Hi!

While applying STIGs to a RHEL7 system, I needed to verify permissions on every file & folder inside each user’s home directory. Finding ID V-204473 states “The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.” If any files are found with a mode more permissive than 0750, this is a finding.

Unfortunately, the Check Text only describes a manual verification and a manual fix. Home directories can contain a ton of files, so checking by hand is not an option. I wrote bash scripts for both the check and the fix.

#!/bin/bash
# V-204473: every file and directory inside a local interactive user's home
# directory must be mode 0750 or less permissive.  Lists each offender with its
# current mode, then strips the excess bits.

if [ "$EUID" -ne 0 ]; then
    echo "Please run as superuser." >&2
    exit 1
fi

for D in /home/*/; do
   [ -d "$D" ] || continue

   # -perm /027 selects anything with group-write or any other-class bit set.
   # Dotfiles (initialization files) are left to V-204476.  -print0 together
   # with read -d '' keeps paths containing spaces intact, which parsing the
   # output of ls does not.
   find "$D" \( -type d -o -type f \) -not -name '.*' -perm /027 -print0 | \
   while IFS= read -r -d '' f; do
      printf '%s  %s\n' "$(stat -c %a -- "$f")" "$f"
      chmod o-rwx,g-w -- "$f"
   done
done

echo -e "\nDone setting file permissions.\n\n"

The gist of the script is to search each home directory with a permission mask of 027. With -perm /027, find selects an entry if any bit of the mask is set in its mode: the group write bit (the w in the middle triple of rwxrwxrwx) or any bit in the other class (the last triple). A mode of 0750 or tighter has none of those bits set and is left alone. Dotfiles are skipped here because the initialization files are covered separately by V-204476. The matches are emitted NUL-terminated and read back with read -d '', so a path containing spaces survives intact. For each hit the script prints the current mode (stat -c %a) and the path, then removes the excess permissions with chmod o-rwx,g-w, which caps the entry at 0750 without touching the owner bits. One caveat: the STIG talks about local interactive users' home directories, which are not necessarily all under /home; a user whose home directory (the sixth field of /etc/passwd) lives elsewhere is not visited by this loop.

V-204476 is very similar, but it covers the local initialization files (the dotfiles skipped above) and requires a mode of 0740 or less permissive. The mask therefore becomes 037, which also catches the group execute bit, and the chmod strips group execute as well.

#!/bin/bash
# V-204476: local initialization files (dotfiles in the home directory) must be
# mode 0740 or less permissive.  Mask 037 also catches group execute, and the
# chmod strips it accordingly.

if [ "$EUID" -ne 0 ]; then
    echo "Please run as superuser." >&2
    exit 1
fi

for D in /home/*/; do
   [ -d "$D" ] || continue

   find "$D" -type f -name '.*' -perm /037 -print0 | \
   while IFS= read -r -d '' f; do
      printf '%s  %s\n' "$(stat -c %a -- "$f")" "$f"
      chmod o-rwx,g-wx -- "$f"
   done
done

echo -e "\nDone setting file permissions.\n\n"
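To see the two masks do their work without touching a real system, here is an added example (my code, not the post's scripts) that builds a throwaway "home directory" with files of known modes, shows which entries the 027 mask (V-204473, cap 0750) and the 037 mask (V-204476, cap 0740) select, and then applies the same chmod clauses the scripts above use. It assumes GNU find, stat and chmod as shipped with RHEL 7; every file name in the sandbox is constructed for the demo.

```bash
#!/bin/bash
# Added example, not part of the original post.  Assumes GNU find/stat/chmod.
# All sandbox file names below are constructed for the demonstration.

# The arithmetic behind "-perm /MASK": a mode is a finding when any bit of the
# mask is set in it.  Leading zeros make the shell read both values as octal.
# Returns 0 (true) for a finding.  027 is the mask for "0750 or less
# permissive", 037 the mask for "0740 or less permissive".
mode_is_finding() {
  local mode=$1 mask=$2
  [ $(( 0$mode & 0$mask )) -ne 0 ]
}

# Create the sandbox home directory and print its path.
# Comments give the expected verdict for each entry.
make_sandbox() {
  local home
  home=$(mktemp -d) || return 1
  mkdir "$home/bin"                  && chmod 0750 "$home/bin"                  # compliant
  touch "$home/bin/script.sh"        && chmod 0755 "$home/bin/script.sh"        # other r-x: finding
  touch "$home/notes with space.txt" && chmod 0640 "$home/notes with space.txt" # compliant, awkward name
  touch "$home/shared.txt"           && chmod 0770 "$home/shared.txt"           # group w: finding
  touch "$home/report.txt"           && chmod 0750 "$home/report.txt"           # compliant under 0750
  touch "$home/.bashrc"              && chmod 0750 "$home/.bashrc"              # init file, 0750 > 0740: finding
  touch "$home/.profile"             && chmod 0740 "$home/.profile"             # compliant init file
  printf '%s\n' "$home"
}

# Shared find expression.  $1 home, $2 mask, $3 scope: "visible" skips dotfiles
# (V-204473), "hidden" selects only dotfiles (V-204476).  Remaining arguments
# are the find action to run on each match.
select_findings() {
  local home=$1 mask=$2 scope=$3
  shift 3
  if [ "$scope" = hidden ]; then
    find "$home" -mindepth 1 \( -type f -o -type d \) -name '.*' -perm "/$mask" "$@"
  else
    find "$home" -mindepth 1 \( -type f -o -type d \) -not -name '.*' -perm "/$mask" "$@"
  fi
}

# List "<octal mode> <path relative to home>" for every finding, sorted.
find_findings() {
  select_findings "$1" "$2" "$3" -printf '%m %P\n' | sort
}

# Strip the excess bits from every finding.  $4 is the chmod clause:
# "o-rwx,g-w" caps at 0750, "o-rwx,g-wx" caps at 0740.  NUL-delimited paths
# survive spaces and newlines, which parsing the output of ls does not.
fix_findings() {
  select_findings "$1" "$2" "$3" -print0 |
  while IFS= read -r -d '' f; do
    chmod "$4" -- "$f"
  done
}

# Demo run against a constructed sandbox, removed afterwards.
SANDBOX=$(make_sandbox)
echo "V-204473 findings (visible entries more permissive than 0750):"
find_findings "$SANDBOX" 027 visible
echo "V-204476 findings (initialization files more permissive than 0740):"
find_findings "$SANDBOX" 037 hidden
fix_findings "$SANDBOX" 027 visible o-rwx,g-w
fix_findings "$SANDBOX" 037 hidden  o-rwx,g-wx
echo "Remaining findings after the fix (expect none):"
find_findings "$SANDBOX" 027 visible
find_findings "$SANDBOX" 037 hidden
rm -rf "$SANDBOX"
```

Pointed at /home/*/ instead of the sandbox, select_findings is exactly what the two scripts run. Note the slash in -perm /027: GNU find treats -perm -027 (dash) as "all of these bits must be set", which would only catch a file that is group-writable and world-rwx at the same time, whereas -perm /027 matches if any one of the bits is set, which is what the STIG requires.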

Questions, comments, and pull requests are encouraged at Github or in the comments below.