highaccess-controlverified ✓
Ensure group root is the only GID 0 group
root-group-only-gid0 · RHEL ≥ 8 · 1 impl
Description
Only the root group should have GID 0. No other groups should be assigned this privileged group ID.
Rationale
Multiple groups with GID 0 could lead to confusion about permissions and unintended privilege escalation.
Check → Remediate
Checkcommand
# Find groups with GID 0 that are not root
gid0_groups=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/group)
if [ -n "$gid0_groups" ]; then
echo "FAIL: Non-root groups with GID 0: $gid0_groups"
exit 1
fi
echo "OK: Only root group has GID 0"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Remove or reassign GID for groups with GID 0 that are not root
Framework references
CIS
rhel9 5.4.2.3rhel10 5.4.2.3rhel8 5.4.2.3
NIST 800-53
AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#root#gid#groups#privilege