6.2.12 Ensure users' dot files are not group or world writable

Information

While the system administrator can establish secure permissions for users' "dot" files, the users can easily override these.

Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges.

Solution

Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site policy.

The following script will remove excessive permissions on dot files within interactive users' home directories.

#!/bin/bash

awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(/usr)?/sbin/nologin(/)?$/ && $7!~/(/usr)?/bin/false(/)?$/) { print $6 }' /etc/passwd | while read -r dir; do
if [ -d "$dir" ]; then
for file in "$dir"/.*; do
if [ ! -h "$file" ] && [ -f "$file" ]; then
fileperm=$(stat -L -c "%A" "$file")
if [ "$(echo "$fileperm" | cut -c6)" != "-" ] || [ "$(echo "$fileperm" | cut -c9)" != "-" ]; then
chmod go-w "$file"
fi
fi
done
fi
done

See Also

https://workbench.cisecurity.org/files/3796

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 4028f7548bef14ce52591819b196420776fccacf741aeaf45ec8fb9ef0390cc7