Language: VB.NET | Type: VULNERABILITY | Severity: Major
Tags: cwe, former-hotspot
In Windows, the "Everyone" group plays a similar role to "others" in Unix permission models: it includes all members of the Authenticated Users group as well as the built-in Guest account and several other built-in security accounts.
Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive information, disrupt services or elevate privileges.
When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models), attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords, personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive disadvantage.
Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete important resources, leading to service outages, system instability, data loss, and denial of service.
When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.
Replace AccessControlType.Allow with AccessControlType.Deny when creating file system access rules for the "Everyone" group. This explicitly denies permissions rather than granting them, ensuring that broad user groups cannot access the file.

' Noncompliant: grants full control of the file to every account on the system.
' Needs Imports System.IO and Imports System.Security.AccessControl.
Dim unsafeAccessRule = New FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Allow)
Dim fileSecurity = File.GetAccessControl("path")
fileSecurity.AddAccessRule(unsafeAccessRule) ' Noncompliant
File.SetAccessControl("path", fileSecurity) ' write the ACL back to the same file it was read from

' Compliant: the rule for "Everyone" is a Deny entry.
Dim safeAccessRule = New FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny)
Dim fileSecurity = File.GetAccessControl("path")
fileSecurity.AddAccessRule(safeAccessRule)
File.SetAccessControl("path", fileSecurity)
Use AccessControlType.Deny instead of AccessControlType.Allow when setting access rules for the "Everyone" group. This prevents the broad group from having write or full control access to files.

' Noncompliant: lets every account on the system write to the file.
Dim accessRule = New FileSystemAccessRule("Everyone", FileSystemRights.Write, AccessControlType.Allow)
Dim fileInfo = New FileInfo("path")
Dim fileSecurity = fileInfo.GetAccessControl()
fileSecurity.SetAccessRule(accessRule) ' Noncompliant
fileInfo.SetAccessControl(fileSecurity)

' Compliant: the rule for "Everyone" is a Deny entry.
Dim accessRule = New FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny)
Dim fileInfo = New FileInfo("path")
Dim fileSecurity = fileInfo.GetAccessControl()
fileSecurity.SetAccessRule(accessRule)
fileInfo.SetAccessControl(fileSecurity)
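
An audit check to go with the Windows access rules above (an added example, not part of the original rule description): it lists Allow entries that give "Everyone" or Authenticated Users write-type rights, matching by well-known SID rather than by group name. The module and function names, the `RiskyRights` selection and the in-memory sample ACL are assumptions of this example.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.AccessControl
Imports System.Security.Principal

Module BroadAclAudit
    ' Rights that let a principal alter the file or its ACL (this selection is an assumption).
    Private Const RiskyRights As FileSystemRights =
        FileSystemRights.Write Or FileSystemRights.Delete Or
        FileSystemRights.ChangePermissions Or FileSystemRights.TakeOwnership

    ' Broad principals, identified by well-known SID so the check does not
    ' depend on the localized display name of the group.
    Private ReadOnly BroadSids As SecurityIdentifier() = {
        New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing),
        New SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, Nothing)
    }

    ' Returns every explicit or inherited Allow rule that grants a risky right to a broad principal.
    Function FindBroadAllowRules(security As FileSecurity) As List(Of FileSystemAccessRule)
        Dim findings As New List(Of FileSystemAccessRule)
        Dim rules = security.GetAccessRules(True, True, GetType(SecurityIdentifier))
        For Each rule As FileSystemAccessRule In rules
            Dim sid = TryCast(rule.IdentityReference, SecurityIdentifier)
            If rule.AccessControlType = AccessControlType.Allow AndAlso
               Array.IndexOf(BroadSids, sid) >= 0 AndAlso
               (rule.FileSystemRights And RiskyRights) <> 0 Then
                findings.Add(rule)
            End If
        Next
        Return findings
    End Function

    Sub Main()
        ' Constructed sample ACL, built in memory so no real file is touched:
        ' a broad full-control grant, a broad read-only grant and a grant to one specific account.
        Dim localSystem = New SecurityIdentifier(WellKnownSidType.LocalSystemSid, Nothing)
        Dim acl As New FileSecurity()
        acl.AddAccessRule(New FileSystemAccessRule(BroadSids(0), FileSystemRights.FullControl, AccessControlType.Allow))
        acl.AddAccessRule(New FileSystemAccessRule(BroadSids(1), FileSystemRights.Read, AccessControlType.Allow))
        acl.AddAccessRule(New FileSystemAccessRule(localSystem, FileSystemRights.FullControl, AccessControlType.Allow))
        For Each finding In FindBroadAllowRules(acl)
            Console.WriteLine($"{finding.IdentityReference}: {finding.FileSystemRights}")
        Next
    End Sub
End Module
```

To audit a real file, pass the result of `New FileInfo(path).GetAccessControl()` to `FindBroadAllowRules`. When acting on a finding, keep in mind that explicit Deny entries are evaluated before Allow entries, so a Deny rule for "Everyone" also applies to the accounts that legitimately need the file.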
Avoid setting permissions that grant read, write, or execute access to "others" (all users). Instead, restrict permissions to the file owner or specific groups. Use FileAccessPermissions.UserExecute or other restrictive permission flags that limit access to the owner only.

' Noncompliant: gives read, write and execute access to "others".
Dim fsEntry = UnixFileSystemInfo.GetFileSystemEntry("path")
fsEntry.FileAccessPermissions = FileAccessPermissions.OtherReadWriteExecute ' Noncompliant

' Compliant: only the file owner is granted a permission.
Dim fsEntry = UnixFileSystemInfo.GetFileSystemEntry("path")
fsEntry.FileAccessPermissions = FileAccessPermissions.UserExecute