Language: C# | Type: VULNERABILITY | Severity: Major
Tags: cwe, former-hotspot
In Windows, "Everyone" group is similar and includes all members of the Authenticated Users group as well as the built-in Guest account, and several other built-in security accounts.
Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive information, disrupt services or elevate privileges.
When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models), attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords, personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive disadvantage.
Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete important resources, leading to service outages, system instability, data loss, and denial of service.
When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.
Instead of granting access to "Everyone", explicitly deny access to this group or grant permissions only to specific users or groups that require
access. Use AccessControlType.Deny to prevent the "Everyone" group from accessing the file.
var accessRule = new FileSystemAccessRule(
"Everyone",
FileSystemRights.FullControl,
AccessControlType.Allow);
var fileSecurity = File.GetAccessControl("path");
fileSecurity.AddAccessRule(accessRule); // Noncompliant
File.SetAccessControl("fileName", fileSecurity);
var accessRule = new FileSystemAccessRule(
"Everyone",
FileSystemRights.FullControl,
AccessControlType.Deny);
var fileSecurity = File.GetAccessControl("path");
fileSecurity.AddAccessRule(accessRule);
File.SetAccessControl("path", fileSecurity);
Use AccessControlType.Deny instead of AccessControlType.Allow when setting access rules for the "Everyone" group. This
prevents the broad group from having write or full control access to files.
var accessRule = new FileSystemAccessRule("Everyone", FileSystemRights.Write, AccessControlType.Allow);
var fileInfo = new FileInfo("path");
var fileSecurity = fileInfo.GetAccessControl();
fileSecurity.SetAccessRule(accessRule); // Noncompliant
fileInfo.SetAccessControl(fileSecurity);
var accessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny);
var fileInfo = new FileInfo("path");
var fileSecurity = fileInfo.GetAccessControl();
fileSecurity.SetAccessRule(accessRule);
fileInfo.SetAccessControl(fileSecurity);
Avoid setting permissions that grant read, write, or execute access to "others" (all users). Instead, restrict permissions to the file owner or
specific groups. Use FileAccessPermissions.UserExecute or other restrictive permission flags that limit access to the owner only.
var fsEntry = UnixFileSystemInfo.GetFileSystemEntry("path");
fsEntry.FileAccessPermissions = FileAccessPermissions.OtherReadWriteExecute; // Noncompliant
var fsEntry = UnixFileSystemInfo.GetFileSystemEntry("path");
fsEntry.FileAccessPermissions = FileAccessPermissions.UserExecute;