Created
December 12, 2011 01:16
This Python function analyzes the distribution of uids on a per directory basis.
Give this method the output of git://gist.github.com/1464048.git and it will go through the list
and calculate the distribution of uids on a per directory basis. It could be easily modified to do
the same for gids and permissions.
This may be useful to find malicious files in a file system that have unusual uids, say for instance
in a directory like /usr/lib where everything is normally uid 0, an attacker may have an archive that
drops files in the directory with different uids. Yes, I've seen this before.
def get_uid_freq_by_dir(items):
    # items yields (directory path, {filename: metadata dict}) pairs
    for path_name, file_name in items:
        freq = {}
        files = [(filename, meta) for filename, meta in file_name.items()]
        files.sort()
        # count how many files in this directory carry each uid
        for filename, meta in files:
            uid = int(meta['uid'])
            freq[uid] = freq.get(uid, 0) + 1
        # swap uid and cnt without clobbering uniques
        uid_cnt = [(cnt, uid) for uid, cnt in freq.items()]
        uid_cnt.sort()
        # only report directories that contain more than one uid
        if len(uid_cnt) > 1:
            print(path_name)
            for cnt, uid in uid_cnt:
                print(cnt, uid)
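The description above notes that the same count could be run for gids and permissions. The following is an added example, not part of the original gist: it generalizes the function to any metadata field and returns the minority values together with the files that carry them, which is what an analyst triages next. It assumes the same input shape as `get_uid_freq_by_dir` plus a `gid` key in each metadata dict; `rare_values_by_dir`, `max_share` and `SAMPLE` are hypothetical names, and the sample data is constructed.

```python
from collections import Counter

def rare_values_by_dir(items, field="uid", max_share=0.2):
    """Map each directory to the minority values of `field` found in it.

    items: iterable of (dir_path, {filename: metadata_dict}) pairs, the
    shape get_uid_freq_by_dir consumes. A value is reported when it is not
    the directory's most common one and covers <= max_share of its files.
    """
    findings = {}
    for path_name, files in items:
        # Normalise to str so "0" and 0 count as the same value.
        counts = Counter(str(m[field]) for m in files.values() if field in m)
        if len(counts) < 2:
            continue  # homogeneous directory, nothing stands out
        total = sum(counts.values())
        majority = counts.most_common(1)[0][0]
        rare = []
        # Rarest values first, ties broken by value for stable output.
        for value, cnt in sorted(counts.items(), key=lambda kv: (kv[1], kv[0])):
            if value != majority and cnt / total <= max_share:
                names = sorted(n for n, m in files.items()
                               if str(m.get(field)) == value)
                rare.append((value, cnt, names))
        if rare:
            findings[path_name] = rare
    return findings

# Constructed sample input; file names and ids are made up for illustration.
SAMPLE = [
    ("/usr/lib", {
        "liba.so": {"uid": "0", "gid": "0"},
        "libb.so": {"uid": "0", "gid": "0"},
        "libc.so": {"uid": "0", "gid": "0"},
        "libd.so": {"uid": "0", "gid": "0"},
        "libe.so": {"uid": "0", "gid": "0"},
        "libx.so": {"uid": "1001", "gid": "0"},
    }),
    ("/home/shared", {
        "a.txt": {"uid": "1000", "gid": "100"},
        "b.txt": {"uid": "1001", "gid": "100"},
    }),
]

if __name__ == "__main__":
    for field in ("uid", "gid"):
        print(field, rare_values_by_dir(SAMPLE, field))
```

The `max_share` cutoff keeps directories with a naturally even mix of owners, such as a shared home directory, out of the report; raise it to widen the net.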