3.3 Ensure world writable directories have the SVTX bit set

Information

The system is audited for world writable directories.

World writable directories are considered as a common application component - usually a location for temporary files.

An audit should be performed on the system to search for the presence of world writable directories. Directories should only be world writable when absolutely necessary, and only with the so-called SVTX bit set. This protects users files from being deleted or renamed.

Solution

- Review the local mounted JFS/JFS2 filesystems using the following command to find all world writable directories missing the SVTX bit:

find / ( -fstype jfs -o -fstype jfs2 ) -type d -perm -o+w ! -perm -1000 -ls
- If a directory must retain world writable access, ensure that SVTX bit is set so that users can only remove the filenames they own:

chmod o+t ${dir}

NOTE: This will leave existing modes while adding the SVTX (also known as sticky bit ) to the directory. The documented meaning of the flag for directories is: Sets the link permission to directories

- Otherwise, remove world-write permission - without modifying the other mode bits:

chmod o-w ${dir}

Impact:

World writable directories exist on UNIX systems (e.g., /tmp, /var/tmp). These directories are needed for normal operations. To protect the files created in the directories the 'links to the inode' (ie, filename) need to be protected so that others may not accidentally, or maliciously - remove or modify the filename.

See Also

https://workbench.cisecurity.org/benchmarks/10385

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2

Plugin: Unix

Control ID: 296bb5c1607e1ae15b3913ab877da8e8f19ad129c3dce13fd3d1ac4d5db98a12