7.1.11 Ensure world writable files and directories are secured

Information

World writable files are the least secure. Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. See the chmod(2) man page for more information.

Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.

The sticky bit prevents users from deleting or renaming files in world writable directories (such as /tmp) that are owned by another user.

Solution

- World Writable Files:
  - It is recommended that write access is removed from other with the command (chmod o-w <filename>), but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file.

- World Writable Directories:
  - Set the sticky bit on all world writable directories with the command (chmod a+t <directory_name>)

Run the following script to:

- Remove other write permission from any world writable files
- Add the sticky bit to all world writable directories

#!/usr/bin/env bash

{
   l_smask='01000' # Octal mask for the sticky bit
   a_file=(); a_dir=() # Initialize arrays
   # Paths excluded from the scan (runtime, kernel and container-managed trees)
   a_path=(! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/*" -a ! -path "/snap/*")
   while IFS= read -r l_mount; do
      while IFS= read -r -d $'\0' l_file; do
         if [ -e "$l_file" ]; then
            l_mode="$(stat -Lc '%#a' "$l_file")"
            if [ -f "$l_file" ]; then # Remove excess permissions from WW files
               echo -e " - File: \"$l_file\" is mode: \"$l_mode\"\n  - removing write permission on \"$l_file\" from \"other\""
               chmod o-w "$l_file"
            fi
            if [ -d "$l_file" ]; then # Add sticky bit
               if [ ! $(( $l_mode & $l_smask )) -gt 0 ]; then # Sticky bit not set
                  echo -e " - Directory: \"$l_file\" is mode: \"$l_mode\" and doesn't have the sticky bit set\n  - Adding the sticky bit"
                  chmod a+t "$l_file"
               fi
            fi
         fi
      # World writable (o+w) files and directories on this mount, excluding a_path
      done < <(find "$l_mount" -xdev \( "${a_path[@]}" \) \( -type f -o -type d \) -perm -0002 -print0 2> /dev/null)
   # Local mounts only: skip network/pseudo filesystems and the temp directories
   done < <(findmnt -Dkerno fstype,target | awk '($1 !~ /^\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^(\/run\/user\/|\/tmp|\/var\/tmp)/){print $2}')
}
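Before running the remediation above, it is useful to see what it would touch. The following audit-only helper is an added example, not part of the CIS benchmark or its script: it reports the two conditions this control checks under one path using only POSIX find(1) permission predicates (-perm -0002 for other-write, ! -perm -1000 for a missing sticky bit), changes nothing, and assumes a single mount point is passed as its argument rather than walking findmnt output or applying the path exclusions of the remediation script.

```shell
#!/usr/bin/env sh
# Added audit-only helper (not the CIS remediation script): list, without
# changing anything, what 7.1.11 would flag under one path.
#   WW-FILE         regular file writable by "other"
#   WW-DIR-NOSTICKY directory writable by "other" that lacks the sticky bit
# Assumption: the argument is the mount point (or subtree) to check; the
# remediation script's findmnt loop and path exclusions are not reproduced.
# Output is one path per line, so file names containing newlines would be
# reported on more than one line.
audit_world_writable() {
    l_root="$1"
    # "-perm -0002": the other-write bit is set (same test as the CIS script)
    find "$l_root" -xdev -type f -perm -0002 -print 2>/dev/null \
        | sed 's/^/WW-FILE /'
    # "! -perm -1000": sticky bit absent, equivalent to the 01000 mask check
    find "$l_root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | sed 's/^/WW-DIR-NOSTICKY /'
}

# Number of findings under the path; 0 means the path passes this control.
audit_world_writable_count() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}
```

Run it against the same mount points the remediation script would select, and re-run it after applying chmod o-w / chmod a+t to confirm the count has dropped to 0.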

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 0f80e5c5359d8859328422ef5b54fe94bd3ac5a18c35bfb0a68fd6ee1c05c0ee