Why is this an issue?

In Unix file system permissions, the "others" category refers to all users except the owner of the file system resource and the members of the group assigned to this resource.

Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive information, disrupt services or elevate privileges.

What is the potential impact?

Unauthorized access to sensitive information

When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models), attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords, personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive disadvantage.

Service disruption and data corruption

Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete important resources, leading to service outages, system instability, data loss, and denial of service.

Privilege escalation

When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.

How to fix it

Use fs.chmodSync() with restrictive permissions that exclude the "others" category. Change the permission mode from 0o777 (read, write, execute for all) to 0o770 (read, write, execute for owner and group only).

Code examples

Noncompliant code example

const fs = require('fs');

fs.chmodSync("/tmp/fs", 0o777); // Noncompliant

Compliant solution

const fs = require('fs');

fs.chmodSync("/tmp/fs", 0o770);

Resources

Documentation

• OWASP File Permission Testing Guide - OWASP guidance on testing file permissions in web applications
• Node.js fs module - Official Node.js documentation for the file system module
• Node.js process.umask - Official Node.js documentation for process.umask

Standards

• CWE - CWE-266 - Incorrect Privilege Assignment
• CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource
• STIG Viewer - Application Security and Development: V-222430 - The application must execute without excessive account permissions
• OWASP - Top 10 2021 Category A1 - Broken Access Control
• OWASP - Top 10 2021 Category A4 - Insecure Design
• OWASP - Top 10 2017 Category A5 - Broken Access Control - OWASP Top 10 2017