4.1.2.9 Ensure all directories in root PATH access is configured

Information

To secure the root users executable PATH, all directories must not be group and world writable.

There should not be group or world writable directories in the root user's executable path. This may allow an attacker to gain super user access by forcing an administrator operating as root to execute a Trojan horse program.

Solution

Search and report on group or world writable directories in root's PATH. The command must be run as the root user. The script below traverses up each individual directory PATH, ensuring that all directories are not group/world writable and that they are owned by root or the bin user:

echo "/:${PATH}" | tr ':' '
' | grep "^/" | sort -u | while read DIR
do
DIR=${DIR:-$(pwd)}
print "Checking ${DIR}"
while [[ -d ${DIR} ]]
do
[[ "$(ls -ld ${DIR})" = @(d???????w? *) ]] && print " WARNING ${DIR} is world writable" || print " ${DIR} is not world writable"
[[ "$(ls -ld ${DIR})" = @(d????w???? *) ]] && print " WARNING ${DIR} is group writable" || print " ${DIR} is not group writable"
[[ "$(ls -ld ${DIR} |awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
DIR=${DIR%/*}
done
done

NOTE: Review the output and manually change the directories, if possible. Directories which are group and/or world writable are marked with "WARNING"

To manually change permissions on the directories:

To remove group writable access:

chmod g-w <dir name>

To remove world writable access:

chmod o-w <dir name>

To remove both group and world writable access:

chmod go-w <dir name>

To change the owner of a directory:

chown <owner> <dir name>

To fully automate the PATH directory permission changes execute the following code as the root user:

echo "/:${PATH}" | tr ':' '
' | grep "^/" | sort -u | while read DIR
do
DIR=${DIR:-$(pwd)}
while [[ -d ${DIR} ]]
do
[[ "$(ls -ld ${DIR})" = @(d???????w? *) ]] &amp;&amp; chmod o-w ${DIR} &amp;&amp; print "Removing world write from ${DIR}"
[[ "$(ls -ld ${DIR})" = @(d????w???? *) ]] &amp;&amp; chmod g-w ${DIR} &amp;&amp; print "Removing group write from ${DIR}"
DIR=${DIR%/*}
done
done

See Also

https://workbench.cisecurity.org/benchmarks/10385

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 68a9e37e582984e9c61a5b8b37c4512843f48bca97ea1873714d9f8b23c7a199