All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-72025	RHEL-07-020670	SV-86649r1_rule		Medium

Description
If a local interactive user’s files are group-owned by a group of which the user is not a member, unintended users may be able to access them.

STIG	Date
Red Hat Enterprise Linux 7 Security Technical Implementation Guide	2017-07-08

Details

Check Text ( C-72257r1_chk )
Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of. Check the group owner of all files and directories in a local interactive user’s home directory with the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". # ls -lLR /// -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3 If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command: # grep smithj /etc/group sa:x:100:juan,shelley,bob,smithj smithj:x:521:smithj If the user is not a member of a group that group owns file(s) in a local interactive user’s home directory, this is a finding.

Check Text ( C-72257r1_chk )

Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of.

Check the group owner of all files and directories in a local interactive user’s home directory with the following command:

Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".

# ls -lLR ///
-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1
-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2
-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3

If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command:

# grep smithj /etc/group
sa:x:100:juan,shelley,bob,smithj
smithj:x:521:smithj

If the user is not a member of a group that group owns file(s) in a local interactive user’s home directory, this is a finding.

Fix Text (F-78377r1_fix)
Change the group of a local interactive user’s files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user’s files and directories, use the following command: Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. # chgrp users /home/smithj/