← back to index

S2612 — File permissions should not be set to world-accessible values

Language: C#  |  Type: VULNERABILITY  |  Severity: Major

Tags: cwe, former-hotspot

Why is this an issue?

In Windows, "Everyone" group is similar and includes all members of the Authenticated Users group as well as the built-in Guest account, and several other built-in security accounts.

Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive information, disrupt services or elevate privileges.

What is the potential impact?

Unauthorized access to sensitive information

When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models), attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords, personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive disadvantage.

Service disruption and data corruption

Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete important resources, leading to service outages, system instability, data loss, and denial of service.

Privilege escalation

When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.

How to fix it in .NET Framework

Instead of granting access to "Everyone", explicitly deny access to this group or grant permissions only to specific users or groups that require access. Use AccessControlType.Deny to prevent the "Everyone" group from accessing the file.

Code examples

Noncompliant code example

var accessRule = new FileSystemAccessRule(
    "Everyone",
    FileSystemRights.FullControl,
    AccessControlType.Allow);

var fileSecurity = File.GetAccessControl("path");
fileSecurity.AddAccessRule(accessRule); // Noncompliant
File.SetAccessControl("fileName", fileSecurity);

Compliant solution

var accessRule = new FileSystemAccessRule(
    "Everyone",
    FileSystemRights.FullControl,
    AccessControlType.Deny);

var fileSecurity = File.GetAccessControl("path");
fileSecurity.AddAccessRule(accessRule);
File.SetAccessControl("path", fileSecurity);

How to fix it in .NET

Use AccessControlType.Deny instead of AccessControlType.Allow when setting access rules for the "Everyone" group. This prevents the broad group from having write or full control access to files.

Code examples

Noncompliant code example

var accessRule = new FileSystemAccessRule("Everyone", FileSystemRights.Write, AccessControlType.Allow);
var fileInfo = new FileInfo("path");
var fileSecurity = fileInfo.GetAccessControl();

fileSecurity.SetAccessRule(accessRule); // Noncompliant
fileInfo.SetAccessControl(fileSecurity);

Compliant solution

var accessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny);
var fileInfo = new FileInfo("path");
var fileSecurity = fileInfo.GetAccessControl();

fileSecurity.SetAccessRule(accessRule);
fileInfo.SetAccessControl(fileSecurity);

How to fix it in Mono

Avoid setting permissions that grant read, write, or execute access to "others" (all users). Instead, restrict permissions to the file owner or specific groups. Use FileAccessPermissions.UserExecute or other restrictive permission flags that limit access to the owner only.

Code examples

Noncompliant code example

var fsEntry = UnixFileSystemInfo.GetFileSystemEntry("path");
fsEntry.FileAccessPermissions = FileAccessPermissions.OtherReadWriteExecute; // Noncompliant

Compliant solution

var fsEntry = UnixFileSystemInfo.GetFileSystemEntry("path");
fsEntry.FileAccessPermissions = FileAccessPermissions.UserExecute;

Resources

Documentation

Standards