mediumfilesystemunverifiedrollback-safe
Ensure world-writable directories are group-owned by a system account
world-writable-dirs-group-owned · RHEL ≥ 8 · 1 impl
Description
All world-writable directories must be group-owned by root, sys, bin, or an application group to prevent unauthorized file creation and manipulation.
Rationale
A world-writable directory group-owned by a non-system group can be exploited by members of that group for privilege escalation or denial-of-service, and weakens the accountability the sticky bit provides.
Check → Remediate
Checkcommand
# World-writable directories group-owned by a non-system group (GID > 999) result=$(find / -xdev -type d -perm -0002 -gid +999 -print 2>/dev/null || true) if [ -n "$result" ]; then echo "FAIL: World-writable directories group-owned by non-system groups:" echo "$result" exit 1 fi echo "OK: All world-writable directories are group-owned by system accounts" exit 0
- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /
- find_type:
- d
- find_args:
- -xdev -perm -0002 -gid +999
- group:
- root
Framework references
STIG
V-230319 / RHEL-08-010710
NIST 800-53
CM-6AC-6
#filesystem#permissions#world-writable#ownership#stig