Profile Applicability:
Level 1
Description:
World writable files and directories allow any user to modify or write to them, which can lead to unauthorized data modification, privilege escalation, or system compromise.
Rationale:
Securing world writable files and directories reduces the risk of unauthorized access or malicious changes, helping maintain system integrity.
Impact:
Pros:
Protects critical system and user files from unauthorized modifications.
Mitigates risk of privilege escalation via writable files.
Cons:
Restrictive permissions may impact legitimate multi-user workflows if not managed properly.
Default Value:
World writable files and directories may exist due to default application configurations or misconfigurations.
Pre-requisites:
Root or sudo privileges to audit and modify file permissions.
Remediation:
Test Plan:
Using Linux command line:
Find all world writable files:
find / -xdev -type f -perm -0002 -print
Find all world writable directories:
find / -xdev -type d -perm -0002 -print
Review and verify the necessity of these permissions.
Implementation Plan:
Using Linux command line:
Remove world writable permission from files/directories where not needed:
chmod o-w /path/to/file_or_directory
For directories requiring sticky bit (e.g., /tmp), ensure sticky bit is set:
chmod +t /path/to/directory
Document changes and monitor permissions regularly.
Backout Plan:
Using Linux command line:
Restore previous permissions from backups if needed.
Communicate with users if permission changes impact functionality.
References:
CIS Amazon Linux 2 Benchmark v3.0.0