Why is this an issue?

In Unix file system permissions, the "others" category refers to all users except the owner of the file system resource and the members of the group assigned to this resource.

Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive information, disrupt services or elevate privileges.

What is the potential impact?

Unauthorized access to sensitive information

When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models), attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords, personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive disadvantage.

Service disruption and data corruption

Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete important resources, leading to service outages, system instability, data loss, and denial of service.

Privilege escalation

When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.

How to fix it

When using the ADD command, avoid granting full permissions (777) to all users. Instead, use restrictive permissions that only grant necessary access to the owner and group. The permission mode 754 grants read, write, and execute to the owner, read and execute to the group, and only read to others.

Code examples

Noncompliant code example

ADD --chmod=777 src dst # Noncompliant

Compliant solution

ADD --chmod=754 src dst

Resources

Documentation

• OWASP File Permission Testing Guide - OWASP guidance on testing file permissions in web applications
• Docker ADD command - Official Docker documentation for the ADD command
• Docker COPY command - Official Docker documentation for the COPY command

Standards

• CWE - CWE-266 - Incorrect Privilege Assignment
• CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource
• STIG Viewer - Application Security and Development: V-222430 - The application must execute without excessive account permissions