os — incorrect permission

Incorrect Permission Assignment for Critical Resource using os Module

This rule identifies instances in code where potentially risky file or directory permission modes are being set using functions like chmod, fchmod, mknod, open, lchmod, and similar system calls. Setting inappropriate permission modes can lead to security vulnerabilities, including unauthorized access, data leakage, or privilege escalation.

Setting overly permissive modes (e.g., 0777, 0666) can expose files or directories to unauthorized access or modification. The rule flags instances where the mode may pose a security risk, particularly when:

  • Write permissions are granted to others (group or world): Modes like 0666 (read/write for everyone) or 0777 (read/write/execute for everyone) are inherently dangerous.
  • Inappropriate permissions for sensitive files: Configuration files, credential files, and other sensitive files should not be globally readable or writable.

Examples

os_chmod_o755_binop_stat.py
import os
import stat


# 0o755 for rwxr-xr-x
os.chmod(
    "example.txt",
    stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP |
    stat.S_IROTH | stat.S_IXOTH,
)
Example Output
> precli tests/unit/rules/python/stdlib/os/examples/os_chmod_o755_binop_stat.py
⚠️  Warning on line 8 in tests/unit/rules/python/stdlib/os/examples/os_chmod_o755_binop_stat.py
PY036: Incorrect Permission Assignment for Critical Resource
Mode '0o755' grants excessive permissions, potentially allowing unauthorized access or modification.

Remediation

  • Restrict file permissions: Use more restrictive permission modes that limit access to only the necessary users.
  • Review file sensitivity: Ensure that sensitive files are protected with the appropriate permissions.
  • Apply the principle of least privilege: Only grant the minimum required permissions for the intended functionality.

Safer Permissions Examples:

  • For general files: 0644 (read/write for owner, read-only for group and others)
  • For sensitive files: 0600 (read/write for owner only)
  • For executable scripts: 0755 (read/write/execute for owner, read/execute for group and others)
os_chmod_o755_binop_stat.py
import os
import stat


# 0o644 for rw-r--r--
os.chmod(
    "example.txt",
    stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH,
)

Default Configuration

enabled = true
level = "warning"
umask = 0o022
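The flagging criteria above (group or world write bits, group/world read on sensitive files) and the `umask` setting from the default configuration can be reproduced in a small standalone checker. This is an added illustration, not precli's own implementation: `assess_mode`, `effective_mode` and `UMASK_APPLYING_CALLS` are hypothetical names, and the assumption that the umask is applied only to creating calls (open, mkdir, mknod, mkfifo) and never to chmod-style calls follows POSIX semantics.

```python
import stat

# Constructed example, not precli's implementation. Calls that create a file
# or directory have the process umask subtracted by the kernel; chmod-style
# calls set the bits exactly as given, so umask must not be applied to them.
UMASK_APPLYING_CALLS = {"open", "mkdir", "mknod", "mkfifo"}


def effective_mode(mode: int, call: str, umask: int = 0o022) -> int:
    """Return the permission bits that actually end up on the file for `call`."""
    mode &= 0o7777
    if call in UMASK_APPLYING_CALLS:
        return mode & ~umask
    return mode  # chmod / fchmod / lchmod: no umask involved


def assess_mode(mode: int, call: str = "chmod", sensitive: bool = False,
                umask: int = 0o022) -> list[str]:
    """Return the findings the rule text describes; an empty list means OK."""
    eff = effective_mode(mode, call, umask)
    findings = []
    if eff & stat.S_IWOTH:
        findings.append(f"{oct(eff)}: world-writable")
    if eff & stat.S_IWGRP:
        findings.append(f"{oct(eff)}: group-writable")
    if sensitive and eff & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{oct(eff)}: sensitive file readable by group/others")
    return findings


if __name__ == "__main__":
    # Constructed sample modes covering the cases discussed on this page.
    samples = [
        (0o777, "chmod", False),  # flagged: everyone can write
        (0o666, "open", False),   # umask 0o022 turns this into 0o644: not flagged
        (0o666, "chmod", False),  # chmod ignores umask: still flagged
        (0o644, "chmod", True),   # fine for general files, too open for credentials
        (0o600, "chmod", True),   # owner-only: the recommended mode for secrets
    ]
    for mode, call, sensitive in samples:
        result = assess_mode(mode, call, sensitive)
        print(f"{call:5} {oct(mode)} sensitive={sensitive!s:5} ->", result or "ok")
```

The 0o666/open case shows why the configured umask matters: the same literal is harmless in a creating call but genuinely world-writable when passed to chmod.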

New in version 0.6.2