2.2 Verify world writable directories provide unlink() protection

Information

The system is audited to verify world writable directories provide unlink() protection to file owners.

Rationale:

An audit should be performed on the system to search for the presence of world writable directories. Directories should only be world writable when absolutely necessary, and only with the so-called SVTX bit set. This protects users' files from being deleted or renamed by other users.

Impact:

World writable directories exist on UNIX systems (e.g., /tmp, /var/tmp). These directories are needed for normal operations. To protect the files created in these directories, the 'links to the inode' (i.e., the filenames) need to be protected so that others may not, accidentally or maliciously, remove or rename a file they do not own.

Solution

Review the local mounted JFS/JFS2 filesystems using the following command to find all world writable directories missing the SVTX bit:

find / \( -fstype jfs -o -fstype jfs2 \) -type d -perm -o+w ! -perm -1000 -ls

If a directory must retain world writable access, ensure that the SVTX bit is set so that users can only remove the filenames they own:

chmod o+t ${dir}

NOTE: This leaves the existing mode bits unchanged while adding the SVTX (also known as the sticky bit) to the directory. The documented meaning of the flag for directories is:
"Sets the link permission to directories."

Otherwise, remove world-write permission without modifying the other mode bits:

chmod o-w ${dir}
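The following script is an added example, not part of the CIS benchmark or the Tenable audit text. It ties the three steps above together: it audits a tree for world writable directories that lack the SVTX bit, keeps world-write and adds the sticky bit on directories that appear on an allowlist, and drops world-write everywhere else. Because it is meant to run on any POSIX system (not just AIX), the '-fstype jfs -o -fstype jfs2' filter is replaced with '-xdev' and octal masks are used instead of the symbolic 'o+w'; the sample tree, the allowlist and the function names are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: audit and remediate world writable directories without SVTX.
# Assumptions: a scratch area under ${TMPDIR:-/tmp}; '-xdev' stands in for the
# AIX-specific '-fstype jfs -o -fstype jfs2' filter used in the benchmark.

# Print every directory under $1 (same filesystem only) that is world writable
# (-perm -0002: other-write bit set) and has no sticky bit (! -perm -1000).
find_unprotected_ww_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Return 0 if the directory has the sticky bit: column 10 of 'ls -ld' is
# 't' (sticky + other-execute) or 'T' (sticky without other-execute).
has_sticky_bit() {
    case "$(ls -ld "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Remediate one directory. If it is in the space-separated allowlist $2 it must
# stay world writable, so only the SVTX bit is added (chmod o+t); otherwise
# world-write is removed (chmod o-w). No other mode bits are touched.
remediate_dir() {
    dir=$1; allow=$2
    for a in $allow; do
        if [ "$a" = "$dir" ]; then
            chmod o+t "$dir"
            return 0
        fi
    done
    chmod o-w "$dir"
}

# Build a constructed sample tree covering each case the audit has to tell apart.
make_sample_tree() {
    base=$(mktemp -d "${TMPDIR:-/tmp}/wwaudit.XXXXXX")
    mkdir -p "$base/shared" "$base/scratch" "$base/ok_sticky" "$base/private"
    chmod 0777 "$base/shared"      # world writable, no SVTX  -> finding (allowlisted)
    chmod 0777 "$base/scratch"     # world writable, no SVTX  -> finding
    chmod 1777 "$base/ok_sticky"   # world writable with SVTX -> already compliant
    chmod 0755 "$base/private"     # not world writable       -> out of scope
    echo "$base"
}

# Audit the tree rooted at $1, remediate each finding (only "$1/shared" is
# allowed to stay world writable) and print the number of findings found
# before remediation. Findings are spooled to a file so paths with spaces
# survive and the counter is not lost in a pipeline subshell.
audit_and_fix() {
    base=$1
    list=$(mktemp "${TMPDIR:-/tmp}/wwlist.XXXXXX")
    find_unprotected_ww_dirs "$base" > "$list"
    while IFS= read -r d; do
        remediate_dir "$d" "$base/shared"
    done < "$list"
    n=$(wc -l < "$list" | tr -d ' ')
    rm -f "$list"
    echo "$n"
}
```

Running make_sample_tree followed by audit_and_fix reports two findings (shared and scratch); afterwards shared is 1777 and scratch is 0775, and a second audit returns nothing. On a real system the allowlist would hold the directories the benchmark names as necessary, such as /tmp and /var/tmp, and the chmod calls would be reviewed before being applied.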

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: c00f7333db8d2e470d73a3ed4466643ba7353e969cfa7a6f38382fedfa7b8dbc