4.5.2.3 FTPD: Prevent world access and group write to files

Information

The umask of the ftpd service should be set to at least 027 in order to prevent the FTP daemon process from creating world-accessable, group-writeable files by default.

Rationale:

The umask of the ftpd service should be set to at least 027 in order to prevent the FTP daemon process from creating world-accessable and group-writeable files by default. These files could then be transferred over the network which could result in compromise of the critical information.

Solution

Set the default umask of the ftp daemon:

[[ $(grep -c '^ftp[[:blank:]]' /etc/inetd.conf) -gt 0 ]] && chsubserver -c -v ftp -p tcp 'ftpd -l -u 027' && refresh -s inetd || RC=0'

NOTE: The umask above restricts write permissions for both group and other. All access for other is removed.

Default Value:

/usr/sbin/ftpd ftpd -l

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7, 800-53|MA-4

Plugin: Unix

Control ID: f700e8497067b8a198ab3126bf43bc4e148ca17d2de6980fabc2a783eca2627e