Rule Check: Home Directory Has No setuid Files
The Home Directory Has No setuid Files check searches the home directory of the specified user or users to verify that the
setuid bit of all files in the directory is cleared. The check fails for any specified user whose home directory contains one or more files whose
setuid bit is set.
(A file whose
setuid bit is set may allow users to execute it with temporarily elevated privileges, and therefore could be a favored target of an attacker.)
The check is indeterminate for any user whose account does not exist, or who has no defined home directory, or whose defined home directory does not actually exist.
Note: The search is recursive, including all subdirectories of the home directory. All files, including device files and fifos, are checked. Symlinks are examined for ownership but their targets are not examined. Information is returned only on files that fail the check, and only on the first 1000 failures in each home directory.
The list of names to check. This is a single account name, or a comma-delimited list of account names (maximum length = 255 characters), or the keyword ALL (must be capitalized - "all" is treated as a username). The UID cannot be used. Wildcards are not supported. Extra spaces are ignored. All usernames are case-sensitive.
Use the NOT operator to specify that all users except the specified ones should be checked.
Some valid examples are:
Some examples that will not work:
|Remedial Suggestion (optional)||