Other Articles
- Servers – Disable UDF Filesystem
- Servers – Configure /tmp Partition
- Servers – Configure /home Partition
- Servers – Configure /var Partition
- Servers – Configure Shm Partition
- Servers – Enable dm-verity
- Servers – Enforce Authentication for Single User Mode
- Servers – Restrict Core Dump Generation
- Servers – Enable NX Protection
- Servers – Enable Address Space Layout Randomization (ASLR)
- Servers – Configure Message of the Day (MOTD)
- Servers – Configure Local Login Banner
- Servers – Configure Remote Login Banner
- Servers – Configure Message of the Day (MOTD) Permissions
- Servers – Configure Issue Permissions
- Servers – Configure Password Permissions
- Servers – Configure Group Backup Permissions
- Servers – Configure Group Permissions
- Servers – Configure Gshadow Backup Permissions
- Servers – Configure Gshadow Permissions
- Servers – Configure Passwd Backup Permissions
- Servers – Configure Shadow Backup Permissions
- Servers – Configure Shadow Permissions
- Servers – Ensure All Users' Home Directories Exist
- Servers – Ensure No Users Have .forward Files
- Servers – Ensure No Users Have .netrc Files
- Servers – Ensure No Users Have .rhosts Files
- Servers – Ensure Root is the Only UID 0 Account
- Servers – Ensure Root PATH Integrity
- Servers – Remove Legacy '+' Entries from Group
- Servers – Remove Legacy '+' Entries from Passwd
- Servers – Remove Legacy '+' Entries from Shadow
- Servers – Restrict Access to .netrc Files
- Servers – Secure System Accounts
- Servers – Ensure Users Own Their Home Directories
- Servers – Verify Security Of Dot Files
- Servers – Verify Existence of passwd Groups
- Servers – Ensure No Duplicate UIDs Exist
- Servers – Ensure No Duplicate GIDs Exist
- Servers – Ensure No Duplicate User Names Exist
- Servers – Ensure No Duplicate Group Names Exist
- Servers – Ensure Shadow Group Has No Members
- Servers – Ensure Logging is Configured
- Servers – Ensure Journald Compression is Configured
- Servers – Ensure Journald Storage is Configured to Persistent Disk
- Servers – Ensure Permissions on All Logfiles are Configured
- Servers – Verify Time Synchronization with Chrony
- Servers – Ensure Chrony is Configured
- Servers – Ensure X Window System is Not Installed
- Servers – Ensure NFS and RPC Services are Disabled
- Servers – Ensure Rsync Service is Disabled
- Servers – Ensure TCP SYN Cookies is Enabled
- Servers – Ensure IPv6 Default Deny Firewall Policy
- Servers – Ensure IPv6 Loopback Traffic is Configured
- Servers – Ensure IPv6 Outbound and Established Connections are Configured
- Servers – Verify IPv6 Open Ports Rules
- Servers – Ensure Default Deny Firewall Policy is Configured
- Servers – Ensure Loopback Traffic is Configured
- Servers – Ensure Outbound and Established Connections are Configured
- Servers – Ensure Iptables is Installed
- Servers – Ensure Packet Redirect Sending is Disabled
- Servers – Ensure Source Routed Packets are Not Accepted
- Servers – Ensure ICMP Redirects are Not Accepted
- Servers – Ensure Secure ICMP Redirects are Disabled
- Servers – Ensure Suspicious Packets Logging is Enabled
- Servers – Ensure Broadcast ICMP Requests are Ignored
- Servers – Ensure Bogus ICMP Responses are Ignored
- Servers – Ensure Reverse Path Filtering is Enabled
- Servers – Ensure Absence of IPv6 Router Advertisements
- Servers – Ensure SSH SSHD Config Permissions Are Configured
- Servers – Ensure SSH Private Host Key Permissions
- Servers – Ensure SSH Public Host Key Permissions Are Configured
- Servers – Ensure SSH Protocol is Set to 2
- Servers – Ensure SSH LogLevel is Appropriate
- Servers – Ensure SSH X11 Forwarding is Disabled
- Servers – Ensure SSH MaxAuthTries is Set to 4 or Less
- Servers – Ensure SSH IgnoreRhosts is Enabled
- Servers – Ensure SSH HostbasedAuthentication is Disabled
- Servers – Disable SSH Root Login
- Servers – Ensure SSH PermitEmptyPasswords is Disabled
- Servers – Verify SSH Strong Ciphers Strength
- Servers – Verify SSH Strong MAC Algorithms
- Servers – Verify SSH Strong Key Exchange Algorithms
- Servers – Ensure SSH Idle Timeout Interval is Configured
- Servers – Ensure SSH Login Grace Time is Configured
- Servers – Configure SSH Warning Banner
- Servers – Enable SSH PAM Authentication
- Servers – Disable SSH AllowTcpForwarding
- Servers – Configure SSH MaxStartups
- Servers – Verify SSH MaxSessions Configuration
- Servers – Ensure Password Creation Requirements are Configured
- Servers – Ensure Password Reuse is Limited
- Servers – Ensure Password Hashing Algorithm is SHA-512
- Servers – Ensure Password Expiration Days is 365 or Less
- Servers – Ensure Minimum Days Between Password Changes is 7 or More
- Servers – Ensure Password Expiration Warning Days is 7 or More
- Servers – Ensure Inactive Password Lock is 30 Days or Less
- Servers – Ensure All Users Last Password Change Date is in the Past
- Servers – Ensure System Accounts Are Secured
- Servers – Ensure Default Group for Root Account is GID 0
- Servers – Verify Default User Umask
- Servers – Ensure Default User Shell Timeout is 900 Seconds or Less
- Servers – Ensure Root Login is Restricted to System Console
- Servers – Ensure Access to su Command is Restricted
Servers – Ensure Users' Home Directory Permissions are 750 or More Restrictive
Support > Fixing Checks > Server
06 March, 2026
This check ensures that users' home directories have permissions set to 750 or more restrictive.
Improper permissions on user home directories may allow other users on the system to read, modify, or execute files that belong to another user.
Check Details
- Resource: Server
- Check: Verify Home Dirs 750
- Risk: Group or world-writable user home directories may allow malicious users to read or modify another user's files and potentially gain elevated privileges.
Remediation Steps
- Open a terminal session on the server with root or sudo privileges.
-
Run the following script to identify user home directories with insecure permissions.
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | \ awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | \ while read -r user dir; do if [ ! -d "$dir" ]; then echo "The home directory ($dir) of user $user does not exist." else dirperm=$(ls -ld "$dir" | cut -f1 -d" ") if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then echo "Group Write permission set on the home directory ($dir) of user $user" fi if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then echo "Other Read permission set on the home directory ($dir) of user $user" fi if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then echo "Other Write permission set on the home directory ($dir) of user $user" fi if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then echo "Other Execute permission set on the home directory ($dir) of user $user" fi fi done -
If any home directories have insecure permissions, update the permissions to 750 or a more restrictive value.
sudo chmod 750 /home/<username>
Note: Changes to user home directory permissions should be reviewed with users or administrators to prevent unexpected access issues.