You are here: Compliance Check Types > Unix Configuration > Built-In Checks > Permissions Management > accounts_bad_home_permissions


This built-in function ensures that the home directory of each non-privileged user belongs to the user and that third party users (either belonging to the same group or “everyone”) may not write to it. It is generally recommended that user home directories are set to mode 0755 or stricter (e.g., 0700). This test succeeds if each home directory is configured properly and fails otherwise. Either of the keywords modeor maskmay be used here to specify desired permission levels for home directories. The mode keyword will accept home directories matching exactly a specified level and the mask keyword will accept home directories that are at the specified level or more secure.

If third parties can write to the home directory of a user, they can force the user to execute arbitrary commands by tampering with the ~/.profile, ~/.cshrc, ~/.bashrc files.

If files need to be shared among users of the same group, it is usually recommended that a dedicated directory writeable to the group be used, not a user’s home directory.

For any misconfigured home directories, run chmod 0755 <user directory> and change the ownership accordingly.



name: "accounts_bad_home_permissions"

description: "This check reports user accounts that have home directories with incorrect user or group ownerships."


Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.