

V5318. OWASP. Setting POSIX file permissions to 'all' or 'others' groups can lead to unintended access to files or directories.

The analyzer has detected that the application sets unrestricted access permissions on files. Specifically, the others group is granted access.

Vulnerabilities related to setting unrestricted file permissions can be categorized under the OWASP Top 10 2021 as follows:

The others group refers to all users and groups except the resource owner. Granting rights to this group may result in unauthorized access.

Consider the following example:

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public void example() throws IOException {
    Path path = Path.of("/path/to/resource");
    // "rwxrwxrwx": read, write and execute for owner, group AND others (flagged by V5318)
    Files.setPosixFilePermissions(
        path,
        PosixFilePermissions.fromString("rwxrwxrwx")
    );
}

In this example, the owner, the group and all other users get full access (read, write and execute) to the resource at that path. This violates the principle of least privilege.

It is essential to enforce maximum access restrictions on files and directories, especially if the resources contain confidential data.

Even for non-critical resources there is a safer option: grant permissions to the owner and the group, but not to the others group. The code example:

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public void example() throws IOException {
    Path path = Path.of("/path/to/resource");
    // "rwxrwx---": owner and group keep full access, others get nothing
    Files.setPosixFilePermissions(
        path,
        PosixFilePermissions.fromString("rwxrwx---")
    );
}

The analyzer also generates a warning on calling the chmod command with unrestricted permissions:

import java.io.IOException;

public void example() throws IOException {
    // a+rw: read and write for all classes, including others (flagged by V5318)
    Runtime.getRuntime().exec("chmod a+rw resource.json");
}

The argument a+rw means adding (+) read and write (rw) permissions for all (a). A safer option would be, for example, the following command:

import java.io.IOException;

public void example() throws IOException {
    // o-rwx: strip every bit from others; u+rw: read and write for the owner only
    Runtime.getRuntime().exec("chmod o-rwx,u+rw resource.json");
}

This option removes all rights from the 'others' group and grants read and write rights only to the owner (u).
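As an added example (not code from the analyzer's documentation or from any project it describes), the following hypothetical helper class shows how to apply the rule above programmatically rather than by shelling out to chmod: detect and strip the 'others' bits from a permission set, create a sensitive file owner-only from the moment it exists, and audit an existing path. It assumes a POSIX file system (the PosixFilePermissions API throws UnsupportedOperationException elsewhere); all class and method names are invented for this illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical helper class (not part of the analyzer or any project) that keeps
// the 'others' class out of file permissions.
public final class OthersAccessGuard {

    // The three permission bits that give access to 'others'.
    private static final Set<PosixFilePermission> OTHERS_BITS = EnumSet.of(
            PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE,
            PosixFilePermission.OTHERS_EXECUTE);

    /** True if any 'others' bit is set, i.e. the set would be reported by V5318. */
    static boolean grantsOthersAccess(Set<PosixFilePermission> perms) {
        for (PosixFilePermission bit : OTHERS_BITS) {
            if (perms.contains(bit)) {
                return true;
            }
        }
        return false;
    }

    /** Returns a copy of perms with the 'others' bits cleared; owner and group bits are kept. */
    static Set<PosixFilePermission> withoutOthers(Set<PosixFilePermission> perms) {
        Set<PosixFilePermission> copy = EnumSet.noneOf(PosixFilePermission.class);
        copy.addAll(perms);
        copy.removeAll(OTHERS_BITS);
        return copy;
    }

    /**
     * Creates a new file that is private to the owner from the moment it exists,
     * instead of creating it with default permissions and tightening afterwards.
     * The process umask can only remove bits from this set, never add any.
     */
    static Path createOwnerOnlyFile(Path path) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        return Files.createFile(path, attr);
    }

    /**
     * Audits an existing path and clears the 'others' bits if any are set.
     * Returns true if the permissions were changed.
     */
    static boolean revokeOthers(Path path) throws IOException {
        Set<PosixFilePermission> current = Files.getPosixFilePermissions(path);
        if (!grantsOthersAccess(current)) {
            return false;
        }
        Files.setPosixFilePermissions(path, withoutOthers(current));
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: the permission string from the first example on the page.
        Set<PosixFilePermission> worldWritable = PosixFilePermissions.fromString("rwxrwxrwx");
        System.out.println("rwxrwxrwx grants others access: " + grantsOthersAccess(worldWritable));
        System.out.println("after clearing others bits:     "
                + PosixFilePermissions.toString(withoutOthers(worldWritable)));

        // Create a file in a fresh temp directory with owner-only permissions, then audit it.
        Path dir = Files.createTempDirectory("perm-demo");
        Path secret = createOwnerOnlyFile(dir.resolve("secret.json"));
        System.out.println("created " + secret + " as "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(secret)));
        System.out.println("revokeOthers changed anything: " + revokeOthers(secret));

        Files.delete(secret);
        Files.delete(dir);
    }
}
```

Two design points: passing the permission set to Files.createFile removes the window in which a file briefly exists with default (umask-derived) permissions before a later setPosixFilePermissions call, and using the java.nio API instead of Runtime.exec("chmod ...") keeps the permission set visible to the compiler, to code review and to static analysis rather than hidden inside a command string.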