
world/group writable files: can we 'chmod g-w & o-w' on them?

sunhux asked
Last Modified: 2019-11-18
During hardening, I found the following group- or world-writable files.
Any harm if I do 'chmod g-w' or 'chmod o-w' on them:

-rw-rw-r--. 1 root utmp 1920 Nov 15 15:26 /run/utmp
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/member
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/user
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/relabel
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/create
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/access
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/context
--w--w--w-. 1 root root 0 Nov 12 22:18 /sys/fs/cgroup/blkio/docker/09445bf1ebac906fb92c97d9140a42710796b2dd34bb3474c71794b131f4741b/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/blkio/docker/e760f8367ab29e50ea04629d2d1466013a0d19510052470e0617bb169993e652/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/5370fc625a376632a22e470e0d490e11a1e10ce7b142d87f5854ea258a2a5567/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/cadac22712699622cc1554a6ced7f662fdc8dd62b5793516096dea0f9d268548/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/ffd11120a3e494232e67bb4517bcf358c5d2e1690935455b37db9bcd169e9320/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/0d93b13bbc417a4d59cc89c5e28160217c844d702f80ea29bb7740df86e1ef3d/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/mesos/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/mesos_executors.slice/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/user.slice/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 15 15:27 /sys/fs/cgroup/blkio/system.slice/run-user-0.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 12 22:19 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-overlay2-bf894f72eb2faf348d9cf074a3fbbe5ab378ff95ddb4e3d5759eb7e144b4285f-merged.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 12 22:19 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-containers-09445bf1ebac906fb92c97d9140a42710796b2dd34bb3474c71794b131f4741b-shm.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 12 22:19 /sys/fs/cgroup/blkio/system.slice/run-docker-netns-fb501e0b0651.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 12 10:25 /sys/fs/cgroup/blkio/system.slice/var-log-audit.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 12 10:14 /sys/fs/cgroup/blkio/system.slice/var-log.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 12 10:10 /sys/fs/cgroup/blkio/system.slice/var-tmp.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/blkio/system.slice/run-docker-netns-b0c9440d4be8.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-overlay2-424d15fc77428fdfc1b84bbe8caf2c4cfa19ba9a4229c1e8e9830319a5e7f224-merged.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-containers-e760f8367ab29e50ea04629d2d1466013a0d19510052470e0617bb169993e652-shm.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/run-docker-netns-default.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/run-docker-netns-feb6469a62dc.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/run-docker-netns-2851cdc4c6fa.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-containers-5370fc625a376632a22e470e0d490e11a1e10ce7b142d87f5854ea258a2a5567-shm.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-containers-cadac22712699622cc1554a6ced7f662fdc8dd62b5793516096dea0f9d268548-shm.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-overlay2-33d6d62a68881783e039d3bf4d9c07d6a958795b163113de53e7a1e8409fa10c-merged.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-overlay2-18f4b1674dddad9fe2c6a395be33a5cdbb52898ff5e1fccac003724031526327-merged.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-overlay2-4c058e10aeff153db2e8c81dd8812cf739ead0a5113c95c6f2c8acec0792577b-merged.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/run-docker-netns-94af6ef640b5.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-containers-ffd11120a3e494232e67bb4517bcf358c5d2e1690935455b37db9bcd169e9320-shm.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-containers-0d93b13bbc417a4d59cc89c5e28160217c844d702f80ea29bb7740df86e1ef3d-shm.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-overlay2-8e227b8c5cd63b9350aea6492a1fcb8e4b7a692b8145511668c1e5285ff988aa-merged.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/dcos-diagnostics.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/dcos-telegraf.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/dcos-adminrouter-agent.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/system.slice/dcos-mesos-slave.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:04 /sys/fs/cgroup/blkio/system.slice/dcos-net.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:04 /sys/fs/cgroup/blkio/system.slice/dcos-log-agent.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:48 /sys/fs/cgroup/blkio/system.slice/ntpd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:48 /sys/fs/cgroup/blkio/system.slice/kdump.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:48 /sys/fs/cgroup/blkio/system.slice/dcos-net-watchdog.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/docker-telemetry.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-overlay2.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/var-lib-docker-plugins.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-user-sessions.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/crond.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/filebeat.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rhnsd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rpc-statd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/network.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/docker.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/efs.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rsyslog.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/tuned.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/sshd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rhsmcertd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/NetworkManager-wait-online.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rhel-dmesg.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/vmtoolsd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/gssproxy.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/polkit.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/irqbalance.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dcos-checks-api.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/NetworkManager.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dbus.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-logind.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/vgauthd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dcos-pkgpanda-api.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dcos-rexray.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-update-utmp.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rpcbind.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-tmpfiles-setup.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/var-lib-nfs-rpc_pipefs.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/auditd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rhel-import-state.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-random-seed.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-journal-flush.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dev-disk-by\x2did-dm\x2dname\x2drhel\x2dswap.swap/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dev-rhel-swap.swap/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dev-dm\x2d1.swap/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dev-disk-by\x2did-dm\x2duuid\x2dLVM\x2dudo1d1CJlDpTqRF61Z2fz7TxlvA7LQcf81PF0QcBTwZTjel1ET6mQmjAWmVgYCay.swap/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dev-disk-by\x2duuid-8a74413a\x2daf45\x2d49bb\x2da4a0\x2d1e3483484f65.swap/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/home.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/var.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/tmp.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dev-mapper-rhel\x2dswap.swap/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/lvm2-monitor.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/boot.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-udev-trigger.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/system-lvm2\x2dpvscan.slice/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-udevd.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rhel-readonly.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-remount-fs.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/kmod-static-nodes.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-sysctl.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/rhel-domainname.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/lvm2-lvmetad.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/-.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/sys-kernel-config.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-fsck-root.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-vconsole-setup.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/system-getty.slice/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dev-mqueue.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/sys-kernel-debug.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/dev-hugepages.mount/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/system-selinux\x2dpolicy\x2dmigrate\x2dlocal\x2dchanges.slice/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/systemd-journald.service/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/system.slice/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 12 22:18 /sys/fs/cgroup/hugetlb/docker/09445bf1ebac906fb92c97d9140a42710796b2dd34bb3474c71794b131f4741b/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/hugetlb/docker/e760f8367ab29e50ea04629d2d1466013a0d19510052470e0617bb169993e652/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/hugetlb/docker/5370fc625a376632a22e470e0d490e11a1e10ce7b142d87f5854ea258a2a5567/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/hugetlb/docker/cadac22712699622cc1554a6ced7f662fdc8dd62b5793516096dea0f9d268548/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/hugetlb/docker/ffd11120a3e494232e67bb4517bcf358c5d2e1690935455b37db9bcd169e9320/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/hugetlb/docker/0d93b13bbc417a4d59cc89c5e28160217c844d702f80ea29bb7740df86e1ef3d/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/hugetlb/docker/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/hugetlb/mesos/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/hugetlb/cgroup.event_control

Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Note: If you touch any of this, you will break whatever you touch beyond all function.

Hardening scripts tend to be either completely brain dead or have no clue about slightly odd code running on a system.

In other words, it appears your script simply has no clue about all the above filesystems.

All the above filesystems' permissions must remain exactly as they're defined, if you expect all related code to function properly.

This likely means you'll create a Site Policy per your script's docs to whitelist all these filesystems as acceptable exceptions.
noci, Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
/sys is handled by the kernel DIRECTLY (it's a visual representation of internal kernel structures). Those special filesystem drivers often implement their own access control checks, where the access bits either have a different meaning (see man pages or other documentation on them), have no meaning, or may have the original meaning.
It is NOT a regular filesystem; it is handled by sysfs. Other special ones, or ones with special meaning: /dev (devtmpfs), /dev/pts (devpts), /proc (proc), /sys/fs/cgroup (cgroup), /sys/fs/selinux (selinuxfs), /sys/fs/fuse/connections (fusectl), /sys/firmware/efi/efivars (efivars), /proc/sys/fs/binfmt_misc (binfmt_misc), /dev/shm (tmpfs), /sys/kernel/debugfs (debugfs), /dev/mqueue (mqueue).

Be careful with those.
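The two answers above amount to one recommendation: do not chmod entries on kernel pseudo-filesystems, and instead whitelist them as exceptions in the hardening tool. The script below is an added example, not code from the thread or from any hardening product, showing how to triage a finding list like the one in the question. It classifies each path as a WHITELIST candidate (under the /sys, /proc and /dev mount points that noci lists, an assumed standard layout) or as REVIEW (a real filesystem, to be judged on its own), and it shows how to restrict the scan itself to disk-backed mounts so pseudo-filesystems never appear in the findings. The `live_fstype` and `scan_real_filesystems` helpers only make sense on the audited Linux host; the classification functions work on any input.

```shell
#!/bin/sh
# Added example (not from the thread): triage "group/world writable" findings
# from a hardening scan. Paths on kernel pseudo-filesystems are reported as
# whitelist candidates instead of chmod targets; everything else gets REVIEW.

# Mount-point prefixes of the pseudo-filesystems named in the thread.
# Assumption: the host uses the standard /sys, /proc and /dev mount points.
PSEUDO_FS_PREFIXES="/sys /proc /dev"

# is_pseudo_fs_path PATH -> exit 0 if PATH is a pseudo-fs mount point or
# lies below one. The case pattern enforces a path-component boundary, so
# /sysconfig is NOT matched by the /sys prefix.
is_pseudo_fs_path() {
    p=$1
    for prefix in $PSEUDO_FS_PREFIXES; do
        case "$p" in
            "$prefix"|"$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# classify_path PATH -> prints WHITELIST or REVIEW.
classify_path() {
    if is_pseudo_fs_path "$1"; then
        echo WHITELIST
    else
        echo REVIEW
    fi
}

# live_fstype PATH -> filesystem type name as reported by the kernel
# (GNU coreutils stat). On the audited host this confirms the prefix guess,
# e.g. "sysfs", "cgroupfs", "selinuxfs" versus "xfs" or "ext2/ext3".
live_fstype() {
    stat -f -c %T "$1" 2>/dev/null
}

# triage_listing reads `ls -l`-style lines (the format in the question) on
# stdin and prints "<verdict> <path>" per line. The path is everything after
# the eight fixed columns, so paths containing spaces survive intact.
triage_listing() {
    while read -r mode links owner group size mon day time path; do
        [ -n "$path" ] || continue
        echo "$(classify_path "$path") $path"
    done
}

# scan_real_filesystems runs the writable-file check only on persistent,
# disk-backed mounts (ext2/3/4, xfs, btrfs), so sysfs, proc, cgroup and
# friends never show up as findings in the first place.
# Assumption: Linux with /proc/mounts; extend the type list for your platform.
scan_real_filesystems() {
    awk '$3 ~ /^(ext[234]|xfs|btrfs)$/ { print $2 }' /proc/mounts |
    while read -r mnt; do
        find "$mnt" -xdev -type f \( -perm -0002 -o -perm -0020 \) 2>/dev/null
    done
}

# Constructed sample input, copied from the shape of the question's listing.
SAMPLE_LISTING='-rw-rw-r--. 1 root utmp 1920 Nov 15 15:26 /run/utmp
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/member
--w--w--w-. 1 root root 0 Nov  8 20:47 /sys/fs/cgroup/blkio/cgroup.event_control'

# Usage: feed the scan output (or a saved listing) through triage_listing.
#   scan_real_filesystems | awk '{print "- 1 r r 0 x x x " $0}' | triage_listing
# Running on the constructed sample:
printf '%s\n' "$SAMPLE_LISTING" | triage_listing
```

Everything the triage marks WHITELIST belongs in the hardening tool's exception policy, as the first answer suggests; `/run/utmp` lands in REVIEW because it is a regular file on a tmpfs mount rather than a kernel-owned pseudo-filesystem entry, and the thread gives no verdict on it, so it is left to the administrator.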
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Please note any system hardening, network hardening, or firewall recommendations are just that: recommendations. These are not things set in stone where you have to follow each suggestion.

All these recommendations are based on best practices, but the listing of /sys in this example suggests that the hardening tool you are using is not specific to the environment you have.

As others pointed out, root user and root group are the owner and group on these files. Removing the world access would mean only the root user or a root group member could use the system.
