You are helping the user debug systemwide folder permissions and ensure they are set appropriately.
Diagnoses and fixes system-wide folder permission issues by checking common directories, security risks, and user access. Use this when encountering permission errors or auditing system security.
Gather information from user: Ask:
Check common system directories:
Root filesystem:
ls -ld /
# Should be: drwxr-xr-x root root
Essential system directories:
ls -ld /bin /sbin /usr /usr/bin /usr/sbin /lib /lib64
# Should be: drwxr-xr-x root root
Variable data:
ls -ld /var /var/log /var/tmp
# /var: drwxr-xr-x root root
# /var/log: drwxrwxr-x root syslog (or root root)
# /var/tmp: drwxrwxrwt root root (sticky bit)
Temporary directories:
ls -ld /tmp
# Should be: drwxrwxrwt root root (sticky bit important!)
Home directories:
ls -ld /home /home/$USER
# /home: drwxr-xr-x root root
# /home/$USER: drwxr-xr-x $USER $USER (or drwx------ for privacy)
Check for permission issues:
World-writable directories without sticky bit (security risk):
sudo find / -type d -perm -0002 ! -perm -1000 2>/dev/null
Files with SUID bit (potential security issue if unexpected):
sudo find / -type f -perm -4000 2>/dev/null
Files with SGID bit:
sudo find / -type f -perm -2000 2>/dev/null
Check /etc permissions:
ls -la /etc | head -20
# /etc itself: drwxr-xr-x root root
# Most files should be 644 (rw-r--r--)
# Some may be 640 or 600 for security
Sensitive files:
ls -l /etc/shadow /etc/gshadow /etc/ssh/sshd_config
# /etc/shadow: -rw-r----- root shadow (Debian/Ubuntu; RHEL-family systems use ---------- root root)
# /etc/gshadow: -rw-r----- root shadow
# /etc/ssh/sshd_config: -rw-r--r-- root root
Check user home directory structure:
ls -la ~/ | grep "^d"
Common directories and recommended permissions:
- ~/.ssh: 700 (drwx------)
- ~/.ssh/id_rsa: 600 (-rw-------)
- ~/.ssh/id_rsa.pub: 644 (-rw-r--r--)
- ~/.ssh/authorized_keys: 600 (-rw-------)
- ~/.ssh/config: 600 (-rw-------)
- ~/.gnupg: 700 (drwx------)
- ~/bin: 755 (drwxr-xr-x)
- ~/.local: 755 (drwxr-xr-x)
- ~/.config: 755 (drwxr-xr-x)
Check /opt and /usr/local:
ls -ld /opt /usr/local /usr/local/bin
# Typically: drwxr-xr-x root root
# But may be group-writable for admin group
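The checklist above, turned into a reusable audit script. This is an added example and not part of the original skill; it assumes GNU coreutils (`stat -c`) on Linux and the Debian-style `root:shadow` ownership of `/etc/shadow` shown above, and the `check_mode` and `unsafe_world_writable` helpers can be pointed at any path.

```shell
#!/bin/sh
# Added example, not part of the original skill: audit helpers that compare a
# path's actual mode and owner with the expected values from the checklist
# above. Assumes GNU coreutils (stat -c) on Linux.

# check_mode PATH EXPECTED_MODE [OWNER:GROUP]
# Prints a verdict line; exit status 0 = matches, 1 = mismatch, 2 = missing.
check_mode() {
    path=$1 want_mode=${2#0} want_owner=${3:-}
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"; return 2
    fi
    have_mode=$(stat -c '%a' "$path")
    have_owner=$(stat -c '%U:%G' "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        printf 'MODE    %s is %s, expected %s\n' "$path" "$have_mode" "$want_mode"
        return 1
    fi
    if [ -n "$want_owner" ] && [ "$have_owner" != "$want_owner" ]; then
        printf 'OWNER   %s is %s, expected %s\n' "$path" "$have_owner" "$want_owner"
        return 1
    fi
    printf 'OK      %s %s %s\n' "$path" "$have_mode" "$have_owner"
}

# unsafe_world_writable DIR: succeeds (0) when DIR is world-writable but has
# no sticky bit, the same condition the find command above looks for.
unsafe_world_writable() {
    [ -d "$1" ] || return 1
    mode=$(printf '%d' "0$(stat -c '%a' "$1")")   # octal string to integer
    [ $((mode & 2)) -ne 0 ] && [ $((mode & 512)) -eq 0 ]   # 512 = 01000, the sticky bit
}

# audit_system: run the fixed checklist (paths and modes from the text above);
# missing paths are skipped. Exit status 1 when any mode or owner is wrong.
audit_system() {
    bad=0
    for entry in '/ 755 root:root' '/tmp 1777 root:root' '/var/tmp 1777 root:root' \
                 '/etc/shadow 640 root:shadow' '/etc/ssh/sshd_config 644 root:root' \
                 "$HOME/.ssh 700" "$HOME/.ssh/authorized_keys 600"; do
        set -- $entry               # split "path mode owner"; assumes no spaces in $HOME
        rc=0; check_mode "$1" "$2" "${3:-}" || rc=$?
        [ "$rc" -eq 1 ] && bad=$((bad + 1))
    done
    printf '%d finding(s)\n' "$bad"
    [ "$bad" -eq 0 ]
}

case "${1:-}" in --run) audit_system ;; esac   # e.g.: sh audit.sh --run
```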
Check mount points:
mount | grep "^/" | awk '{print $3}' | while read mp; do
ls -ld "$mp"
done
Check ownership of user files: Find files in home directory not owned by user:
find ~/ -not -user $USER 2>/dev/null
Check group memberships:
groups
id
Common groups users might need:
- sudo - for administrative access
- docker - for Docker access (membership is effectively root-equivalent on the host; grant it sparingly)
- video - for video devices
- audio - for audio devices
- plugdev - for removable devices
- dialout - for serial ports
Fix common issues:
Fix sticky bit on /tmp:
sudo chmod 1777 /tmp
Fix ~/.ssh permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/config
Fix ownership of home directory (review the output of the find command above first: this also re-owns anything under ~ that is intentionally owned by another user or group):
sudo chown -R "$USER:$USER" ~/
Fix common directories:
chmod 755 ~/.local ~/.config ~/bin
Check for ACL (Access Control Lists):
getfacl /path/to/directory
If ACLs are in use (indicated by a + directly after the permission string in ls -l):
ls -la | grep '^.\{10\}+'
# Matches the + in column 11 only, not a + inside a file name
Check SELinux context (if enabled):
getenforce
ls -Z /path/to/directory
Check for immutable flags:
lsattr /path/to/file
If files have the i flag, they can't be modified even by root until the flag is removed:
sudo chattr -i /path/to/file
Specific directory recommendations:
/var/www (web server):
sudo chown -R www-data:www-data /var/www
sudo find /var/www -type d -exec chmod 755 {} \;
sudo find /var/www -type f -exec chmod 644 {} \;
/srv (service data):
sudo chown -R root:root /srv
sudo chmod 755 /srv
Shared directories:
sudo chown root:groupname /shared/directory
sudo chmod 2775 /shared/directory # SGID bit for group
Check logs for permission denials:
sudo journalctl -p err | grep -i "permission denied"
dmesg | grep -i "permission denied"
sudo grep "permission denied" /var/log/syslog
Report findings: Summarize:
Provide recommendations: