Incorrect default permissions

Description

The application has been detected setting file permissions that are too permissive. This configuration could allow unauthorized users to read, write, or execute files, potentially leading to information disclosure or other security vulnerabilities.

Remediations

To enhance security, file permissions should be set to more restrictive values, especially when the files contain sensitive information:

✅ Use Restrictive File Permissions

Assign file permissions to limit access appropriately based on the application's requirements.

  • 0400: Grants read-only access to the file for the owner.
  • 0200: Grants write-only access to the file for the owner.
  • 0600: Grants read and write access to the file for the owner.

✅ Apply Permissions During File Creation

When creating or modifying files, set the appropriate permissions to prevent unauthorized access.

package main

import (
	"log"
	"os"
)

func main() {
	// Data to be written to the file
	dat := []byte("sensitive data")

	// Write the data to 'file.txt' with read and write permissions for the owner only
	if err := os.WriteFile("file.txt", dat, 0600); err != nil {
		log.Fatalf("failed to write file: %s", err)
	}
	// File is now safely written with restricted permissions
}

✅ Review File Permission Settings

Regularly audit the permissions of files to ensure they conform to the principle of least privilege.
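The following is an added example, not part of the rule page or the Bearer project, covering both the "apply permissions during file creation" and the "review file permission settings" steps above. It writes a file owner-only and then forces the mode with os.Chmod, because the mode passed to os.WriteFile is narrowed by the process umask and ignored entirely when the file already exists; it also walks a directory and reports files that grant any access to group or others. The names tooPermissive, writeSecret and auditDir are assumptions for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// tooPermissive is true when any group or other bit is set; 0400 and 0600 pass.
func tooPermissive(mode os.FileMode) bool {
	return mode.Perm()&0o077 != 0
}

// writeSecret writes data owner-only and then forces the mode on disk: the mode
// given to WriteFile is reduced by umask and ignored for an existing file.
func writeSecret(path string, data []byte) (os.FileMode, error) {
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return 0, err
	}
	if err := os.Chmod(path, 0o600); err != nil {
		return 0, err
	}
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// auditDir walks root and lists the regular files that grant any access to
// group or others, for a periodic least-privilege review.
func auditDir(root string) ([]string, error) {
	var findings []string
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		info, err := d.Info()
		if err == nil && tooPermissive(info.Mode()) {
			findings = append(findings, p)
		}
		return err
	})
	return findings, err
}

func main() {
	mode, err := writeSecret("file.txt", []byte("sensitive data"))
	fmt.Printf("file.txt mode=%#o err=%v\n", mode, err)
}
```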

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_poor_write_permissions

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_poor_write_permissions
