The logic in `general_bad_file_permissions` seems to ignore `stat.S_IXOTH` (execute by others), which is the most dangerous of all the POSIX file flags.
It raises a high severity issue for `S_IWOTH` (write by others) and it raises a medium severity issue for `S_IXGRP` (execute by group).
The following test raises no issues:
```python
import os
import stat

os.chmod('/path/to/binary/i/just/uploaded', stat.S_IXOTH)
```
The guide referenced in the file documents why it is bad to have this flag: https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html#testing-guide
OK, I think there is a fair inclusion. PyCharm also marks the same for `S_IXOTH`?
https://pycharm-security.readthedocs.io/en/latest/checks/OS100.html
What do you think of adding `stat.S_IWGRP` (group users can write) as well, @tonybaloney?
Yes, I think stat.S_IWGRP should be included as well.
I can update #570 to have:
sounds good, thanks @tonybaloney
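A stand-alone sketch of the kind of check discussed in this thread, added here as an example (it is not the project's plugin code and not written by any participant): it statically resolves the mode passed to `chmod` and reports which of the four flags named above are set. The names `RISKY`, `eval_mode`, `find_risky_chmods` and the sample paths other than the one from the issue are assumptions made for the example.

```python
import ast
import stat

# Flags named in the thread: the two the issue says are already reported
# (S_IWOTH, S_IXGRP) and the two proposed for inclusion (S_IXOTH, S_IWGRP).
RISKY = ("S_IWOTH", "S_IXOTH", "S_IWGRP", "S_IXGRP")

def eval_mode(node):
    """Resolve a chmod mode expression to an int, or None if it is not static."""
    if isinstance(node, ast.Constant):
        v = node.value
        return v if isinstance(v, int) and not isinstance(v, bool) else None
    if isinstance(node, (ast.Attribute, ast.Name)):
        # Handles both `stat.S_IXOTH` and a bare `S_IXOTH` (from stat import ...).
        name = node.attr if isinstance(node, ast.Attribute) else node.id
        v = getattr(stat, name, None) if name.startswith("S_I") else None
        return v if isinstance(v, int) else None
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitOr):
        left, right = eval_mode(node.left), eval_mode(node.right)
        return None if left is None or right is None else left | right
    return None

def find_risky_chmods(source):
    """Return (lineno, octal mode, flags set) for each chmod call with a risky mode."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and len(node.args) >= 2):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        mode = eval_mode(node.args[1]) if name == "chmod" else None
        if mode is None:
            continue  # not a chmod call, or the mode is computed at run time
        flags = [f for f in RISKY if mode & getattr(stat, f)]
        if flags:
            findings.append((node.lineno, oct(mode), flags))
    return sorted(findings)

# Constructed sample: line 3 is the test case from the issue, the rest is made up.
SAMPLE = """import os
import stat
os.chmod('/path/to/binary/i/just/uploaded', stat.S_IXOTH)
os.chmod('report.txt', stat.S_IRUSR | stat.S_IWUSR)
os.chmod('shared.sh', 0o775)
"""

if __name__ == "__main__":
    for lineno, mode, flags in find_risky_chmods(SAMPLE):
        print(f"line {lineno}: mode {mode} sets {', '.join(flags)}")
```

Modes that cannot be resolved statically (variables, function results) are skipped rather than guessed, so a clean result is not proof that every `chmod` call is restrictive.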