NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-268181 | ANIX-00-002180 | SV-268181r1039431_rule | CCI-000366 | medium |

Description: Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.

| STIG | Date |
|---|---|
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
Check Text (C-268181r1039431_chk)
Verify that the NixOS operating system sets default file permissions so that users may only modify their own files.
Ensure the following settings are present in the /etc/nixos/configuration.nix file:
{ config, pkgs, lib, ... }:
{
  environment.etc = {
    # Override the login.defs that NixOS generates by default with a restrictive one.
    "login.defs".source = lib.mkForce (pkgs.writeText "login.defs" ''
      DEFAULT_HOME yes
      SYS_UID_MIN 400
      SYS_UID_MAX 999
      UID_MIN 1000
      UID_MAX 29999
      SYS_GID_MIN 400
      SYS_GID_MAX 999
      GID_MIN 1000
      GID_MAX 29999
      TTYGROUP tty
      TTYPERM 0620
      # Ensure privacy for newly created home directories.
      UMASK 077
      # Uncomment this and install chfn SUID to allow nonroot
      # users to change their account GECOS information.
      # This should be made configurable.
      #CHFN_RESTRICT frwh
    '');
  };
}
If the above configuration is not present in the configuration.nix file, this is a finding.
Fix Text (F-72008r1039430_fix)
Configure the NixOS operating system to set default file permissions so that users may only modify their own files.
Add the following Nix code to the NixOS configuration, usually located in /etc/nixos/configuration.nix:
{ config, pkgs, lib, ... }:
{
  environment.etc = {
    # Override the login.defs that NixOS generates by default with a restrictive one.
    "login.defs".source = lib.mkForce (pkgs.writeText "login.defs" ''
      DEFAULT_HOME yes
      SYS_UID_MIN 400
      SYS_UID_MAX 999
      UID_MIN 1000
      UID_MAX 29999
      SYS_GID_MIN 400
      SYS_GID_MAX 999
      GID_MIN 1000
      GID_MAX 29999
      TTYGROUP tty
      TTYPERM 0620
      # Ensure privacy for newly created home directories.
      UMASK 077
      # Uncomment this and install chfn SUID to allow nonroot
      # users to change their account GECOS information.
      # This should be made configurable.
      #CHFN_RESTRICT frwh
    '');
  };
}
Rebuild the NixOS configuration with the following command:
$ sudo nixos-rebuild switch
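The check text inspects configuration.nix, but after the rebuild the effective artifact is the generated /etc/login.defs, so it is worth auditing that file directly. The shell script below is an added example, not part of the STIG or of NixOS: it reads the UMASK value from a login.defs file, flags anything other than 077 as a finding, and shows the mode a new file actually gets under 077 versus 022. It assumes POSIX sh, awk, mktemp, touch and ls, and runs against constructed sample files.

```shell
#!/bin/sh
# Added example, not part of the STIG or of NixOS: audit the generated
# /etc/login.defs for the UMASK this rule requires and show what that umask
# does to a newly created file. Assumes POSIX sh, awk, mktemp, touch and ls.

# Print the active (non-comment) UMASK value in the login.defs at $1;
# if the key appears more than once, the last occurrence is reported.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { print v }' "$1"
}

# Exit 0 when $1 sets UMASK 077 (the value this rule requires), 1 otherwise.
check_umask_077() {
    [ "$(login_defs_umask "$1")" = "077" ]
}

# Create an empty file under umask $1 and print its mode as ls shows it,
# e.g. "-rw-------" for 077 or "-rw-r--r--" for 022. touch is used rather
# than mktemp because mktemp always creates files mode 0600 regardless of umask.
mode_under_umask() {
    dir=$(mktemp -d)
    ( umask "$1"; touch "$dir/probe" )
    ls -l "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}

# Constructed sample: the relevant part of what the rule's Nix snippet writes.
SAMPLE_COMPLIANT=$(mktemp)
cat > "$SAMPLE_COMPLIANT" <<'EOF'
DEFAULT_HOME yes
# Ensure privacy for newly created home directories.
UMASK 077
#CHFN_RESTRICT frwh
EOF

# Constructed sample: a permissive login.defs that would be a finding.
SAMPLE_FINDING=$(mktemp)
printf 'DEFAULT_HOME yes\nUMASK 022\n' > "$SAMPLE_FINDING"

if check_umask_077 "$SAMPLE_COMPLIANT"; then echo "compliant sample: UMASK 077"; fi
if ! check_umask_077 "$SAMPLE_FINDING"; then
    echo "finding: UMASK is $(login_defs_umask "$SAMPLE_FINDING"), expected 077"
fi
echo "new file under umask 077: $(mode_under_umask 077)"
echo "new file under umask 022: $(mode_under_umask 022)"
```

On a rebuilt host, run `check_umask_077 /etc/login.defs` to audit the deployed file rather than the samples.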