Executable Files Excessive Privileges For Others
Description
Detects when files or directories are configured with excessive permissions that grant write access to "others" (world-writable) in Docker files. This creates security risks by allowing any user to modify sensitive files, potentially leading to privilege escalation or system compromise.
Detection Strategy
• Scans Docker files for COPY commands that use --chmod=XXX parameter where the last digit is 3 or 7
• Identifies chmod commands that set numeric permissions ending in 3 or 7
• Flags file permission configurations that grant write access to 'others' group
• Ignores commented lines that start with #
• Validates both direct numeric permissions (e.g. 777) and symbolic notations (e.g. +x, u+s)
Vulnerable code example
# shellcheck shell=bash
USER_DIR="/scr/${USER}"
# Vulnerable: Creates directory with overly permissive permissions
mkdir ${USER_DIR}
chmod 757 ${USER_DIR} # Insecure: Allows write access to others
...✅ Secure code example
# shellcheck shell=bash
# Use more restrictive permissions (owner read/write/execute, group read/execute)
USER_DIR="/scr/${USER}"
# Create directory with secure default permissions and quote variables
mkdir -p "${USER_DIR}" # -p ensures parent directories exist
chmod 750 "${USER_DIR}" # Only owner can write, group can read/execute...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.