All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!


Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command:

$ sudo chmod 0750 /home/USER


Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.


Shell script

The following script can be run on the host to remediate the issue.


for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534 && $6 != "/") print $6 }' /etc/passwd); do
    # Only update the permissions when necessary. This will avoid changing the inode timestamp when
    # the permission is already defined as expected, therefore not impacting in possible integrity
    # check systems that also check inodes timestamps.
    find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Get all local users from /etc/passwd
    database: passwd
    split: ':'
  - file_permissions_home_directories
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Create local_users variable from the getent output
    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
  - file_permissions_home_directories
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Test for existence home directories to avoid creating them.
    path: '{{ item.value[4] }}'
  register: path_exists
  loop: '{{ local_users }}'
  - item.value[1]|int >= 1000
  - item.value[1]|int != 65534
  - item.value[4] != "/"
  - file_permissions_home_directories
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure interactive local users have proper permissions on their respective
    home directories
    path: '{{ item.0.value[4] }}'
    mode: u-s,g-w-s,o=-
    follow: false
    recurse: false
  loop: '{{ local_users|zip(path_exists.results)|list }}'
  when: item.1.stat is defined and item.1.stat.exists
  - file_permissions_home_directories
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
PREVIEWING: dgreen15/github-error-fix