1.1.21_sticky_bit_world_writable_folder: Check failed #248

Open
mohaa7 opened this issue Nov 25, 2024 · 1 comment
mohaa7 commented Nov 25, 2024

Running the following script leads to the error "Check failed with unexpected exit code: 1".
Script: 1.1.21_sticky_bit_world_writable_folder.sh

If I run the following command, kinda inspired by the find snippet in the script:

root@Debian:~# find /dev /run / /dev/shm /run/lock /boot /run/user/1000 /media -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print

then I get the following error:

find: ‘/run/user/1000/doc’: Permission denied
find: ‘/run/user/1000/gvfs’: Permission denied

Here is a related investigation: https://forums.debian.net/viewtopic.php?p=806684&sid=8661b51a8c76f9c3e9d4db6f841684cc#p806684

If I try to look at the directory "/run/user/1000/", then:

root@Debian:~# ls -lA /run/user/1000/ 1>/dev/null
ls: cannot access '/run/user/1000/doc': Permission denied
ls: cannot access '/run/user/1000/gvfs': Permission denied

VS

root@Debian:~# su --login "$(id -un 1000)" --command="ls -lA /run/user/1000/ 1>/dev/null"
(no error, indeed no output)

# mount | grep fuse:

fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

I added ! -path "/run/user/1000/doc" ! -path "/run/user/1000/gvfs" to all find commands in the script, before 2>/dev/null:

e.g: RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) ! -path "/run/user/1000/doc" ! -path "/run/user/1000/gvfs" -print 2>/dev/null)

But I still get that error:

# ./1.1.21_sticky_bit_world_writable_folder.sh --audit
1.1.21_sticky_bit_world_w [INFO] Working on 1.1.21_sticky_bit_world_writable_folder
1.1.21_sticky_bit_world_w [INFO] [DESCRIPTION] Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.
1.1.21_sticky_bit_world_w [INFO] Checking Configuration
1.1.21_sticky_bit_world_w [INFO] Performing audit
1.1.21_sticky_bit_world_w [INFO] Checking if setuid is set on world writable Directories
1.1.21_sticky_bit_world_w [ KO ] Check failed with unexpected exit code: 1

Note: My OS is a newly installed Debian 12 (+ Gnome Desktop), just updated. Only git, vim and curl are installed additionally.

mohaa7 commented Nov 25, 2024

Output of running the script in debug mode (bash -x script.sh):

root@Debian:/opt/cis-hardening/bin/hardening# bash -x ./1.1.21_sticky_bit_world_writable_folder.sh --audit

+ set -e
+ set -u
+ HARDENING_LEVEL=2
+ DESCRIPTION='Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.'
+ EXCEPTIONS=
+ FIND_IGNORE_NOSUCHFILE_ERR=false
+ '[' -r /etc/default/cis-hardening ']'
+ . /etc/default/cis-hardening
++ CIS_LIB_DIR=/opt/cis-hardening/lib
++ CIS_CHECKS_DIR=/opt/cis-hardening/bin/hardening
++ CIS_CONF_DIR=/opt/cis-hardening/etc
++ CIS_TMP_DIR=/opt/cis-hardening/tmp
+ '[' -z /opt/cis-hardening/lib ']'
+ '[' -r /opt/cis-hardening/lib/main.sh ']'
+ . /opt/cis-hardening/lib/main.sh
+++ basename ./1.1.21_sticky_bit_world_writable_folder.sh
++ LONG_SCRIPT_NAME=1.1.21_sticky_bit_world_writable_folder.sh
++ SCRIPT_NAME=1.1.21_sticky_bit_world_writable_folder
++ CRITICAL_ERRORS_NUMBER=0
++ BATCH_MODE=0
++ BATCH_OUTPUT=
++ status=
++ forcedstatus=
++ SUDO_CMD=
++ SAVED_LOGLEVEL=
++ ACTIONS_DONE=0
++ '[' -n '' ']'
++ '[' -r /opt/cis-hardening/etc/hardening.cfg ']'
++ . /opt/cis-hardening/etc/hardening.cfg
+++ LOGLEVEL=info
+++ BACKUPDIR=/opt/cis-hardening/tmp/backups
++ '[' -n '' ']'
++ '[' -r /opt/cis-hardening/lib/common.sh ']'
++ . /opt/cis-hardening/lib/common.sh
+++ case $LOGLEVEL in
+++ MACHINE_LOG_LEVEL=4
++ '[' -r /opt/cis-hardening/lib/utils.sh ']'
++ . /opt/cis-hardening/lib/utils.sh
++ '[' -r /opt/cis-hardening/lib/constants.sh ']'
++ . /opt/cis-hardening/lib/constants.sh
+++ export LANG=C
+++ LANG=C
+++ NC='\033[0m'
+++ WHITE='\033[0m'
+++ RED='\033[0;31m'
+++ GREEN='\033[0;32m'
+++ YELLOW='\033[0;33m'
+++ GRAY='\033[0;40m'
+++ BRED='\033[1;31m'
+++ BGREEN='\033[1;32m'
+++ BYELLOW='\033[1;33m'
+++ BWHITE='\033[1;37m'
+++ CONTAINER_TYPE=
+++ IS_CONTAINER=0
++++ is_running_in_container docker
++++ awk -F/ '$2 == "docker"' /proc/self/cgroup
+++ '[' '' '!=' '' ']'
++++ is_running_in_container lxc
++++ awk -F/ '$2 == "lxc"' /proc/self/cgroup
+++ '[' '' '!=' '' ']'
++++ is_running_in_container kubepods
++++ awk -F/ '$2 == "kubepods"' /proc/self/cgroup
+++ '[' '' '!=' '' ']'
+++ get_distribution
+++ DISTRIBUTION=
+++ '[' -f /etc/os-release ']'
++++ grep '^ID=' /etc/os-release
++++ sed s/ID=//
++++ tr '[:upper:]' '[:lower:]'
+++ DISTRIBUTION=debian
+++ FNRET=0
+++ get_debian_major_version
+++ DEB_MAJ_VER=
+++ does_file_exist /etc/debian_version
+++ local FILE=/etc/debian_version
+++ '[' -e /etc/debian_version ']'
+++ FNRET=0
+++ '[' 0 = 0 ']'
+++ grep -q sid /etc/debian_version
++++ cut -d . -f1 /etc/debian_version
+++ DEB_MAJ_VER=12
+++ SMALLEST_SUPPORTED_DEBIAN_VERSION=10
+++ HIGHEST_SUPPORTED_DEBIAN_VERSION=12
++ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
++ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
++ [[ 0 -gt 0 ]]
++ info 'Working on 1.1.21_sticky_bit_world_writable_folder'
++ '[' 4 -ge 4 ']'
++ _logger '' '[INFO] Working on 1.1.21_sticky_bit_world_writable_folder'
++ COLOR=
++ shift
++ test -z 1.1.21_sticky_bit_world_writable_folder
++ builtin echo '[INFO] Working on 1.1.21_sticky_bit_world_writable_folder'
++ /usr/bin/logger -t 'CIS_Hardening[137330] 1.1.21_sticky_bit_world_writable_folder' -p user.info
+++ printf %-25.25s 1.1.21_sticky_bit_world_writable_folder
++ SCRIPT_NAME_FIXEDLEN=1.1.21_sticky_bit_world_w
++ cecho '' '1.1.21_sticky_bit_world_w [INFO] Working on 1.1.21_sticky_bit_world_writable_folder'
++ COLOR=
++ shift
++ builtin echo -e '1.1.21_sticky_bit_world_w [INFO] Working on 1.1.21_sticky_bit_world_writable_folder\033[0m'
1.1.21_sticky_bit_world_w [INFO] Working on 1.1.21_sticky_bit_world_writable_folder
++ info '[DESCRIPTION] Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.'
++ '[' 4 -ge 4 ']'
++ _logger '' '[INFO] [DESCRIPTION] Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.'
++ COLOR=
++ shift
++ test -z 1.1.21_sticky_bit_world_writable_folder
++ builtin echo '[INFO] [DESCRIPTION] Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.'
++ /usr/bin/logger -t 'CIS_Hardening[137330] 1.1.21_sticky_bit_world_writable_folder' -p user.info
+++ printf %-25.25s 1.1.21_sticky_bit_world_writable_folder
++ SCRIPT_NAME_FIXEDLEN=1.1.21_sticky_bit_world_w
++ cecho '' '1.1.21_sticky_bit_world_w [INFO] [DESCRIPTION] Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.'
++ COLOR=
++ shift
++ builtin echo -e '1.1.21_sticky_bit_world_w [INFO] [DESCRIPTION] Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.\033[0m'
1.1.21_sticky_bit_world_w [INFO] [DESCRIPTION] Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.
++ '[' -r /opt/cis-hardening/etc/conf.d/1.1.21_sticky_bit_world_writable_folder.cfg ']'
++ '[' '' = createconfig ']'
++ '[' -r /opt/cis-hardening/etc/conf.d/1.1.21_sticky_bit_world_writable_folder.cfg ']'
++ . /opt/cis-hardening/etc/conf.d/1.1.21_sticky_bit_world_writable_folder.cfg
+++ status=enabled
++ '[' '' = auditall ']'
++ '[' '' = audit ']'
++ '[' -z enabled ']'
++ trap exception EXIT
++ case $status in
++ info 'Checking Configuration'
++ '[' 4 -ge 4 ']'
++ _logger '' '[INFO] Checking Configuration'
++ COLOR=
++ shift
++ test -z 1.1.21_sticky_bit_world_writable_folder
++ builtin echo '[INFO] Checking Configuration'
++ /usr/bin/logger -t 'CIS_Hardening[137330] 1.1.21_sticky_bit_world_writable_folder' -p user.info
+++ printf %-25.25s 1.1.21_sticky_bit_world_writable_folder
++ SCRIPT_NAME_FIXEDLEN=1.1.21_sticky_bit_world_w
++ cecho '' '1.1.21_sticky_bit_world_w [INFO] Checking Configuration'
++ COLOR=
++ shift
++ builtin echo -e '1.1.21_sticky_bit_world_w [INFO] Checking Configuration\033[0m'
1.1.21_sticky_bit_world_w [INFO] Checking Configuration
++ check_config
++ :
++ info 'Performing audit'
++ '[' 4 -ge 4 ']'
++ _logger '' '[INFO] Performing audit'
++ COLOR=
++ shift
++ test -z 1.1.21_sticky_bit_world_writable_folder
++ builtin echo '[INFO] Performing audit'
++ /usr/bin/logger -t 'CIS_Hardening[137330] 1.1.21_sticky_bit_world_writable_folder' -p user.info
+++ printf %-25.25s 1.1.21_sticky_bit_world_writable_folder
++ SCRIPT_NAME_FIXEDLEN=1.1.21_sticky_bit_world_w
++ cecho '' '1.1.21_sticky_bit_world_w [INFO] Performing audit'
++ COLOR=
++ shift
++ builtin echo -e '1.1.21_sticky_bit_world_w [INFO] Performing audit\033[0m'
1.1.21_sticky_bit_world_w [INFO] Performing audit
++ audit
++ info 'Checking if setuid is set on world writable Directories'
++ '[' 4 -ge 4 ']'
++ _logger '' '[INFO] Checking if setuid is set on world writable Directories'
++ COLOR=
++ shift
++ test -z 1.1.21_sticky_bit_world_writable_folder
++ /usr/bin/logger -t 'CIS_Hardening[137330] 1.1.21_sticky_bit_world_writable_folder' -p user.info
++ builtin echo '[INFO] Checking if setuid is set on world writable Directories'
+++ printf %-25.25s 1.1.21_sticky_bit_world_writable_folder
++ SCRIPT_NAME_FIXEDLEN=1.1.21_sticky_bit_world_w
++ cecho '' '1.1.21_sticky_bit_world_w [INFO] Checking if setuid is set on world writable Directories'
++ COLOR=
++ shift
++ builtin echo -e '1.1.21_sticky_bit_world_w [INFO] Checking if setuid is set on world writable Directories\033[0m'
1.1.21_sticky_bit_world_w [INFO] Checking if setuid is set on world writable Directories
++ '[' -n '' ']'
+++ df --local -P
+++ awk '{if (NR!=1) print $6}'
++ FS_NAMES='/dev
/run
/
/dev/shm
/run/lock
/boot
/run/user/1000
/media'
++ '[' false = true ']'
+++ find /dev /run / /dev/shm /run/lock /boot /run/user/1000 /media -xdev -ignore_readdir_race -type d '(' -perm -0002 -a '!' -perm -1000 ')' -print
++ RESULT=
+ exception
+ TRAP_CODE=1
+ '[' 0 -ne 1 ']'
+ '[' 0 -eq 1 ']'
+ crit 'Check failed with unexpected exit code: 1'
+ '[' 0 -eq 1 ']'
+ '[' 4 -ge 1 ']'
+ _logger '\033[1;31m' '[ KO ] Check failed with unexpected exit code: 1'
+ COLOR='\033[1;31m'
+ shift
+ test -z 1.1.21_sticky_bit_world_writable_folder
+ /usr/bin/logger -t 'CIS_Hardening[137330] 1.1.21_sticky_bit_world_writable_folder' -p user.info
+ builtin echo '[ KO ] Check failed with unexpected exit code: 1'
++ printf %-25.25s 1.1.21_sticky_bit_world_writable_folder
+ SCRIPT_NAME_FIXEDLEN=1.1.21_sticky_bit_world_w
+ cecho '\033[1;31m' '1.1.21_sticky_bit_world_w [ KO ] Check failed with unexpected exit code: 1'
+ COLOR='\033[1;31m'
+ shift
+ builtin echo -e '\033[1;31m1.1.21_sticky_bit_world_w [ KO ] Check failed with unexpected exit code: 1\033[0m'
1.1.21_sticky_bit_world_w [ KO ] Check failed with unexpected exit code: 1
+ CRITICAL_ERRORS_NUMBER=1
+ exit 1
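The trace above shows the mechanism behind both comments: `find` returns exit status 1 as soon as it fails to stat an entry while walking `/run/user/1000` (the `doc` and `gvfs` FUSE mounts carry `user_id=1000` and no `allow_other`, so they refuse root), `2>/dev/null` hides the message but not the status, the assignment `RESULT=$(find …)` inherits that status, and `set -e` fires the EXIT trap, which reports "unexpected exit code: 1". A `! -path` predicate cannot help because the error occurs during traversal, before the expression is evaluated for that entry. The following added example (not code from the issue author or from the project) reproduces this in a constructed sandbox and shows a capture pattern that keeps the finding while tolerating the error. The FUSE denial cannot be built portably, so a mode-000 directory stands in for it; as root that directory is readable and the fragile variant will not abort. Function and path names are invented for the example.

```shell
#!/bin/sh
# Added example, not part of the original issue or project.
# Demonstrates why `RESULT=$(find ...)` under `set -e` aborts an audit when
# find cannot read one directory, and a variant that survives it.

# Build a constructed sandbox: one world-writable directory with the sticky
# bit (compliant), one without it (the finding), and one unreadable directory
# standing in for the FUSE mount points that root cannot stat on the reporter's
# system. Prints the sandbox path.
make_sandbox() {
    sandbox=$(mktemp -d)
    mkdir -m 1777 "$sandbox/sticky_ok"
    mkdir -m 0777 "$sandbox/nosticky_bad"
    mkdir -m 0000 "$sandbox/locked"   # "Permission denied" for non-root users
    printf '%s\n' "$sandbox"
}

# Fragile form, mirroring the reported script. It runs in a child shell with
# -e so the abort is isolated from the caller. The assignment takes find's
# exit status, so a single unreadable entry ends the audit even though
# stderr is discarded, and nothing is printed.
fragile_audit() {
    sh -e -c '
        RESULT=$(find "$@" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
        printf "%s\n" "$RESULT"
    ' fragile_audit "$@"
}

# Robust form: record find's status in a variable instead of letting set -e
# act on it, print whatever findings were collected, and flag an incomplete
# scan on stderr so "nothing found" is not mistaken for "could not scan".
robust_audit() {
    find_rc=0
    RESULT=$(find "$@" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) || find_rc=$?
    if [ "$find_rc" -ne 0 ]; then
        echo "warning: find exited $find_rc; some paths could not be scanned" >&2
    fi
    [ -n "$RESULT" ] && printf '%s\n' "$RESULT"
    return 0
}

# Make the locked directory removable again, then delete the sandbox.
cleanup_sandbox() {
    chmod 700 "$1/locked" 2>/dev/null
    rm -rf "$1"
}

# Stand-alone demo: ./example.sh --demo
if [ "${1:-}" = "--demo" ]; then
    box=$(make_sandbox)
    rc=0
    fragile_audit "$box" || rc=$?
    echo "fragile audit exit status: $rc"
    echo "robust audit findings:"
    robust_audit "$box"
    cleanup_sandbox "$box"
fi
```

Run as a non-root user the fragile audit exits 1 with no output, while the robust audit still lists `nosticky_bad` and prints the warning. For the reporter's case the cleaner fix is to keep the FUSE mount points out of `FS_NAMES` in the first place; GNU `df` supports `-x TYPE`, so `df --local -P -x fuse.gvfsd-fuse -x fuse.portal` would drop `/run/user/1000/doc` and `/run/user/1000/gvfs` before `find` ever sees them (this is a suggestion, not something the page states the project does).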
