accounts_bad_home_permissions
This built-in function ensures that the home directory of each non-privileged user belongs to the user and that third party users (either belonging to the same group or “everyone”) may not write to it. It is generally recommended that user home directories are set to mode 0755 or stricter (e.g., 0700). This test succeeds if each home directory is configured properly and fails otherwise. Either of the keywords mode
or mask
may be used here to specify desired permission levels for home directories. The mode keyword will accept home directories matching exactly a specified level and the mask keyword will accept home directories that are at the specified level or more secure. If no "mask" tag is found, a default mask of 022 (755) will be applied.
This check can be modified using the following tags:
-
use_valid_shells : [YES | NO] - This reads in shells from /etc/shells and only uses that list against /etc/passwd to determine interactive users
-
ignore_user : “username1 username2” - A space separated list of users to ignore
-
ignore_shell: “shell1 shell2” - A space separated list of shells to ignore.
If third parties can write to the home directory of a user, they can force the user to execute arbitrary commands by tampering with the ~/.profile
, ~/.cshrc
, ~/.bashrc
files.
If files need to be shared among users of the same group, it is usually recommended that a dedicated directory writeable to the group be used, not a user’s home directory.
For any misconfigured home directories, run chmod 0755 <user directory>
and change the ownership accordingly.
To force the check to ignore a directory, use ignore.
Usage
<item>
name: "accounts_bad_home_permissions"
description: "This check reports user accounts that have home directories with incorrect user or group ownerships."
mask: "027"
ignore: "/example/path"
</item>