In Unix file system permissions, the "others" category refers to all users except the owner of the file system resource and the
members of the group assigned to this resource.
Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive
information, disrupt services or elevate privileges.
Ask Yourself Whether
- The application is designed to be run on a multi-user environment.
- Corresponding files and directories may contain confidential information.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
The most restrictive possible permissions should be assigned to files and directories.
Sensitive Code Example
Node.js fs
const fs = require('fs');
fs.chmodSync("/tmp/fs", 0o777); // Sensitive
const fs = require('fs');
const fsPromises = fs.promises;
fsPromises.chmod("/tmp/fsPromises", 0o777); // Sensitive
const fs = require('fs');
const fsPromises = fs.promises
async function fileHandler() {
let filehandle;
try {
filehandle = fsPromises.open('/tmp/fsPromises', 'r');
filehandle.chmod(0o777); // Sensitive
} finally {
if (filehandle !== undefined)
filehandle.close();
}
}
Node.js process.umask
const process = require('process');
process.umask(0o000); // Sensitive
Compliant Solution
Node.js fs
const fs = require('fs');
fs.chmodSync("/tmp/fs", 0o770); // Compliant
const fs = require('fs');
const fsPromises = fs.promises;
fsPromises.chmod("/tmp/fsPromises", 0o770); // Compliant
const fs = require('fs');
const fsPromises = fs.promises
async function fileHandler() {
let filehandle;
try {
filehandle = fsPromises.open('/tmp/fsPromises', 'r');
filehandle.chmod(0o770); // Compliant
} finally {
if (filehandle !== undefined)
filehandle.close();
}
}
Node.js process.umask
const process = require('process');
process.umask(0o007); // Compliant
See
