3.6.3.1 FTPD: Prevent world access and group write to files

Information

The umask of the ftp service should be set to at least 027 so that the FTP daemon process does not create world-accessible or group-writeable files by default.

Rationale:

With a weaker umask (for example the 022 that ftpd inherits from inetd when no -u option is given), files created by the FTP daemon are world-readable, and with 002 or 000 they are also group- or world-writeable. Such files could be read or altered by other users on the system and then transferred over the network, which could result in the compromise of sensitive information. Setting the ftpd umask to at least 027 removes group write and all access for other on newly created files.

Solution

Set the default umask of the ftp daemon:

[[ $(grep -c '^ftp[[:blank:]]' /etc/inetd.conf) -gt 0 ]] && chsubserver -c -v ftp -p tcp 'ftpd -l -u 027' && refresh -s inetd || RC=0

NOTE: The command only changes the ftp subserver when an ftp entry exists in /etc/inetd.conf; the ftpd -u option sets the daemon's umask in octal. A umask of 027 removes write permission for group and all permissions for other, so a file requested with mode 666 is created as 640. The trailing || RC=0 keeps the one-liner's exit status at zero when no ftp entry is present.

Default Value:

/usr/sbin/ftpd ftpd -l
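The following script is an added example and is not part of the CIS benchmark or the Tenable audit text. It shows how to check an inetd.conf-style ftp entry for the ftpd -u option and decide whether the value satisfies "at least 027", which means the umask clears every bit of 027 (so 037 and 077 also pass while 022 does not). The two inetd.conf fragments are constructed for illustration; on AIX the real file is /etc/inetd.conf, and the field layout follows the Default Value line above.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the Tenable audit item.
# Checks an inetd.conf-style ftp entry for the ftpd "-u" umask option and
# decides whether it meets "at least 027". The inetd.conf content below is
# constructed for illustration; on AIX the real file is /etc/inetd.conf.

# Constructed inetd.conf content: an ftp entry before remediation (no -u,
# matching the Default Value) and one after remediation (-u 027).
INETD_BEFORE='ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -l
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd telnetd -a'
INETD_AFTER='ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -l -u 027
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd telnetd -a'

# Print the value following "-u" on the ftp service line read from stdin.
# Prints nothing when there is no ftp line or the line has no -u option.
ftpd_umask_from_inetd() {
    awk '$1 == "ftp" { for (i = 1; i < NF; i++) if ($i == "-u") { print $(i+1); exit } }'
}

# Succeed when the octal umask clears every bit of 027 (group write plus all
# of other). 027, 037 and 077 pass; 022, 002 and an empty value fail. The
# empty case matters: without -u, ftpd inherits inetd's umask, usually 022.
umask_at_least_027() {
    case "$1" in ""|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 0027 )) -eq $(( 0027 )) ]
}

# Mode of a file created with the usual 0666 request under the given umask,
# printed in octal: 027 yields 640, 022 yields 644.
effective_file_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Audit one inetd.conf body (passed as a string) and print PASS or FAIL
# together with the mode new files would receive.
audit_inetd() {
    mask=$(printf '%s\n' "$1" | ftpd_umask_from_inetd)
    if umask_at_least_027 "$mask"; then
        echo "PASS: ftpd umask ${mask} -> new files created as $(effective_file_mode "$mask")"
    else
        # With no -u option assume the inherited inetd umask of 022 when
        # reporting the resulting mode.
        echo "FAIL: ftpd umask '${mask:-unset}' -> new files created as $(effective_file_mode "${mask:-022}")"
    fi
}

audit_inetd "$INETD_BEFORE"
audit_inetd "$INETD_AFTER"
```

To run the same check against a live system, replace the constructed strings with `audit_inetd "$(cat /etc/inetd.conf)"`; the comparison is bitwise rather than numeric on purpose, because a umask such as 070 is numerically larger than 027 yet still leaves files world-readable.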

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 8c59bae5ae6a48479997f284f03daddf5b14134aa5e2ccaf95d72f517a025c9a