mediumfilesystemverified ✓rollback-safe
Ensure local user initialization files have mode 0740 or less permissive
user-init-file-permissions · RHEL ≥ 8 · 1 impl
Description
All local interactive user initialization files (such as .bash_profile, .bashrc, .bash_logout) must have permissions of 0740 or more restrictive.
Rationale
User initialization files control the environment when a user logs in. If these files are world-writable, a local attacker could modify them to execute arbitrary code when the file owner logs in, enabling privilege escalation or persistent access.
Check → Remediate
Checkcommand
fail=0
# Check all local user init files (UID >= 1000)
while IFS=: read -r user _ uid _ _ home _; do
if [ "$uid" -ge 1000 ] 2>/dev/null && [ -d "$home" ]; then
for init_file in "$home"/.bash_profile "$home"/.bashrc "$home"/.bash_logout \
"$home"/.profile "$home"/.cshrc "$home"/.tcshrc; do
if [ -f "$init_file" ]; then
mode=$(stat -c '%a' "$init_file" 2>/dev/null)
# Check if world-writable (bit 2 of "others" field)
if [ -n "$mode" ] && [ "$((8#$mode & 2))" -ne 0 ]; then
echo "FAIL: $init_file has world-writable mode $mode"
fail=1
fi
fi
done
fi
done < /etc/passwd
if [ "$fail" -eq 0 ]; then
echo "OK: All user initialization files have mode 0740 or more restrictive"
exit 0
fi
exit 1
- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /home
- find_type:
- f
- find_args:
- -maxdepth 2 -name '.*' -perm /o+w
- mode:
- o-w
Framework references
STIG
V-257889 / RHEL-09-232045
NIST 800-53
AC-6CM-6
Live verification
rhel9:check
#permissions#user-accounts#initialization-files#hardening