Information
Home directories must be writeable only by the owner. This recommendation audits (or removes) any write permission given to group or others via traditional file mode permissions (set with chmod). Nor should a home directory have any permissions managed (whether permit or deny) via ACLs.
HOME directories with group or world write access enable malicious users to add files or directories, or even remove them if the directory's sticky ('T', SVTX) bit is not also set. While this does not necessarily allow access to existing data, that data can be destroyed (unlink()) or replaced by a new file with the same name. Such modifications could be used, e.g., to exploit the user's authorizations to gain further system privileges.
Disabling read and execute access for world and/or group might be part of a company security policy; the audit and remediation scripts will then need to be modified to reflect this addition.
The use of ACLs is discouraged because their effect is not immediately visible using standard tools. They must first be identified as active (locating inodes with permission bit 0200000000 set) and then read using aclget before the actual permissions granted or denied are known. Better is to deny outside access to home (i.e., user) related data altogether. When data must be shared, create an area outside of ${HOME}.
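A report-only counterpart to the check described above, added here as an example (it is not the AIXTools/CIS script and not part of the original page). It reads the mode column of ls -ld, which is available on any POSIX system, instead of the AIX-specific perl stat test, and returns the same bitmask layout the remediation script uses (2 = group write, 16 = world write, 1 = ACL). Treating a '+' in character 11 as the extended-ACL marker is an assumption: GNU ls prints it, and on AIX the same column is produced by ls -e. It additionally reports whether the sticky bit limits the damage, the caveat raised in the text.

```shell
#!/bin/sh
# home_mode_audit: report-only audit of home directory modes.
# Added example; not the AIXTools/CIS remediation script and changes nothing.
# Assumption: 'ls -ld' prints the mode string as column 1 and marks an active
# extended ACL with '+' in character 11 (GNU ls; on AIX use 'ls -eld').

# home_mode_findings DIR
# Exit status is a bitmask laid out like the perl check in the script:
#   2 = group write bit, 16 = other (world) write bit, 1 = ACL marker '+'
# 0 means the directory passes; 64 means DIR is not a directory.
home_mode_findings() {
    if [ ! -d "$1" ]; then
        printf '%s: not a directory\n' "$1"
        return 64
    fi
    mode=$(ls -ld -- "$1" | cut -c1-11)   # e.g. "drwxrwxr-x+"
    rc=0
    case $(printf '%s' "$mode" | cut -c6) in w) rc=$((rc | 2)) ;; esac
    case $(printf '%s' "$mode" | cut -c9) in w) rc=$((rc | 16)) ;; esac
    case $(printf '%s' "$mode" | cut -c11) in +) rc=$((rc | 1)) ;; esac
    return $rc
}

# home_mode_sticky DIR: 0 if the sticky (SVTX) bit is set, else 1.
# A sticky but writable directory still lets others add files, not unlink them.
home_mode_sticky() {
    case $(ls -ld -- "$1" | cut -c10) in [tT]) return 0 ;; *) return 1 ;; esac
}

# home_mode_report DIR: human-readable verdict on stdout, exit status as above.
home_mode_report() {
    rc=0
    home_mode_findings "$1" || rc=$?
    [ $rc -eq 64 ] && return $rc
    [ $rc -eq 0 ] && { printf '%s: OK\n' "$1"; return 0; }
    [ $((rc & 2)) -ne 0 ] && printf '%s: group write set\n' "$1"
    [ $((rc & 16)) -ne 0 ] && printf '%s: world write set\n' "$1"
    [ $((rc & 1)) -ne 0 ] && printf '%s: extended ACL active\n' "$1"
    if [ $((rc & 18)) -ne 0 ]; then
        if home_mode_sticky "$1"; then
            printf '%s: sticky bit set, others can add but not remove files\n' "$1"
        else
            printf '%s: no sticky bit, others can remove or replace files\n' "$1"
        fi
    fi
    return $rc
}

# Command-line use: audit every directory given as an argument.
if [ $# -gt 0 ]; then
    status=0
    for d in "$@"; do
        home_mode_report "$d" || status=1
    done
    exit $status
fi
```

Run it as `sh home_mode_audit.sh /home/alice /home/bob`; a non-zero exit means at least one directory failed. The directory list can be produced by the same lsuser loop the remediation script uses, so the audit and the fix agree on which accounts are in scope.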
Solution
For all local accounts with UID >= 200:
- Remove write permission from home directories that have group or world write access, and reset any active ACL:
#!/usr/bin/ksh -e
# home_mode_acl: 4.8.1.3
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
# Usage: home_mode_acl [MIN_UID]   (default 200)
typeset -i UIDCK=${1:-0}
typeset -i ret=0
if (( UIDCK == 0 )); then
    UIDCK=200
fi
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest
do
    uid_check=$(echo ${ids} | cut -f2 -d =)
    if [[ ${uid_check} -ge ${UIDCK} ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        locked=$(echo ${locks} | cut -f2 -d =)
        if [[ ${home} == "/dev/null" || ${locked} == "true" ]]; then
            continue
        elif [[ ! -d ${home} ]]; then
            /usr/bin/printf "%-32s does not exist; locking account named [%s]\n" ${home} ${name}
            chuser -R files account_locked=true $name
        elif [[ ${home} != "/" ]]; then
            # The exit status encodes the findings: bits 022 are the group and
            # world write bits of the mode, bit 1 means an ACL is active
            # (mode bit 0200000000 set). The script runs with -e, so the
            # non-zero status is captured with || instead of aborting the run.
            ret=0
            perl -e '$f=$ARGV[0]; $m=(stat $f)[2];
                exit (($m & 022) + 1) if ($m & 0200000000);
                exit($m & 022);' $home || ret=$?
            [[ $ret == 0 ]] && continue
            if (( ret & 1 )); then
                printf "%s: had ACL defined and enabled\n" $home
                # Replace the ACL with that of a fresh, empty directory:
                # base permissions only, extended permissions disabled.
                rm -rf /tmp/$$/${home}
                mkdir -p /tmp/$$/${home}
                aclget /tmp/$$/${home} | aclput ${home}
                rm -rf /tmp/$$/${home}
            fi
            if (( ret & 022 )); then
                printf "%s: had group or world write mode\n" $home
            fi
            # Done after the ACL reset on purpose: aclput also rewrites the base
            # permission bits from the temporary directory, which would
            # reintroduce group write if root's umask is 002.
            chmod og-w ${home}
        fi
    fi
done
rm -rf /tmp/$$
- NOTE: The permission change is automatically applied to all accounts with a user ID (uid) greater than or equal to 200, or to the value passed as the script's first argument. If the HOME directory has already been defined to something special (here, /dev/null), or the account is locked, no change is made to the account attributes. Accounts whose HOME directory does not exist are locked (account_locked=true) rather than modified.
- To automate the process for new users see Additional Information below.
Impact:
There should be no impact, at least as far as world permissions are concerned. There is a potential that all members of the group staff or system might see minimal impact if their systems have, or had, a default umask of 002 when their accounts were created.
Accounts created with a default umask of 022 or stricter will not be impacted, unless a user modified their HOME directory mode bits to permit group and/or other write access.