6.1.10 Ensure no world writable files exist (Scored)

Level 1 - Server
Level 1 - Workstation 

Unix-based systems support variable settings to control access to files. World writable files are the least secure. See the chmod(2) man page for more information.

Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity.

Run the following command and verify no files are returned:

# df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002

The command above only searches local filesystems, there may still be compromised items on network mounted partitions. Additionally the –local option to df is not universal to all versions, it can be omitted to search all filesystems on a system including network mounted filesystems or the following command can be run manually for each partition:

# find <partition> -xdev -type f -perm -0002

Removing write access for the “other” category (chmod o-w <filename>) is advisable, but always consult relevant vendor documentation to avoid breaking any application dependencies on a given file.

  • ubuntu1604/6/1/10.txt
  • Last modified: 2017/05/04 14:08
  • by