Skip to content

6.2.12 Ensure local interactive users own their home directories

Audit#

Run the following script to verify local interactive users own their home directories: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
#!/usr/bin/env bash

{
 output=""
 valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
 awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
 owner="$(stat -L -c "%U" "$home")"
 [ "$owner" != "$user" ] && output="$output\n - User \"$user\" home directory \"$home\" is owned by user \"$owner\""
 done
 if [ -z "$output" ]; then
 echo -e "\n-PASSED: - All local interactive users have a home directory\n"
 else
 echo -e "\n- FAILED:\n$output\n"
 fi
 )
}

Remediation#

Change the ownership of any home directories that are not owned by the defined user to the correct user.

The following script will update local interactive user home directories to be own by the user: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
#!/usr/bin/env bash

{
 output=""
 valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
 awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
 owner="$(stat -L -c "%U" "$home")"
 if [ "$owner" != "$user" ]; then
 echo -e "\n- User \"$user\" home directory \"$home\" is owned by user \"$owner\"\n - changing ownership to \"$user\"\n"
 chown "$user" "$home"
 fi
 done
}