← Rules Catalog
mediumfilesystemverified rollback-safe

Ensure local user initialization files have mode 0740 or less permissive

user-init-file-permissions · RHEL ≥ 8 · 1 impl

Description

All local interactive user initialization files (such as .bash_profile, .bashrc, .bash_logout) must have permissions of 0740 or more restrictive.

Rationale

User initialization files control the environment when a user logs in. If these files are world-writable, a local attacker could modify them to execute arbitrary code when the file owner logs in, enabling privilege escalation or persistent access.

Check → Remediate

Checkcommand
fail=0
# Check all local user init files (UID >= 1000)
while IFS=: read -r user _ uid _ _ home _; do
  if [ "$uid" -ge 1000 ] 2>/dev/null && [ -d "$home" ]; then
    for init_file in "$home"/.bash_profile "$home"/.bashrc "$home"/.bash_logout \
                     "$home"/.profile "$home"/.cshrc "$home"/.tcshrc; do
      if [ -f "$init_file" ]; then
        mode=$(stat -c '%a' "$init_file" 2>/dev/null)
        # Check if world-writable (bit 2 of "others" field)
        if [ -n "$mode" ] && [ "$((8#$mode & 2))" -ne 0 ]; then
          echo "FAIL: $init_file has world-writable mode $mode"
          fail=1
        fi
      fi
    done
  fi
done < /etc/passwd
if [ "$fail" -eq 0 ]; then
  echo "OK: All user initialization files have mode 0740 or more restrictive"
  exit 0
fi
exit 1
expected_exit:
0
Remediatefile_permissions
find_paths:
/home
find_type:
f
find_args:
-maxdepth 2 -name '.*' -perm /o+w
mode:
o-w

Framework references

STIG

V-257889 / RHEL-09-232045

NIST 800-53

AC-6CM-6

Live verification

rhel9:check
#permissions#user-accounts#initialization-files#hardening