
Ensure that User Home Directories are not Group-Writable or World-Readable

An XCCDF Rule

Description

For each human user of the system, view the permissions of the user's home directory:

# ls -ld /home/USER

Ensure that the directory is not group-writable and that it is not world-readable. If necessary, repair the permissions:

# chmod g-w /home/USER
# chmod o-rwx /home/USER

warning alert: Functionality Warning

This action may involve modifying user home directories. Notify your user community, and solicit input if appropriate, before making this type of change.

warning alert: Warning

This rule is deprecated in favor of the file_permissions_home_directories rule. Please consider replacing this rule in your files, as it is not expected to receive updates as of version 0.1.62.

Rationale

User home directories contain many configuration files which affect the behavior of a user's account. No user should ever have write permission to another user's home directory. Group shared directories can be configured in sub-directories or elsewhere in the filesystem if they are needed. Typically, user home directories should not be world-readable, as it would disclose file names to other users. If a subset of users need read access to one another's home directories, this can be provided using groups or ACLs.

ID
xccdf_org.ssgproject.content_rule_file_permissions_home_dirs
Severity
Medium

Remediation - Shell Script


# Human accounts: UID at or above 1000, excluding the nobody account (UID 65534).
for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
    # Only update the permissions when necessary. This avoids changing the inode timestamp
    # when the permissions are already as expected, so it does not disturb integrity-checking
    # systems that also compare inode timestamps.
    # Mask 7027 matches any of: setuid, setgid, sticky, group-write, or any permission for others.
    find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
done
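The remediation above silently strips the offending bits but gives an auditor nothing to review first. The script below is an added example, not part of this rule or of the SSG project: it reuses the rule's 7027 mask, its UID filter and its chmod invocation, but adds an audit pass that reports each non-compliant home directory before anything is changed, and exercises both passes against a constructed passwd file and temporary directories. The function names, the UID_MIN variable and the fixture data are the example's own, and it assumes a Linux system with GNU stat (`stat -c %a`), find and chmod.

```sh
#!/bin/sh
# Added example (not part of the SSG rule or its remediation content): audit
# the home directories of human users for the same bit mask the remediation
# uses (7027: setuid, setgid, sticky, group-write, any access for others),
# report violations, and optionally repair them. Assumes a Linux system with
# GNU stat (for `stat -c %a`), find and chmod.

# Lowest UID treated as a human account; the remediation hardcodes 1000.
UID_MIN=${UID_MIN:-1000}

# home_mode_ok MODE
#   MODE is an octal permission string as printed by `stat -c %a`, e.g. 750
#   or 2770. Returns 0 when none of the bits in mask 7027 is set, 1 otherwise.
home_mode_ok() {
    [ $(( 0$1 & 07027 )) -eq 0 ]
}

# for_each_human_home PASSWD_FILE CALLBACK
#   Reads a passwd(5)-format file and calls CALLBACK USER HOME for every
#   account with UID >= UID_MIN, skipping the nobody account (UID 65534):
#   the same selection the remediation's awk filter makes. Directories that
#   do not exist are skipped.
for_each_human_home() {
    while IFS=: read -r user _pw uid _gid _gecos home _shell; do
        [ -n "$uid" ] || continue
        [ "$uid" -ge "$UID_MIN" ] && [ "$uid" -ne 65534 ] || continue
        [ -d "$home" ] || continue
        "$2" "$user" "$home"
    done < "$1"
}

# audit_homes PASSWD_FILE
#   Prints "USER HOME MODE" for each non-compliant home directory.
#   Returns 0 if every directory complies, 1 if at least one does not.
audit_homes() {
    _violations=0
    _report_one() {
        mode=$(stat -c %a "$2")
        if ! home_mode_ok "$mode"; then
            printf '%s %s %s\n' "$1" "$2" "$mode"
            _violations=$((_violations + 1))
        fi
    }
    for_each_human_home "$1" _report_one
    [ "$_violations" -eq 0 ]
}

# fix_homes PASSWD_FILE
#   Applies the remediation's chmod only to directories that need it, so
#   compliant directories keep their inode change time.
fix_homes() {
    _fix_one() {
        find "$2" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
    }
    for_each_human_home "$1" _fix_one
}

# make_fixture DIR
#   Constructed test data (hypothetical users): a fake passwd file and three
#   home directories under DIR with modes 0750 (compliant), 0775
#   (group-writable) and 0755 (world-readable). Prints the passwd path.
make_fixture() {
    for u in alice bob carol; do mkdir -p "$1/$u"; done
    chmod 0750 "$1/alice"
    chmod 0775 "$1/bob"
    chmod 0755 "$1/carol"
    cat > "$1/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::$1/alice:/bin/bash
bob:x:1001:1001::$1/bob:/bin/bash
carol:x:1002:1002::$1/carol:/bin/bash
nobody:x:65534:65534:nobody:$1/nobody:/usr/sbin/nologin
EOF
    printf '%s\n' "$1/passwd"
}

# Demo run against the constructed fixture. On a real system you would
# instead call `audit_homes /etc/passwd` and, as root, `fix_homes /etc/passwd`.
demo_dir=$(mktemp -d)
demo_passwd=$(make_fixture "$demo_dir")
audit_homes "$demo_passwd" || fix_homes "$demo_passwd"
audit_homes "$demo_passwd" && echo "all home directories compliant"
rm -rf "$demo_dir"
```

Run the audit first and review its output with the affected users (the Functionality Warning above applies), then run the fix pass; the audit loop reads the passwd file directly rather than through a pipeline so the violation counter survives without a subshell, and the fix pass keeps the remediation's `find -perm /7027` guard so compliant directories are never touched.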

Remediation - Ansible

- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - CCE-83638-7