Linux file-permission audit — the risky bits

Overview

Three bit tests on a Unix mode: world-writable (0002), setuid (04000), setgid (02000), OR'd into a flag mask.

Why it matters

World-writable and setuid bits are the bread-and-butter of Linux privilege-escalation audits.

Lesson

Why this matters

Two of the first things a Linux audit (and a privilege-escalation check) does: find world-writable files and find setuid/setgid binaries. Both are just bits in the file's mode, and reading them is pure bit masking.

The mode bits

       setuid setgid sticky   owner   group   other
        4000   2000   1000     rwx     rwx     rwx

• world-writable: the other write bit (0002) — anyone can change the file.
• setuid (04000): the program runs as its owner (often root) — a classic privilege-escalation target if misused.
• setgid (02000): runs with the file's group.

A setuid-root binary that's also world-writable is a five-alarm finding.

Your job

Implement int audit_mode(unsigned int mode) returning a bitmask: world-writable (bit 0), setuid (bit 1), setgid (bit 2). It's three independent mode & MASK tests OR'd together.

What this is NOT

• A filesystem scanner — you inspect a mode integer, not real files. Tools like AIDE, Lynis, and auditd do the scanning; this is the check they run per file.

Summary

mode & 0002 / 04000 / 02000 → the risky-bit trio every permission audit checks.

Practice with these exercises

• Audit a file mode for risky bits
• Read the machine type from a PE header