1+ < h2 > Why is this an issue?</ h2 >
12< p > In Unix file system permissions, the "< code > others</ code > " category refers to all users except the owner of the file system resource and the
23members of the group assigned to this resource.</ p >
34< p > Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive
45information, disrupt services or elevate privileges.</ p >
5- < h2 > Ask Yourself Whether</ h2 >
6- < ul >
7- < li > The application is designed to be run on a multi-user environment.</ li >
8- < li > Corresponding files and directories may contain confidential information.</ li >
9- </ ul >
10- < p > There is a risk if you answered yes to any of those questions.</ p >
11- < h2 > Recommended Secure Coding Practices</ h2 >
12- < p > The most restrictive possible permissions should be assigned to files and directories.</ p >
13- < h2 > Sensitive Code Example</ h2 >
6+ < h3 > What is the potential impact?</ h3 >
7+ < h4 > Unauthorized access to sensitive information</ h4 >
8+ < p > When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models),
9+ attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords,
10+ personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive
11+ disadvantage.</ p >
12+ < h4 > Service disruption and data corruption</ h4 >
13+ < p > Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or
14+ compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete
15+ important resources, leading to service outages, system instability, data loss, and denial of service.</ p >
16+ < h4 > Privilege escalation</ h4 >
17+ < p > When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to
18+ execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious
19+ code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling
20+ them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.</ p >
21+ < h2 > How to fix it</ h2 >
22+ < p > Remove permissions for the "others" category by not adding OTHERS_READ, OTHERS_WRITE, or OTHERS_EXECUTE permissions to the permission set. If these
23+ permissions were previously added, explicitly remove them using the < code > remove()</ code > method.</ p >
24+ < h3 > Code examples</ h3 >
25+ < h4 > Noncompliant code example</ h4 >
1426< pre data-diff-id ="1 " data-diff-type ="noncompliant ">
1527 public void setPermissions(String filePath) throws IOException {
1628 Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
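Review bot: In the new "How to fix it" paragraph, OTHERS_READ, OTHERS_WRITE and OTHERS_EXECUTE appear as bare text while remove() is in code markup, and remove() is not tied to any object. Suggest putting the three constants in code markup with their PosixFilePermission qualifier, and saying that remove() is called on the permission Set that the code examples pass to Files.setPosixFilePermissions. The deleted practice "The most restrictive possible permissions should be assigned to files and directories" is also not carried over; the new text only covers the others category, so consider keeping that sentence in this section.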
@@ -22,20 +34,14 @@ <h2>Sensitive Code Example</h2>
2234 perms.add(PosixFilePermission.GROUP_READ);
2335 perms.add(PosixFilePermission.GROUP_EXECUTE);
2436 // others permissions
25- perms.add(PosixFilePermission.OTHERS_READ); // Sensitive
26- perms.add(PosixFilePermission.OTHERS_WRITE); // Sensitive
27- perms.add(PosixFilePermission.OTHERS_EXECUTE); // Sensitive
37+ perms.add(PosixFilePermission.OTHERS_READ); // Noncompliant
38+ perms.add(PosixFilePermission.OTHERS_WRITE); // Noncompliant
39+ perms.add(PosixFilePermission.OTHERS_EXECUTE); // Noncompliant
2840
2941 Files.setPosixFilePermissions(Paths.get(filePath), perms);
3042 }
3143</ pre >
32- < pre data-diff-id ="2 " data-diff-type ="noncompliant ">
33- public void setOthersPermissionsHardCoded(String filePath ) {
34- Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwxrwx")); // Sensitive
35- }
36- </ pre >
37- < h2 > Compliant Solution</ h2 >
38- < p > On operating systems that implement POSIX standard. This will throw a < code > UnsupportedOperationException</ code > on Windows.</ p >
44+ < h4 > Compliant solution</ h4 >
3945< pre data-diff-id ="1 " data-diff-type ="compliant ">
4046 public void setPermissions(String filePath) throws IOException {
4147 Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
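Review bot: The deleted sentence about UnsupportedOperationException on Windows has no replacement, yet the compliant solution still calls Files.setPosixFilePermissions, so the page loses its only warning about that failure. Suggest restoring it under "Compliant solution" with the grammar fixed, for example: "This code applies to file systems that support POSIX permissions; on Windows it throws UnsupportedOperationException." Removing the data-diff-id="2" block also drops the only illustration of the PosixFilePermissions.fromString("rwxrwxrwx") form; if the rule still reports hard-coded permission strings, keep that example with the "// Noncompliant" marker.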
@@ -54,26 +60,23 @@ <h2>Compliant Solution</h2>
5460 Files.setPosixFilePermissions(Paths.get(filePath), perms);
5561 }
5662</ pre >
57- < pre data-diff-id ="2 " data-diff-type ="compliant ">
58- public void setOthersPermissionsHardCoded(String filePath ) {
59- Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwx---"));
60- }
61- </ pre >
62- < h2 > See</ h2 >
63+ < h2 > Resources</ h2 >
64+ < h3 > Documentation</ h3 >
65+ < ul >
66+ < li > OWASP File Permission Testing Guide - < a
67+ href ="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission "> OWASP guidance on testing file permissions in web applications</ a > </ li >
68+ </ ul >
69+ < h3 > Standards</ h3 >
6370< ul >
64- < li > OWASP - < a href ="https://owasp.org/Top10/A01_2021-Broken_Access_Control/ "> Top 10 2021 Category A1 - Broken Access Control</ a > </ li >
65- < li > OWASP - < a href ="https://owasp.org/Top10/A04_2021-Insecure_Design/ "> Top 10 2021 Category A4 - Insecure Design</ a > </ li >
66- < li > OWASP - < a href ="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control "> Top 10 2017 Category A5 - Broken Access
67- Control</ a > </ li >
68- < li > < a
69- href ="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission "> OWASP File Permission</ a > </ li >
70- < li > CWE - < a href ="https://cwe.mitre.org/data/definitions/732 "> CWE-732 - Incorrect Permission Assignment for Critical Resource</ a > </ li >
7171 < li > CWE - < a href ="https://cwe.mitre.org/data/definitions/266 "> CWE-266 - Incorrect Privilege Assignment</ a > </ li >
72- < li > < a href ="https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions "> CERT, FIO01-J.</ a > - Create
73- files with appropriate access permissions</ li >
74- < li > < a href ="https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions "> CERT, FIO06-C.</ a > - Create
75- files with appropriate access permissions</ li >
72+ < li > CWE - < a href ="https://cwe.mitre.org/data/definitions/732 "> CWE-732 - Incorrect Permission Assignment for Critical Resource</ a > </ li >
7673 < li > STIG Viewer - < a href ="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222430 "> Application Security and
77- Development: V-222430</ a > - The application must execute without excessive account permissions.</ li >
74+ Development: V-222430</ a > - The application must execute without excessive account permissions</ li >
75+ < li > OWASP - < a href ="https://owasp.org/Top10/A01_2021-Broken_Access_Control/ "> Top 10 2021 Category A1 - Broken Access Control</ a > </ li >
76+ < li > OWASP - < a href ="https://owasp.org/Top10/A04_2021-Insecure_Design/ "> Top 10 2021 Category A4 - Insecure Design</ a > </ li >
77+ < li > OWASP - < a href ="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control "> Top 10 2017 Category A5 - Broken Access Control -
78+ OWASP Top 10 2017</ a > </ li >
79+ < li > CERT FIO01-J - < a href ="https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions "> CERT
80+ guideline for creating files with appropriate access permissions in Java</ a > </ li >
7881</ ul >
7982
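Review bot: The link text added for the 2017 entry reads "Top 10 2017 Category A5 - Broken Access Control - OWASP Top 10 2017", which repeats the list name; trim it to "Top 10 2017 Category A5 - Broken Access Control" so it matches the two 2021 entries. In the STIG entry the description still sits outside the link while every other item in the new Standards list puts its description inside the anchor, so move "The application must execute without excessive account permissions" into the link text or drop it. The matching removal of the data-diff-id="2" compliant block at the top of this hunk is consistent with the noncompliant one being removed.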