{"description": "When the so-called 'sticky bit' is set on a directory, only the owner of a given file may\nremove that file from the directory. Without the sticky bit, any user with write access to a\ndirectory may remove any file in the directory. Setting the sticky bit prevents users from\nremoving each other's files. In cases where there is no reason for a directory to be\nworld-writable, a better solution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application, consult that application's\ndocumentation instead of blindly changing modes.\n<br />\nTo set the sticky bit on a world-writable directory <i>DIR</i>, run the following command:\n<pre>$ sudo chmod +t <i>DIR</i></pre>", "rationale": "Failing to set the sticky bit on public directories allows unauthorized users to delete files\nin the directory structure.\n<br /><br />\nThe only authorized public directories are those temporary directories supplied with the\nsystem, or those designed to be temporary file repositories. The setting is normally reserved\nfor directories used by the system, by users for temporary file storage (such as <tt>/tmp</tt>),\nand for directories requiring global read/write access.", "severity": "medium", "references": {"cis-csc": ["12", "13", "14", "15", "16", "18", "3", "5"], "cobit5": ["APO01.06", "DSS05.04", "DSS05.07", "DSS06.02"], "isa-62443-2009": ["4.3.3.7.3"], "isa-62443-2013": ["SR 2.1", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-6(a)", "AC-6(1)"], "nist-csf": ["PR.AC-4", "PR.DS-5"], "srg": ["SRG-OS-000138-GPOS-00069"], "anssi": ["R54"], "ism": ["1409"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-232145"], "stigref": ["SV-260513r958524_rule"]}, "control_references": {"anssi": ["R54"], "ism": ["1409"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-232145"]}, "components": [], "identifiers": {}, "ocil_clause": "any world-writable directories are missing the sticky bit", "ocil": "To find world-writable directories that lack the sticky bit, run the following command:\n<pre>$ sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null</pre>\nfixtext: |-\nConfigure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.\n\nSet the sticky bit on all world-writable directories using the command, replace \"[World-Writable Directory]\" with any directory path missing the sticky bit:\n\n$ chmod a+t [World-Writable Directory]\nsrg_requirement:\nA sticky bit must be set on all Ubuntu 22.04 public directories to prevent unauthorized and unintended information transferred via shared system resources.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule can take a long time to perform the check and might consume a considerable\namount of resources depending on the number of directories present on the system. It is\nnot a problem in most cases, but especially systems with a large number of directories can\nbe affected. See <code>https://access.redhat.com/articles/6999111</code>."}, {"general": "Please note that there might be cases where the rule remediation cannot fix directory permissions.\nThis can happen for example when running on a system with some immutable parts.\nThese immutable parts cannot be remediated because they are read-only.\nExample of such directories can be OStree deployments located at <tt>/sysroot/ostree/deploy</tt>.\nIn such case, it is needed to make modifications to the underlying ostree snapshot and this is out of scope of regular rule remediation."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "A sticky bit must be set on all Ubuntu 22.04 public directories.", "vuldiscussion": "Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.", "checktext": "Verify that all world-writable directories have the sticky bit set.\n\nDetermine if all world-writable directories have the sticky bit set by running the following command:\n\n$ sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2&gt;/dev/null\n\ndrwxrwxrwt 7 root root 4096 Jul 26 11:19 /tmp\n\nIf any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.", "fixtext": "Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.\n\nSet the sticky bit on all world-writable directories using the command, replace \"[World-Writable Directory]\" with any directory path missing the sticky bit:\n\n$ chmod a+t [World-Writable Directory]"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify that All World-Writable Directories Have Sticky Bits Set", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml", "template": null}