Rule ID
SV-217174r1190812_rule
Version
V3R5
CCIs
If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.
Verify the assigned home directory of all SUSE operating system local interactive users is group-owned by that user's primary GID.
Check the home directory assignment for all nonprivileged users on the system with the following command:
Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/dosuser" is used as an example.
# awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd
250 /home/dosuser
Check the user's primary group with the following command:
# grep users /etc/group
users:x:250:dosuser,doduser,nsauser
If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.Change the group owner of a SUSE operating system local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "dosuser", who has a home directory of "/home/dosuser", and has a primary group of users. # chgrp users /home/dosuser