/users access in Operating System - HP-UX

List group/users access

John Ferrara — Wed, 07 Nov 2001 20:42:39 GMT

Does anyone know of a cmd that will list all of the files & directories that a particular group/users has access to and what level of access they have? I've tried "find" and I can't seem to get the correct syntax to list the filename/directory with permissions.

Re: List group/users access

Craig Rants — Wed, 07 Nov 2001 20:47:47 GMT

John

users
find / -user USERNAME -exec ll {} \;

groups
find / -group GROUPNAME -exec ll {} \;

I just threw the -exec part in there but this syntax should work for you.

Good Luck,
C

Re: List group/users access

Roger Baptiste — Wed, 07 Nov 2001 20:48:27 GMT

hi,

to list files/directories
owner by particular user/group
and their permissions:

find $DIR -user -exec ll {} \; | more

(for group -> change -user
to -group
)

HTH
raj

Re: List group/users access

Sridhar Bhaskarla — Wed, 07 Nov 2001 20:49:42 GMT

John,

Did you try

find / -user login_name -exec ll {}\;

I don't think there is any equivalent switch for group.

-Sri

Re: List group/users access

Sridhar Bhaskarla — Wed, 07 Nov 2001 20:50:19 GMT

John,

Ooops..no... You have got -group also there... I never used it before....

-Sri

Re: List group/users access

G. Vrijhoeven — Wed, 07 Nov 2001 20:51:04 GMT

Hi,

OK

for i in `find / -user pipo`
do
echo $i >>filename
ll $i >>filename
echo "##### Next######"
done

Something like this should do it.

Gideon

Re: List group/users access

Darrell Allen — Wed, 07 Nov 2001 21:16:12 GMT

Hi John,

If you indeed want all files and directories a user / group has permissions to, read the man page for find and look at -perm. I've not used it until just now but testing seems to show that -perm -nnn will show the files and directories with a mininum of the perms you specify. Examples:
find . -perm -001 returns those with at least execute bit on for others. It would return --x, -wx, r-x, and rwx for others without regard for user or group
find . -perm -020 returns those with at least write bit on for group. It would return -w-, -wx, -rw, and rwx for group without regard for user and others
Also, the -nnn syntax will get those with suid and sticky bits as well

Combine -perm syntax with -group and -user to get what you want. For example, to find all files and directories that user userA in group groupA has write on:

find / -user userA
obviously if userA owns it he can change perms to include write
find / -group groupA -perm -020
find / -perm -002

I think this can work. Please test before trusting.

Darrell

Re: List group/users access

Darrell Allen — Thu, 08 Nov 2001 15:08:03 GMT

Hi again John,

If using the -exec ll syntax you should make it -exec ll -d {} \; otherwise it will list contents of the matching directories.

I prefer xargs to -exec because it is more performant. xargs takes as many command line args as possible then executes the command once for all those args. If there are more args it will execute the command again for remaining args, and so forth. Test this by comparing the difference between:
timex find . -perm -002 -exec ll -d {} \;
timex find . -perm -002 | xargs ll -d

I did a little more testing with the -perm syntax. It only seems to do AND not OR logic. That is, -perm -007 returns files that are rwx for others, not files that are read, write, execute, OR any combination other than rwx (again, without regard for owner and group permissions). This can get a little cumbersome as shown by the following find commands needed to list all files and directories to which userA in groupA has access of any kind.

find / -user userA | xargs ll -d >/tmp/list
find / -group groupA -perm -010 | xargs ll -d >>/tmp/list
find / -group groupA -perm -020 | xargs ll -d >>/tmp/list
find / -group groupA -perm -030 | xargs ll -d >>/tmp/list
find / -perm -001 | xargs ll -d >>/tmp/list
find / -perm -002 | xargs ll -d >>/tmp/list
find / -perm -003 | xargs ll -d >>/tmp/list
sort -u /tmp/list >list.sorted

I thought that was the answer then I thought about "secondary" groups the user belongs to in /etc/group. You've got to include them so now you have to add something like:

for grp in `grep userA /etc/group | awk -F: '{print $1}'`
do
find / -group $grp -perm -010 | xargs ll -d >>/tmp/list
find / -group $grp -perm -020 | xargs ll -d >>/tmp/list
find / -group $grp -perm -030 | xargs ll -d >>/tmp/list
done

You'd think someone would write a program to do all this. Any takers?

This was probably overkill for your question but I wanted to follow up for my own benefit and then share it with the forums.

One last thing, it's okay and desirable to assign points to all replies to your question, not just the one you choose to use. The first 5 answers to this question were all entered within 4 minutes of each other so please don't disregard them. It would be quite acceptable to give multiple "right" answers 10 points. Also a few points for those where someone tried to answer will encourage them to continue trying.

As for my replies, well it's a case of trying to add more info and completeness for your question. I also spent some time in research which hopefully will help others down the road. And even though I would like some points, I am using my reply just as an example of others where people who spend a little time trying to be helpful should be recognized.

Thanks,
Darrell

Re: List group/users access

James Beamish-White — Thu, 08 Nov 2001 17:32:14 GMT

As noted above, find will do the search, but if you want both user OR group, try:

find / $ -user YOURUSER -o -group YOURGROUP $ -exec ls -ld {} \;

Substitute -a for -o if you want AND.

Note that I used ls -ld so that it picks up directory ownership, and is cross-platform, as solaris doesn't have ll, and I don't know about AIX :-)

James

Re: List group/users access

James Beamish-White — Thu, 08 Nov 2001 17:36:18 GMT

As a response to Darrell's statement, instead of:

for grp in `grep userA /etc/group | awk -F: '{print $1}'`
do
find / -group $grp -perm -010 | xargs ll -d >>/tmp/list
find / -group $grp -perm -020 | xargs ll -d >>/tmp/list
find / -group $grp -perm -030 | xargs ll -d >>/tmp/list
done

try replacing all those finds with

find / -group $grp $ -perm -010 -o -perm -020 -o -perm -030 $ | xargs ls -ld {} \;

Just my 0.02c since we were talking about performance ;-)

James

Re: List group/users access

Darrell Allen — Thu, 08 Nov 2001 22:53:09 GMT

James,

Nice add-on about using () to group the args. Can't believe I've never used that. I will now!

Darrell

Re: List group/users access

John Ferrara — Fri, 09 Nov 2001 14:00:44 GMT

James,

I tried your cmd "find / $ -user YOURUSER -o -group YOURGROUP $ -exec ls -ld {} \;" it came back w/ "bad option" for -o & -a. When I omitted those, I got "missing conjunction" Did I miss something?

John

Re: List group/users access

James Beamish-White — Fri, 09 Nov 2001 14:12:06 GMT

Hi John,

Strange, it works perfectly for me on HP-UX 11.00. What version of HP-UX are you using? Are you able to post your script here so I can take a further look at it?

And are you going to assign points to all the nice people that have posted helping responses? :-)

James

Re: List group/users access

James Beamish-White — Fri, 09 Nov 2001 14:13:46 GMT

Doh! I remember now....

There *has* to be a space in between the $ and the -user, and before the $ at the end of the command. Try again and tell me if it works for you now :-)

Cheers,
James

Re: List group/users access

John Ferrara — Fri, 09 Nov 2001 14:40:52 GMT

BINGO! That was it. Thanks so much. In case you were wondering why I needed this info, my systems get audited on a regular basis. I'm required to submit access for individuals/groups on EVERY directory and file that is on each of my 15 servers!
The previous admin had all of these cmds in his head. I've been the admin for less than a year and sometimes the syntax for these cmds gets a little confusing. Thanks again for your help.

John