Title

SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. (Cat II impact)

Discussion

The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Check Content

Verify that SUSE operating system file systems that contain user home directories are mounted with the "nosuid" option. Print the currently active file system mount options of the file system(s) that contain the user home directories with the following command: > for X in `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd`; do findmnt -nkT $X; done | sort -r /home /dev/mapper/system-home ext4 rw,nosuid,relatime,data=ordered If a file system containing user home directories is not mounted with the FSTYPE OPTION nosuid, this is a finding. Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.

Fix Text

Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that contain user home directories for interactive users. Re-mount the filesystems. > sudo mount -o remount /home

Additional Identifiers

Rule ID: SV-234998r622137_rule

Vulnerability ID: V-234998

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.