Insecure File Permissions
ID | go.insecure_file_permissions
Severity | low
Resource | Access Control
Language | Go
Tags | CWE:732, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.6
Description
Insecure file permissions occur when files are assigned permissions that are too permissive, allowing unauthorized users to access or modify them.
Rationale
Setting insecure file permissions is a common vulnerability that can lead to unauthorized access or modification of files containing sensitive information. It often arises from using overly permissive settings when creating or modifying files through code, such as with the os.Chmod function in Go.
Here is a Golang example illustrating the problem:
package main

import (
	"fmt"
	"os"
)

func main() {
	fileName := "sensitive_file.txt"

	// Create the file
	file, err := os.Create(fileName)
	if err != nil {
		fmt.Println("Error creating file:", err)
		return
	}
	file.Close()

	// Insecurely set file permissions to be readable, writable and executable by everyone
	err = os.Chmod(fileName, 0777) // FLAW
	if err != nil {
		fmt.Println("Error changing file permissions:", err)
	}
}
Remediation
To remediate this vulnerability, carefully set file permissions to the least permissive setting required for the application’s functionality, ensuring that only authorized users have access.
Try to use these values whenever possible:
- 0400 - Read only access
- 0200 - Write only access
- 0600 - Read / Write access
References
- CWE-732: Incorrect Permission Assignment for Critical Resource.