mediumaccess-controlunverified
Ensure local interactive user init files have mode 0740 or less permissive
user-init-files-mode-0740 · RHEL ≥ 8 · 1 impl
Description
All local interactive user initialization files (.bashrc, .bash_profile, .bash_logout, .profile, .cshrc, .tcshrc, .login, .kshrc) must have mode 0740 or more restrictive — no group write/execute and no access for others.
Rationale
A user initialization file that is group- or world-writable (or executable by others) can be altered to run attacker-controlled commands when the owner logs in, enabling privilege escalation or persistence.
Check → Remediate
Checkcommand
fail=0
while IFS=: read -r user _ uid _ _ home shell; do
[ "$uid" -ge 1000 ] 2>/dev/null || continue
[ "$uid" -lt 65534 ] 2>/dev/null || continue # exclude nobody (home=/)
case "$shell" in */nologin|*/false|"") continue ;; esac
[ -d "$home" ] || continue
for f in "$home"/.bashrc "$home"/.bash_profile "$home"/.bash_logout \
"$home"/.profile "$home"/.cshrc "$home"/.tcshrc \
"$home"/.login "$home"/.kshrc; do
[ -f "$f" ] || continue
mode=$(stat -c '%a' "$f" 2>/dev/null)
[ -n "$mode" ] || continue
# More permissive than 0740 == any of group-w/x or any other bit set.
if [ "$(( 0$mode & 037 ))" -ne 0 ]; then
echo "FAIL: $f has mode $mode (must be 0740 or less permissive)"
fail=1
fi
done
done < /etc/passwd
if [ "$fail" -eq 0 ]; then
echo "OK: all user init files are mode 0740 or more restrictive"
exit 0
fi
exit 1
- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /home
- find_type:
- f
- find_args:
- -maxdepth 2 \( -name '.bashrc' -o -name '.bash_profile' -o -name '.bash_logout' -o -name '.profile' -o -name '.cshrc' -o -name '.tcshrc' -o -name '.login' -o -name '.kshrc' \) -perm /037
- mode:
- 0740
Framework references
STIG
V-281064 / RHEL-10-400235V-230325 / RHEL-08-010770
NIST 800-53
CM-6AC-6
#permissions#user-accounts#initialization-files#hardening#stig