Permissive file assignment
- Rule ID: python_lang_file_permissions
- Languages: python
- Source: file_permissions.yml
Description
Permissive file assignment exposes sensitive information by granting unnecessary read, write, or execute permissions to users without ownership privileges.
Remediations
- Do keep file permissions as restrictive as possible to minimize the risk of unauthorized access. Use the principle of least privilege to only grant permissions that are absolutely necessary for the operation of the application.
  ```python
  import os
  os.chmod("my_private_file.txt", 0o600)  # only the owner has read and write access
  ```
- Do prefer assigning file permissions to 'groups' rather than 'other' when you need to extend privileges to users who are not the owners. This approach helps in limiting access to a more controlled set of users.
- Do not set a permissive `umask` value, as this can lead to overly permissive default permissions for new files and directories.
  ```python
  import os
  os.umask(0)  # unsafe
  ```
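
The remediations above in one runnable sketch. This is an added example, not part of the rule's own documentation; the helper names (`write_private`, `other_bits`, `default_mode_under_umask`, `demo`) and the sample file names are hypothetical, and a POSIX system is assumed. It creates files with restrictive modes from the start, shares one with the group instead of "other", and shows what `open()` produces under a permissive versus a restrictive umask.

```python
import os
import stat
import tempfile

def write_private(path, data: bytes, mode=0o600):
    """Create path with restrictive permissions from the start (no chmod-after-create window)."""
    # O_EXCL refuses to reuse an existing file that may already carry looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        # The umask can only remove bits from `mode`; fchmod pins the exact value.
        os.fchmod(fd, mode)
        os.write(fd, data)
    finally:
        os.close(fd)

def other_bits(path):
    """Return the permission bits granted to 'other' (0 means none)."""
    return stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO

def default_mode_under_umask(directory, umask):
    """Create a file with open() under the given umask and report its resulting mode."""
    previous = os.umask(umask)
    try:
        path = os.path.join(directory, f"umask_{umask:o}.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)  # always restore the process-wide umask

def demo():
    with tempfile.TemporaryDirectory() as d:
        owner_only = os.path.join(d, "owner_only.key")
        write_private(owner_only, b"constructed secret\n")
        group_shared = os.path.join(d, "group_shared.conf")
        write_private(group_shared, b"constructed config\n", mode=0o640)
        return {
            "owner_only": stat.S_IMODE(os.stat(owner_only).st_mode),
            "group_shared": stat.S_IMODE(os.stat(group_shared).st_mode),
            "other_bits": other_bits(group_shared),
            "umask_0": default_mode_under_umask(d, 0),
            "umask_077": default_mode_under_umask(d, 0o077),
        }

if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:o}")
```

With `umask(0)` a plain `open()` leaves the new file world-readable and world-writable (`666`), while `umask(0o077)` yields `600` without any explicit `chmod`.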
Associated CWE
Configuration
To skip this rule during a scan, use the following flag:
```bash
bearer scan /path/to/your-project/ --skip-rule=python_lang_file_permissions
```
To run only this rule during a scan, use the following flag:
```bash
bearer scan /path/to/your-project/ --only-rule=python_lang_file_permissions
```