#!/usr/bin/env bash{output=""perm_mask='0022'maxperm="$(printf'%o'$((0777&~$perm_mask)))"valid_shells="^($(sed-rn'/^\//{s,/,\\\\/,g;p}'/etc/shells|paste-s-d'|'-))$"awk-vpat="$valid_shells"-F:'$(NF) ~ pat { print $1 " " $(NF-1) }'/etc/passwd|(whileread-ruserhome;dofordfilein$(find"$home"-typef-name'.*');domode=$(stat-L-c'%#a'"$dfile")[$(($mode&$perm_mask))-gt0]&&output="$output\n- User $user file: \"$dfile\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"donedoneif[-n"$output"];thenecho-e"\n- Failed:$output"elseecho-e"\n- Passed:\n- All user home dot files are mode: \"$maxperm\" or more restrictive"fi)}
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site policy.
The following script will remove excessive permissions on dot files within interactive users' home directories.
#!/usr/bin/env bash{perm_mask='0022'valid_shells="^($(sed-rn'/^\//{s,/,\\\\/,g;p}'/etc/shells|paste-s-d'|'-))$"awk-vpat="$valid_shells"-F:'$(NF) ~ pat { print $1 " " $(NF-1) }'/etc/passwd|whileread-ruserhome;dofind"$home"-typef-name'.*'|whileread-rdfile;domode=$(stat-L-c'%#a'"$dfile")if[$(($mode&$perm_mask))-gt0];thenecho-e"\n- Modifying User \"$user\" file: \"$dfile\"\nremoving group and other write permissions"chmodgo-w"$dfile"fidonedone}