6.1.11 Ensure world writable files and directories are secured

Information

World writable files are the least secure. Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. See the chmod(2) man page for more information.

Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.


Setting the sticky bit prevents users from deleting or renaming files in world writable directories (such as /tmp) that are owned by another user.

Solution

- World Writable Files:
  - It is recommended that write access is removed from "other" with the command ( chmod o-w <filename> ), but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file.

- World Writable Directories:
  - Set the sticky bit on all world writable directories with the command ( chmod a+t <directory_name> ).

Run the following script to:

- Remove other write permission from any world writable files
- Add the sticky bit to all world writable directories

#!/usr/bin/env bash

{
   l_smask='01000' # Sticky bit mask (octal)
   a_path=(); a_arr=() # Initialize arrays
   # Paths excluded from the search (pseudo and container filesystems)
   a_path=(! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "/sys/kernel/security/apparmor/*" -a ! -path "/snap/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/sys/fs/selinux/*")
   # Also exclude network and proc mount points reported by findmnt
   while read -r l_bfs; do
      a_path+=( -a ! -path "$l_bfs/*")
   done < <(findmnt -Dkerno fstype,target | awk '$1 ~ /^\s*(nfs|proc|smb)/ {print $2}')
   # Populate array with world writable files and directories as "name^mode"
   while IFS= read -r -d $'\0' l_file; do
      [ -e "$l_file" ] && a_arr+=("$(stat -Lc '%n^%#a' "$l_file")")
   done < <(find / \( "${a_path[@]}" \) \( -type f -o -type d \) -perm -0002 -print0 2>/dev/null)
   while IFS="^" read -r l_fname l_mode; do # Test files in the array
      if [ -f "$l_fname" ]; then # Remove excess permissions from WW files
         echo -e " - File: \"$l_fname\" is mode: \"$l_mode\"\n - removing write permission on \"$l_fname\" from \"other\""
         chmod o-w "$l_fname"
      fi
      if [ -d "$l_fname" ]; then
         if [ ! $(( $l_mode & $l_smask )) -gt 0 ]; then # Add sticky bit
            echo -e " - Directory: \"$l_fname\" is mode: \"$l_mode\" and doesn't have the sticky bit set\n - Adding the sticky bit"
            chmod a+t "$l_fname"
         fi
      fi
   done < <(printf '%s\n' "${a_arr[@]}")
   unset a_path; unset a_arr # Remove arrays
}
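The following read-only audit helper is an added example, not part of the benchmark's remediation script. It applies the same classification (a world writable file is a finding, a world writable directory is a finding only when the sticky bit is missing) to a single tree, so the result can be reviewed before any chmod is run; it assumes GNU find and stat, and the ww_demo fixture tree is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added audit helper (not the CIS remediation script). Emits "TYPE^MODE^PATH"
# for each world writable entry that the remediation script would change.
# Assumes GNU find/stat, as the remediation script does.

ww_audit() {
    local root="$1" l_file l_mode
    local l_smask='01000'   # sticky bit mask (octal)
    while IFS= read -r -d '' l_file; do
        # %#a prints the mode in octal with a leading 0, e.g. 0666 or 01777;
        # bash arithmetic treats a leading 0 as octal, so the mask test works.
        l_mode="$(stat -Lc '%#a' "$l_file")"
        if [ -f "$l_file" ]; then
            printf 'FILE^%s^%s\n' "$l_mode" "$l_file"
        elif [ -d "$l_file" ] && [ $(( l_mode & l_smask )) -eq 0 ]; then
            printf 'DIR_NOSTICKY^%s^%s\n' "$l_mode" "$l_file"
        fi
    done < <(find "$root" \( -type f -o -type d \) -perm -0002 -print0 2>/dev/null)
}

# Constructed fixture: one entry per case, built in a scratch directory so the
# real filesystem is untouched. Paths are printed relative to the scratch tree.
ww_demo() {
    local t
    t="$(mktemp -d)"
    mkdir -p "$t/sticky" "$t/nosticky" "$t/safe"
    : > "$t/ww.txt"; : > "$t/safe/ok.txt"
    chmod 1777 "$t/sticky"       # world writable with sticky bit: compliant
    chmod 0777 "$t/nosticky"     # world writable without sticky bit: finding
    chmod 0666 "$t/ww.txt"       # world writable file: finding
    chmod 0644 "$t/safe/ok.txt"  # not world writable: ignored
    ww_audit "$t" | sed "s|$t/||" | sort
    rm -rf "$t"
}

ww_demo
```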

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 33f58a5e1e1d5e96f831cd8c351d06229fb6f3959a7fe6fd5c4c069199bddda7