← Rules Catalog
mediumfilesystemunverifiedrollback-safe

Ensure world-writable directories are group-owned by a system account

world-writable-dirs-group-owned · RHEL ≥ 8 · 1 impl

Description

All world-writable directories must be group-owned by root, sys, bin, or an application group to prevent unauthorized file creation and manipulation.

Rationale

A world-writable directory group-owned by a non-system group can be exploited by members of that group for privilege escalation or denial-of-service, and weakens the accountability the sticky bit provides.

Check → Remediate

Checkcommand
# World-writable directories group-owned by a non-system group (GID > 999)
result=$(find / -xdev -type d -perm -0002 -gid +999 -print 2>/dev/null || true)
if [ -n "$result" ]; then
  echo "FAIL: World-writable directories group-owned by non-system groups:"
  echo "$result"
  exit 1
fi
echo "OK: All world-writable directories are group-owned by system accounts"
exit 0
expected_exit:
0
Remediatefile_permissions
find_paths:
/
find_type:
d
find_args:
-xdev -perm -0002 -gid +999
group:
root

Framework references

STIG

V-230319 / RHEL-08-010710

NIST 800-53

CM-6AC-6
#filesystem#permissions#world-writable#ownership#stig