B103: Test for setting permissive file permissions¶
POSIX based operating systems utilize a permissions model to protect access to
parts of the file system. This model supports three roles “owner”, “group”
and “world” each role may have a combination of “read”, “write” or “execute”
flags sets. Python provides
chmod to manipulate POSIX style permissions.
This plugin test looks for the use of
chmod and will alert when it is used
to set particularly permissive control flags. A MEDIUM warning is generated if
a file is set to group write or executable and a HIGH warning is reported if a
file is set world write or executable. Warnings are given with HIGH confidence.
>> Issue: Probable insecure usage of temp file/directory. Severity: Medium Confidence: Medium CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html) Location: ./examples/os-chmod.py:15 14 os.chmod('/etc/hosts', 0o777) 15 os.chmod('/tmp/oh_hai', 0x1ff) 16 os.chmod('/etc/passwd', stat.S_IRWXU) >> Issue: Chmod setting a permissive mask 0777 on file (key_file). Severity: High Confidence: High CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html) Location: ./examples/os-chmod.py:17 16 os.chmod('/etc/passwd', stat.S_IRWXU) 17 os.chmod(key_file, 0o777) 18
New in version 0.9.0.
Changed in version 1.7.3: CWE information added
Changed in version 1.7.5: Added checks for S_IWGRP and S_IXOTH