2.17 Set Sticky Bit on All World-Writable Directories

Information

Setting the sticky bit on world-writable directories prevents users from deleting or
renaming files in that directory that they do not own.

Rationale

This feature prevents a user from deleting or renaming files in world-writable directories
(such as /tmp) that are owned by another user.

Solution

# df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
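The remediation one-liner above changes permissions without first reporting what it found. The following POSIX shell script is an added example, not part of the CIS benchmark or the Tenable audit item, that separates the audit step (list world-writable directories that lack the sticky bit) from the fix step, and uses -print0/-0 so that directory names containing whitespace survive the pipeline. The function names and the sandbox directory tree built by demo are constructed for this example; the find predicates (-perm -0002 for world-writable, -perm -1000 for the sticky bit) and chmod a+t are standard.

```shell
#!/bin/sh
# Added example (not the benchmark's own code): audit and remediate
# world-writable directories that are missing the sticky bit.

# list_unsticky_ww_dirs ROOT...
# Print every directory under the given roots that is world-writable (o+w)
# but does not have the sticky bit (o+t) set, one per line. This is the
# audit half of the control: it only reports.
list_unsticky_ww_dirs() {
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# count_unsticky_ww_dirs ROOT...
# Number of findings; 0 means the given roots are compliant.
count_unsticky_ww_dirs() {
    list_unsticky_ww_dirs "$@" | wc -l | tr -d ' '
}

# fix_unsticky_ww_dirs ROOT...
# Set the sticky bit on each finding. -print0 / xargs -0 keep paths that
# contain spaces or newlines intact; -r skips chmod when there is nothing
# to fix (GNU xargs).
fix_unsticky_ww_dirs() {
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 -print0 2>/dev/null \
        | xargs -0 -r chmod a+t
}

# local_mounts
# The mount points the benchmark command iterates over (GNU df).
local_mounts() {
    df --local -P | awk 'NR != 1 { print $6 }'
}

# audit_local_mounts
# Run the audit over every local filesystem, as the benchmark check does.
audit_local_mounts() {
    local_mounts | while IFS= read -r mnt; do
        list_unsticky_ww_dirs "$mnt"
    done
}

# demo: constructed sandbox with one non-compliant and one compliant directory.
demo() {
    sandbox=$(mktemp -d)
    mkdir -p "$sandbox/shared scratch" "$sandbox/ok"
    chmod 0777 "$sandbox/shared scratch"   # world-writable, no sticky bit
    chmod 1777 "$sandbox/ok"               # world-writable with sticky bit
    echo "Before: $(count_unsticky_ww_dirs "$sandbox") non-compliant directory(ies)"
    list_unsticky_ww_dirs "$sandbox"
    fix_unsticky_ww_dirs "$sandbox"
    echo "After: $(count_unsticky_ww_dirs "$sandbox") non-compliant directory(ies)"
    rm -rf "$sandbox"
}

demo
```

On a real host, run audit_local_mounts first and review the list before calling fix_unsticky_ww_dirs on the same mount points; a directory that is world-writable by design but not meant to be shared (an application spool, for instance) is usually a sign that its mode should be tightened rather than just given the sticky bit.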

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: bd5ea1c40c95b3b7922ec3ab09f08b88fe02aacd74f160bad92bb40321614e87