RSPEC-2612

Setting loose POSIX file permissions is security-sensitive


    Details

    • Message:
      Make sure this permission is safe.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      Kotlin, TypeScript
    • Covered Languages:
      C#, C, C++, Java, JavaScript, Objective-C, PHP, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • CERT:
      FIO01-J., FIO06-C.
    • CWE:
      CWE-732, CWE-266
    • OWASP:
      A5
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      OVERLY_PERMISSIVE_FILE_PERMISSION

      Description

      In Unix, the "others" class refers to all users except the owner of the file and the members of the group assigned to the file.
      Granting permissions to this class can lead to unintended access to files.

      Ask Yourself Whether

      • The application is designed to be run in a multi-user environment.
      • Corresponding files and directories may contain confidential information.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      The most restrictive possible permissions should be assigned to files and directories.
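The following is an added example, not code from SonarSource or from this rule's own checker. It assumes a POSIX filesystem and shows two things a practitioner would want: how to test whether a mode grants anything to the "others" class (the condition this rule flags), and how to create a file with the most restrictive permissions at creation time rather than creating it and tightening it afterwards. The sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Permission bits granted to the "others" class: everyone who is neither the
# owner nor a member of the file's group. Numerically this is 0o007.
OTHERS_MASK = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def others_permissions(mode: int) -> int:
    """Return only the permission bits of `mode` that apply to 'others'."""
    return mode & OTHERS_MASK


def is_loose(mode: int) -> bool:
    """True when the mode grants any read, write or execute access to 'others'."""
    return others_permissions(mode) != 0


def audit(path: str) -> dict:
    """Inspect an existing file and report whether 'others' has any access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)  # strip the file-type bits
    return {
        "mode": oct(mode),
        # Render as 'rwxr-x---' style; S_IFREG supplies the leading '-'.
        "human": stat.filemode(stat.S_IFREG | mode),
        "others": oct(others_permissions(mode)),
        "loose": is_loose(mode),
    }


def create_private_file(path: str, data: bytes) -> int:
    """Create a file accessible only by its owner and return its resulting mode.

    Passing the mode to os.open applies it atomically at creation (still
    subject to the process umask), so there is no window in which the file
    exists with a looser default mode, unlike open() followed by os.chmod().
    O_EXCL refuses to reuse a pre-existing file that might carry other bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple:
    """Build a world-readable file and an owner-only file; return their audit flags."""
    with tempfile.TemporaryDirectory() as workdir:
        loose_path = os.path.join(workdir, "loose.txt")  # constructed sample file
        with open(loose_path, "w") as fh:
            fh.write("x")
        os.chmod(loose_path, 0o644)  # typical default: group and others can read

        private_path = os.path.join(workdir, "private.txt")  # constructed sample file
        create_private_file(private_path, b"secret")

        return audit(loose_path)["loose"], audit(private_path)["loose"]


if __name__ == "__main__":
    print(demo())  # (True, False) on a POSIX system
```

`is_loose` is the check an analyzer applies to a literal mode such as `0o644` or `0o777`; `audit` applies the same check to a file already on disk, which is useful when verifying what a deployment actually produced. Note that `create_private_file` relies on the process umask not removing owner bits; if the umask is unusual, confirm the returned mode rather than assuming `0o600`.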

      See


          Issue Links

          1. C-Family RSPEC-5675 Language-Specification Active Unassigned
          2. Java RSPEC-5676 Language-Specification Active Unassigned
          3. PHP RSPEC-6083 Language-Specification Active Unassigned
          4. Javascript RSPEC-6099 Language-Specification Active Unassigned
          5. Python RSPEC-6122 Language-Specification Active Unassigned
          6. C#: Setting loose file permissions is security-sensitive RSPEC-6127 Language-Specification Active Unassigned
          7. VB.Net RSPEC-6160 Language-Specification Active Unassigned


              People

              Assignee: Unassigned
              Reporter: ann.campbell.2 (Ann Campbell)
