general_bad_file_permissions permits most dangerous flag

[tonybaloney]

The logic in general_bad_file_permissions seems to ignore stat.S_IXOTH (execute by others), which is the most dangerous of all the POSIX file flags.

It raises a high severity issue for S_IWOTH (write by others) and it raises a medium severity issue for S_IXGRP (execute by group).

The following test raises no issues:

import os
import stat

os.chmod('/path/to/binary/i/just/uploaded', stat.S_IXOTH)

The guide referenced in the file documents why it is bad to have this flag:
https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html#testing-guide

[lukehinds]

OK, I think there is a fair inclusion. Pycharm also marks the same for S_IXOTH?

https://pycharm-security.readthedocs.io/en/latest/checks/OS100.html

What do you think of adding stat.S_IWGRP group users can write as well @tonybaloney ?

[tonybaloney]

Yes, I think stat.S_IWGRP should be included as well.

I can update #570 to have:

• S_IXGRP or S_IWGRP = medium
• S_IXOTH or S_IWOTH = high

[lukehinds]

sounds good, thanks @tonybaloney