4.7.1.3 Home directory: write access restricted to 'owner'

Information

Home directories must be writable only by the owner. This recommendation audits (or removes) any write permission granted via traditional file mode bits (chmod). A home directory should also have no permissions managed (whether permit or deny) via ACLs.

Rationale:

HOME directories with group or world write access enable malicious users to add files or directories, or even remove them if the directory sticky ('T', SVTX) bit is not also set. While this does not necessarily allow access to data, existing data might be destroyed (unlink()) or replaced (a new file added with the same name). Such modifications could be used, for example, to use the user's authorizations to gain other system privileges.

Disabling read and execute access for world and/or group might be part of a company security policy; if so, the audit and remediation scripts will need to be modified to reflect this addition.

The use of ACLs is discouraged because their effect is not immediately visible with standard tools. They must first be identified as active (by locating inodes with permission bit 0200000000 set) and then read with aclget before the actual permissions granted or denied are known. It is better to deny outside access to home (i.e., user) related data altogether. When data must be shared, create an area outside of ${HOME}.

Impact:

There should be no impact, at least as far as world permissions are concerned. Members of the group staff or system might see minimal impact if their systems have, or had, a default umask of 002 when their accounts were created.

Accounts created with a default umask of 022 or stricter will not be impacted, unless a user modified their HOME directory mode bits to permit group and/or other write access.

Solution

For all local accounts with UID >= 200:

Remove write permission from home directories that have group or world write access:

#!/usr/bin/ksh -e
# home_mode_acl: 4.8.1.3
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
# Usage: home_mode_acl [MIN_UID]   (defaults to 200 when omitted or 0)
typeset -i UIDCK=${1:-0}
typeset -i ret=0
if (( UIDCK == 0 )); then
    UIDCK=200
fi
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest
do
    uid_check=$(echo ${ids} | cut -f2 -d =)
    if [[ ${uid_check} -ge ${UIDCK} ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        locked=$(echo ${locks} | cut -f2 -d =)
        if [[ ${home} == '/dev/null' || ${locked} == 'true' ]]; then
            continue
        elif [[ ! -d ${home} ]]; then
            /usr/bin/printf '%-32s does not exist; locking account named [%s]\n' ${home} ${name}
            chuser -R files account_locked=true $name
        elif [[ ${home} != '/' && ${home} != '/dev/null' ]]; then
            # st_mode bits 022 = group/world write; 0200000000 (S_IXACL) = extended ACL active.
            # The exit status encodes both: (mode & 022), plus 1 when an ACL is enabled.
            # "|| ret=$?" keeps the non-zero status from terminating the script under -e.
            ret=0
            perl -e '$f=$ARGV[0]; $m=(stat $f)[2];
                exit (($m & 022) + 1) if ($m & 0200000000);
                exit($m & 022);' $home || ret=$?
            [[ $ret == 0 ]] && continue
            if (( $ret & 022 )); then
                printf '%s: had group or world write mode\n' $home
                chmod og-w ${home}
            fi
            if (( $ret & 1 )); then
                printf '%s: had ACL defined and enabled\n' $home
                # Copy the base-only ACL of a fresh scratch directory onto the home
                # directory; this discards the extended ACL entries.
                rm -rf /tmp/$$/${home}
                mkdir -p /tmp/$$/${home}
                aclget /tmp/$$/${home} | aclput ${home}
                rm -rf /tmp/$$/${home}
            fi
        fi
    fi
done

NOTE: The permission change is automatically applied to all accounts with a user ID (uid) greater than or equal to 200. Also, if the HOME directory has already been set to something special (here, /dev/null), no change is made to the account attributes.

To automate the process for new users see Additional Information below.
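Before running the remediation above, an administrator normally wants a read-only pass that lists which home directories would be changed. The following is an added example, not part of the CIS/AIXTools script: an audit-only companion in POSIX sh that applies the same selection rules (uid threshold, locked accounts and /dev/null homes skipped, missing directories reported) but modifies nothing. The lsuser lines in demo() are constructed sample data so it runs on a non-AIX host; on AIX, feed audit_homes the real output of lsuser -R files -a id home account_locked ALL. ACL detection relies on the perl stat() test in the script and is not portable, so it is left out here.

```shell
#!/bin/sh
# Audit-only companion to the CIS home_mode_acl remediation script (added
# example, not the CIS/AIXTools code). Reports, never changes.

# home_mode_ok DIR: return 0 if DIR is a directory with neither group nor
# world write bit set, 1 if either bit is set, 2 if DIR is not a directory.
# ls -ld is used because stat(1) flags differ between AIX, GNU and BSD.
home_mode_ok() {
    dir=$1
    [ -d "$dir" ] || return 2
    mode=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxrwxr-x
    case $mode in
        ?????w????|????????w?) return 1 ;;   # 'w' at position 6 (group) or 9 (other)
    esac
    return 0
}

# audit_homes MIN_UID: read "name id=N home=DIR account_locked=BOOL" lines
# on stdin (the lsuser -R files -a id home account_locked ALL format), print
# one status line per account with uid >= MIN_UID, and return the number of
# accounts that are not OK. Locked accounts and /dev/null homes are skipped,
# exactly as the remediation script does.
audit_homes() {
    minuid=$1
    failed=0
    while read -r name ids homes locks rest; do
        [ -n "$name" ] || continue
        uid=${ids#id=}
        home=${homes#home=}
        locked=${locks#account_locked=}
        [ "$uid" -ge "$minuid" ] || continue
        if [ "$home" = /dev/null ] || [ "$locked" = true ]; then
            continue
        fi
        rc=0
        home_mode_ok "$home" || rc=$?
        case $rc in
            0) printf 'OK      %-8s %s\n' "$name" "$home" ;;
            1) printf 'FAIL    %-8s %s (group or world writable)\n' "$name" "$home"
               failed=$((failed + 1)) ;;
            *) printf 'MISSING %-8s %s (no such directory)\n' "$name" "$home"
               failed=$((failed + 1)) ;;
        esac
    done
    return "$failed"
}

# demo: build fixture directories with different modes (constructed data),
# run the audit with MIN_UID=200 and return its count. Expected: alice OK,
# bob and carol FAIL, erin MISSING; dave (locked), root (uid 0) and svc
# (uid 150, below the threshold) are skipped, so the count is 3.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/alice" "$base/bob" "$base/carol" "$base/dave"
    chmod 755 "$base/alice"
    chmod 775 "$base/bob"
    chmod 777 "$base/carol"
    chmod 777 "$base/dave"
    rc=0
    audit_homes 200 <<EOF || rc=$?
alice id=201 home=$base/alice account_locked=false
bob id=202 home=$base/bob account_locked=false
carol id=203 home=$base/carol account_locked=false
dave id=204 home=$base/dave account_locked=true
root id=0 home=/ account_locked=false
svc id=150 home=$base/svc account_locked=false
erin id=205 home=$base/erin account_locked=false
EOF
    rm -rf "$base"
    return "$rc"
}

demo
```

The exit status of audit_homes is the number of findings, so the function can be dropped into a cron job or monitoring check as-is; a clean system exits 0.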

Default Value:

drwxr-xr-x (or Directory, 755)

Additional Information:

To automate this during account creation (mkuser), create a customized mkuser.sys script named /etc/security/mkuser.sys.custom and ensure that chmod is called with either

chmod u=rwx,g=rx,o= $1

or

chmod og-w $1

The command will likely look something like:

mkdir -p $1 && chmod og-w $1

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: ccedccff6a9fb9a7cc163b5bd71b860d56b1bf77ff083ce4c2226cc4a8a081e9