Information
No user home directory may be group-writable or world (other) writable.
Rationale:
A group- or world-writable home directory lets other users read, modify or plant files in it, including login scripts such as .profile, and so steal or alter the owner's data or obtain the owner's privileges. Removing the group and world write bits (and, where appropriate, read and execute access for users outside the owner's group) leaves each user in control of what is shared from the home directory through discretionary access control.
Impact:
Minimal impact is expected, since the default home directory mode already excludes group and other (world) write access. If several groups are in use (e.g. more than just 'staff') and users in different groups have been sharing files through their home directories, those users will need another location in which to share files.
Solution
Remove group and world write access from any home directory that has it. The script below also locks any regular account whose home directory does not exist, and leaves accounts whose home is / or /dev/null untouched:
#!/usr/bin/ksh -e
# Walk every local (-R files) account; lsuser prints "name id=<uid> home=<dir>".
lsuser -R files -a id home ALL | while read name ids homes rest
do
    uid_check=$(echo ${ids} | cut -f2 -d =)
    # Only regular user accounts (uid >= 200) are touched; system accounts are skipped.
    if [[ ${uid_check} -ge 200 ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        if [[ ${home} == '/dev/null' ]]; then
            # Account deliberately has no home directory: nothing to change.
            continue
        elif [[ ! -d ${home} ]]; then
            # Home directory is missing: lock the account rather than create one.
            /usr/bin/printf '%-32s does not exist; locking account named [%s]\n' "${home}" "${name}"
            chuser -R files account_locked=true "${name}"
        elif [[ ${home} != '/' ]]; then
            # perl exits non-zero when the group-write (020) or other-write (002) bit
            # is set in the directory mode; only then is chmod run.
            /usr/bin/perl -e '$f=$ARGV[0]; $m=((stat $f)[2] & 0022); exit($m)' "${home}" ||
                chmod og-w "${home}"
        fi
    fi
done
NOTE: The permission change is applied only to accounts with a user ID (uid) of 200 or higher. If the HOME directory has already been set to something special (here, /dev/null) no change is made to the account attributes; if the HOME directory does not exist, the account is locked instead of being given a new directory.
To automate the process for new users see Additional Information below.
Default Value:
drwxr-xr-x (Directory, 755)
Additional Information:
To apply this automatically at account creation (mkuser), create a customized script named /etc/security/mkuser.sys.custom and make sure it runs chmod on the new home directory, which mkuser passes as $1, with either
chmod u=rwx,g=rx,o= $1
or
chmod og-w $1
The command will typically look something like:
mkdir -p $1 && chmod og-w $1
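A complete hook script for this, written here as an added example rather than text taken from the benchmark: it creates the directory if needed, strips the group and world write bits, and then verifies the result so a failure is reported instead of silently leaving a writable home. The file name /etc/security/mkuser.sys.custom and the use of $1 as the home directory come from the text above; the remaining positional arguments ($2 user name, $3 primary group, $4 login shell) are the ones mkuser.sys receives. The script assumes nothing about whether mkuser.sys.custom replaces or follows the default mkuser.sys processing; if on your level it replaces it, the default chown "$2:$3" and .profile copy must be added as well. The is_group_or_world_writable check parses ls -ld rather than calling perl so that the same script runs on any POSIX shell.

```sh
#!/bin/sh
# /etc/security/mkuser.sys.custom (added example, not the benchmark's own text)
# mkuser calls this with: $1 = home directory, $2 = user name,
# $3 = primary group, $4 = login shell. Only $1 is used here.
# Assumption: if mkuser.sys.custom replaces (rather than follows) the default
# mkuser.sys processing on your AIX level, add chown "$2:$3" and the .profile
# copy here too.

# Return 0 (true) when the group-write or other-write bit is set on $1.
# In the 10-character mode string printed by ls -ld, position 6 is the
# group write bit and position 9 is the other (world) write bit.
is_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*)    return 0 ;;   # group write set
        ????????w?) return 0 ;;   # other write set
        *)          return 1 ;;
    esac
}

# Create the home directory if needed, strip group/world write, then verify.
# Refuses to touch "/" (never chmod the root directory) and treats /dev/null
# as "no home directory", matching the special cases in the Solution script.
harden_home() {
    dir=$1
    case "$dir" in
        ""|/)      return 1 ;;
        /dev/null) return 0 ;;
    esac
    mkdir -p "$dir" || return 1
    chmod og-w "$dir" || return 1
    # Fail loudly if the bits are still set (for example an ACL or a
    # filesystem that ignored the chmod) so mkuser does not report success.
    if is_group_or_world_writable "$dir"; then
        echo "harden_home: $dir is still group/world writable" >&2
        return 1
    fi
    return 0
}

# When mkuser invokes this file, $1 is the new user's home directory.
if [ $# -ge 1 ]; then
    harden_home "$1" || exit 1
fi
```

The script must be executable (chmod 755 /etc/security/mkuser.sys.custom) for mkuser.sys to run it. The verify step matters on AIX: a non-zero exit from the hook surfaces in the mkuser output, whereas a bare chmod that was later undone (or never took effect) would go unnoticed until the next audit.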