Incorrect permission assignment for critical resource
- Rule ID: go_gosec_file_permissions_mkdir
- Languages: go
- Source: mkdir.yml
Description
Setting correct directory permissions is critical to maintaining the security of a system. Directories with overly permissive access rights can become a vector for security breaches, allowing unauthorized users to add, remove, or change files, potentially leading to the execution of malicious code, data leaks, or system compromise.
Remediations
When creating directories, apply the principle of least privilege to ensure users have only the permissions necessary for their role:
✅ Restrict Directory Permissions
Use permissions that restrict access to what is strictly necessary for the operation of the application. Avoid overly permissive settings such as 0777, which allow all users to read, write, and execute.
✅ Use Go’s os Package
Leverage the os.Mkdir or os.MkdirAll function with appropriate permission flags to create directories.
✅ Recommended Directory Permissions
0700 gives the owner read, write, and execute permissions, with no access for group and others, suitable for private user data.
0750 gives the owner full permissions, the group read and execute permissions, and no permissions for others, which is commonly used for directories that need to be shared within a group.
package main

import (
	"log"
	"os"
)

func main() {
	// Use os.Mkdir to create a directory with restricted permissions.
	// 0700: full control for the owner, no permissions for group and others.
	// The mode is further reduced by the process umask, never widened.
	err := os.Mkdir("secure_directory", 0700)
	if err != nil {
		log.Fatalf("failed to create directory: %s", err)
	}
	// Continue setting up the directory here
}
✅ Verify Directory Permissions
After creating a directory, confirm the permissions to ensure they have been set correctly.
✅ Set Secure Umask
Consider setting a secure umask in your application or user profile to ensure that all newly created files and directories have restrictive permissions by default.
✅ Regular Auditing
Implement regular checks of directory permissions as part of your security auditing procedures to identify and correct any permissions that are too broad.
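The remediations above (restrict the mode, verify it after creation, account for the umask) are combined below in an added example that is not part of the Bearer rule or its documentation. The function names MkdirSecure and CheckDirPerm, and the 0750 ceiling they enforce, are assumptions for illustration. It shows the umask caveat a practitioner needs: the mode passed to os.Mkdir/os.MkdirAll can only be narrowed by the umask, so a freshly created directory is never looser than requested, but MkdirAll silently succeeds on a directory that already exists with a wider mode, which is why the result is checked with os.Stat and tightened with os.Chmod.

```go
package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"
	"path/filepath"
)

// maxPerm is the widest mode accepted for an application directory: owner
// read/write/execute, group read/execute, nothing for others (0750).
const maxPerm fs.FileMode = 0o750

// CheckDirPerm returns an error if dir is missing, is not a directory, or
// grants any permission bit beyond maxPerm (group write, or anything for others).
func CheckDirPerm(dir string) error {
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	if excess := info.Mode().Perm() &^ maxPerm; excess != 0 {
		return fmt.Errorf("%s has mode %o, excess bits %o", dir, info.Mode().Perm(), excess)
	}
	return nil
}

// MkdirSecure creates dir (and any missing parents) with perm, which must be
// 0750 or stricter, then verifies the on-disk mode. The mode passed to
// MkdirAll is reduced by the process umask, so a new directory can only be
// stricter than perm; the explicit check catches a directory that already
// existed with a wider mode, and os.Chmod tightens it to perm.
func MkdirSecure(dir string, perm fs.FileMode) error {
	if perm&^maxPerm != 0 {
		return fmt.Errorf("refusing mode %o for %s: wider than %o", perm, dir, maxPerm)
	}
	if err := os.MkdirAll(dir, perm); err != nil {
		return fmt.Errorf("create %s: %w", dir, err)
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if info.Mode().Perm()&^perm != 0 {
		// Pre-existing directory with extra bits: tighten rather than trust it.
		if err := os.Chmod(dir, perm); err != nil {
			return fmt.Errorf("chmod %s: %w", dir, err)
		}
	}
	return CheckDirPerm(dir)
}

func main() {
	// All paths below are created under a temporary directory for the demo.
	base, err := os.MkdirTemp("", "perm-demo")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(base)

	private := filepath.Join(base, "private")
	if err := MkdirSecure(private, 0o700); err != nil {
		log.Fatal(err)
	}
	fmt.Println("created", private, "with 0700")

	// A directory created the insecure way (0777) fails verification ...
	wide := filepath.Join(base, "wide")
	if err := os.Mkdir(wide, 0o777); err != nil {
		log.Fatal(err)
	}
	if err := os.Chmod(wide, 0o777); err != nil { // Chmod is not subject to the umask
		log.Fatal(err)
	}
	fmt.Println("check before:", CheckDirPerm(wide))
	// ... and MkdirSecure tightens it to 0750 when asked to create it again.
	fmt.Println("tighten:", MkdirSecure(wide, 0o750), "check after:", CheckDirPerm(wide))

	// Asking for 0777 is rejected before anything touches the filesystem.
	fmt.Println("reject:", MkdirSecure(filepath.Join(base, "open"), 0o777))
}
```

CheckDirPerm is the piece to reuse for the periodic audit: run it over the directories the application owns and alert on any error, since a mode widened by a later chmod or a misconfigured deployment step is exactly what the creation-time check cannot see.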
Associated CWE
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_file_permissions_mkdir
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_file_permissions_mkdir