Incorrect Permission Assignment for Critical Resource
This weakness occurs when a security-critical file, directory, or resource is created with overly permissive access controls, allowing unauthorized users to…
This weakness occurs when a security-critical file, directory, or resource is created with overly permissive access controls, allowing unauthorized users to read or modify it. Common examples include configuration files containing secrets, private keys, database backups, or administrative directories left world-readable or writable. Even a single misconfigured permission can expose sensitive data or enable privilege escalation.
02How It Happens
When applications or system administrators create files or directories, they often rely on default permission masks or fail to explicitly set restrictive permissions. On Unix-like systems, this might mean a file is created with mode 0644 (world-readable) when it should be 0600 (owner-only). On Windows, it might mean an ACL grants "Everyone" or "Authenticated Users" more access than necessary. The vulnerability is especially common in automated deployment scripts, temporary file creation, or when permissions are inherited from a parent directory rather than explicitly set. Developers may also misunderstand the security implications of their chosen permissions, assuming that obscurity or network isolation provides sufficient protection.
03Real-World Impact
An attacker with local access to the system—or remote access via a web shell, container escape, or compromised account—can read sensitive files like private keys, database credentials, API tokens, or configuration secrets. This can lead to lateral movement, privilege escalation, or compromise of downstream systems. In multi-tenant environments (shared hosting, containers, cloud instances), a single misconfigured permission can expose one tenant's data to another. Even if the attacker cannot directly read the file, world-writable permissions on critical resources allow modification or replacement, potentially leading to code execution or denial of service.
04Vulnerable & Fixed Patterns
Vulnerable pattern
import os
import tempfile
# Create a temporary file to store a database password
temp_file = tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.conf')
temp_file.write('db_password=secret123')
temp_file.close()
# File is created with default permissions (often 0o644 on Unix)
# Any user on the system can read it
print(f"Created: {temp_file.name}")
Why it's vulnerable: The temporary file is created with default permissions that allow any user on the system to read its contents, including the database password.
Fixed pattern
import os
import tempfile
# Create a temporary file with restrictive permissions
fd, temp_file = tempfile.mkstemp(suffix='.conf')
try:
# Set permissions to owner-read/write only (0o600)
os.chmod(temp_file, 0o600)
with os.fdopen(fd, 'w') as f:
f.write('db_password=secret123')
print(f"Created: {temp_file}")
finally:
# Clean up
if os.path.exists(temp_file):
os.remove(temp_file)
Vulnerable pattern
<?php
// Create a configuration file with database credentials
$config_content = "<?php\n\$db_user = 'admin';\n\$db_pass = 'secret123';\n";
// File is created with default umask (often 0o022, resulting in 0o644)
// Any user on the server can read it
file_put_contents('/var/www/config.php', $config_content);
// Alternatively, explicitly setting permissive permissions
chmod('/var/www/config.php', 0644);
?>
Why it's vulnerable: The configuration file is readable by any user on the system, exposing database credentials to other applications, users, or processes.
Fixed pattern
<?php
// Create a configuration file with restrictive permissions
$config_content = "<?php\n\$db_user = 'admin';\n\$db_pass = 'secret123';\n";
// Write the file
file_put_contents('/var/www/config.php', $config_content);
// Explicitly set permissions to owner-read/write only (0o600)
chmod('/var/www/config.php', 0600);
// Verify the permissions were applied
$perms = substr(sprintf('%o', fileperms('/var/www/config.php')), -4);
if ($perms !== '0600') {
error_log("Warning: config.php permissions are $perms, expected 0600");
}
?>
05Prevention Checklist
Set explicit, minimal permissions on all files and directories at creation time; do not rely on default umask or inherited permissions.
Use restrictive defaults (e.g., 0o600 for files, 0o700 for directories) and grant additional access only when justified.
Separate sensitive files (keys, credentials, backups) into directories with restricted access; never store them in web-accessible or world-readable locations.
Audit existing permissions regularly on configuration files, private keys, database backups, and administrative directories; use automated tools to flag overly permissive modes.
Document permission requirements in deployment and configuration management scripts; enforce them in CI/CD pipelines and infrastructure-as-code.
Test permission enforcement in staging environments before production deployment; verify that automated tools (containers, package managers, deployment scripts) apply the intended permissions.
06Signs You May Already Be Affected
Check for world-readable or world-writable files in critical locations: run find /path/to/app -type f -perm /077 on Unix systems to list files readable or writable by non-owners. Look for configuration files, private keys, or backups in web-accessible directories or with permissions like 0o644 or 0o666. Review access logs for unexpected reads of sensitive files, or check for unauthorized modifications to critical resources.