Tags: shell, unix, user-permissions, directory-permissions

How to know if a given user has read and/or write permissions for a given path


I should start by saying I consider myself a proficient user. But today I had the need to automate this and was stumped.

Let's suppose I am root, and as such I'm able to traverse the whole filesystem but I can't run "sudo" nor "su".

I have a given user and a given path.

How can I check, over the CLI, whether the user will be able to read and/or write to the path?

I know this sounds easy, but keep in mind that:

  • We're not, nor can we become, the user.
  • We can't just rely on the final directory permissions, as permissions higher up the path may be blocking access to the final directory.
  • We can't just rely on the directory group permissions either, in this age of inherited groups.

I'm assuming this can't be done through any command, and I'd need to first gather all user groups, then traverse the whole hierarchy of the path, check read permissions all along the path and then read & write for the final directory. Sounds awfully expensive, though.


Solution

  • Tag me a scripting guru!

    check_access() {
      checked_file=$1
      target_user=$2
      result=PASS

      # "( -group g1 -o -group g2 ... )" for every group the user belongs to,
      # primary and supplementary, so inherited group membership counts.
      groups=`id -G "$target_user" | sed -e 's| | -o -group |g' -e 's|^|( -group |' -e 's|$| )|'`

      # Walk from the target up to and including /: a plain file needs a read
      # bit, every directory on the way needs a search (x) bit. find(1) exits 0
      # whether or not the expression matched, so the match is detected from the
      # -print output. "-perm -0400" means "this bit is set"; "-perm 0400" would
      # only match a mode of exactly 0400. Write access is not checked, and
      # OR-ing the owner/group/other classes is an approximation: the kernel
      # consults only the one class that applies to the user.
      while :; do
        match=`find "$checked_file" -maxdepth 0 \( \
          -type f \( \
            \( -user "$target_user" -perm -0400 \) \
            -o \( $groups -perm -0040 \) \
            -o -perm -0004 \
          \) -o -type d \( \
            \( -user "$target_user" -perm -0100 \) \
            -o \( $groups -perm -0010 \) \
            -o -perm -0001 \
          \) \) -print 2>/dev/null`
        [ -n "$match" ] || result=FAIL
        [ "$checked_file" = / ] && break
        checked_file=`dirname "$checked_file"`
      done
      echo $result
    }
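
A stricter version of the walk, as an added example that is not part of the original answer. It selects the one permission class the kernel actually consults (owner bits if the user owns the object, otherwise group bits if the object's group is one of the user's groups, otherwise the "other" bits) instead of OR-ing all three, checks read and/or write on the final component as the question asks, handles a target that does not exist yet (creating it needs write on the parent), and reports which component blocked access. The function and helper names (`can_access`, `_has_bit`, `_matches`) are my own; it assumes POSIX sh, `id(1)`, and a `find(1)` that supports `-L` and `-maxdepth` (GNU and BSD both do). Only mode bits are consulted: POSIX ACLs, capabilities, MAC policy (SELinux/AppArmor) and read-only mounts are ignored, and a symlinked component is judged by its target's bits only (the target's own ancestors are not walked), so "OK" means "not blocked by the mode bits".

```shell
#!/bin/sh
# Added example (not the original answer's code). Assumes POSIX sh, id(1), and
# find(1) with -L and -maxdepth (GNU/BSD). Mode bits only: ACLs, capabilities,
# MAC policy and read-only mounts are not consulted; a symlinked component is
# checked by its target's bits but the target's own ancestors are not walked.

# _matches OBJ FIND-PRIMARIES...: succeeds when OBJ satisfies the primaries.
# find(1) exits 0 whether or not anything matched, so look at -print output.
_matches() {
    _o=$1; shift
    [ -n "$(find -L "$_o" -maxdepth 0 "$@" -print 2>/dev/null)" ]
}

# _has_bit USER OBJ OWNER_BIT GROUP_BIT OTHER_BIT: succeeds when USER holds the
# bit in the single class the kernel consults. OR-ing all three classes would
# wrongly grant an owner whose own bits deny but whose "other" bits allow.
_has_bit() {
    _u=$1 _obj=$2 _bit=$5                         # default: "other" class
    if _matches "$_obj" -user "$_u"; then
        _bit=$3                                   # owner class
    else
        for _g in $(id -G "$_u"); do              # primary + supplementary groups
            if _matches "$_obj" -group "$_g"; then _bit=$4; break; fi
        done
    fi
    _matches "$_obj" -perm "-$_bit"
}
_can_read()   { _has_bit "$1" "$2" 0400 0040 0004; }
_can_write()  { _has_bit "$1" "$2" 0200 0020 0002; }
_can_search() { _has_bit "$1" "$2" 0100 0010 0001; }

# can_access USER PATH [r|w|rw]: prints OK or the first blocking component.
# Returns 0 when every requested access is allowed, 1 when denied, 2 on error.
can_access() {
    user=$1 path=$2 mode=${3:-r}
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user"; return 2; }
    # uid 0 bypasses discretionary mode bits entirely (CAP_DAC_OVERRIDE).
    if [ "$(id -u "$user")" -eq 0 ]; then echo "OK (uid 0 ignores mode bits)"; return 0; fi
    case $path in /*) ;; *) path=$PWD/$path ;; esac   # walk an absolute path

    # Every directory from the parent up to and including / needs search (x).
    d=$(dirname -- "$path")
    while :; do
        _can_search "$user" "$d" || { echo "DENIED: no search (x) on directory $d"; return 1; }
        [ "$d" = / ] && break
        d=$(dirname -- "$d")
    done

    if [ ! -e "$path" ]; then
        # Nothing to read; creating PATH needs write (plus the x checked above) on its parent.
        case $mode in *r*) echo "DENIED: $path does not exist"; return 1 ;; esac
        parent=$(dirname -- "$path")
        _can_write "$user" "$parent" || { echo "DENIED: no write on $parent to create $(basename -- "$path")"; return 1; }
        echo OK; return 0
    fi
    case $mode in *r*)
        _can_read "$user" "$path" || { echo "DENIED: no read on $path"; return 1; } ;;
    esac
    case $mode in *w*)
        _can_write "$user" "$path" || { echo "DENIED: no write on $path"; return 1; }
        # Creating or removing entries in a directory also needs search (x) on it.
        if [ -d "$path" ]; then
            _can_search "$user" "$path" || { echo "DENIED: no search (x) on directory $path"; return 1; }
        fi ;;
    esac
    echo OK
}

# Usage: sh can_access.sh USER PATH [r|w|rw]
if [ "$#" -ge 2 ]; then can_access "$@"; fi
```

Run it as root (or any account that can stat every component) with `sh can_access.sh alice /srv/data/report.csv rw`; the exit status is scriptable and the message names the first directory in the chain that blocks the user, which is the case the question is worried about. The root shortcut is deliberate: for uid 0 the mode bits are irrelevant, and checking them would give a confidently wrong answer.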