6.2.10 Ensure local interactive user home directories are configured

Information

The user home directory is space defined for the particular user to set local environment variables and to store personal files. While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist.

Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory. Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges. If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local environment variables set.

Solution

If a local interactive users' home directory is undefined and/or doesn't exist, follow local site policy and perform one of the following:

- Lock the user account
- Remove the user from the system
- Create a directory for the user. If undefined, edit /etc/passwd and add the absolute path to the directory to the last field of the user.

Run the following script to:

- Remove excessive permissions from local interactive users home directories
- Update the home directory's owner

#!/usr/bin/env bash

{
l_output2=""
l_valid_shells="^($( awk -F/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^//{s,/,\\/,g;p}' | paste -s -d '|' - ))$"
unset a_uarr && a_uarr=() # Clear and initialize array
while read -r l_epu l_eph; do # Populate array with users and user home location
a_uarr+=("$l_epu $l_eph")
done <<< "$(awk -v pat="$l_valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)"
l_asize="${#a_uarr[@]}" # Here if we want to look at number of users before proceeding
[ "$l_asize " -gt "10000" ] && echo -e "
** INFO **
- \"$l_asize\" Local interactive users found on the system
- This may be a long running process
"
while read -r l_user l_home; do
if [ -d "$l_home" ]; then
l_mask='0027'
l_max="$( printf '%o' $(( 0777 & ~$l_mask)) )"
while read -r l_own l_mode; do
if [ "$l_user" != "$l_own" ]; then
l_output2="$l_output2
- User: \"$l_user\" Home \"$l_home\" is owned by: \"$l_own\"
- changing ownership to: \"$l_user\"
"
chown "$l_user" "$l_home"
fi
if [ $(( $l_mode & $l_mask )) -gt 0 ]; then
l_output2="$l_output2
- User: \"$l_user\" Home \"$l_home\" is mode: \"$l_mode\" should be mode: \"$l_max\" or more restrictive
- removing excess permissions
"
chmod g-w,o-rwx "$l_home"
fi
done <<< "$(stat -Lc '%U %#a' "$l_home")"
else
l_output2="$l_output2
- User: \"$l_user\" Home \"$l_home\" Doesn't exist
- Please create a home in accordance with local site policy"
fi
done <<< "$(printf '%s
' "${a_uarr[@]}")"
if [ -z "$l_output2" ]; then # If l_output2 is empty, we pass
echo -e " - No modification needed to local interactive users home directories"
else
echo -e "
$l_output2"
fi
}

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 87f423951b14e59aa528185d2919cc99fe13a40afc8d319f1507379572d40be1