← back to index

S2612 — File permissions should not be set to world-accessible values

Language: VB.NET  |  Type: VULNERABILITY  |  Severity: Major

Tags: cwe, former-hotspot

Why is this an issue?

In Windows, "Everyone" group is similar and includes all members of the Authenticated Users group as well as the built-in Guest account, and several other built-in security accounts.

Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive information, disrupt services or elevate privileges.

What is the potential impact?

Unauthorized access to sensitive information

When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models), attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords, personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive disadvantage.

Service disruption and data corruption

Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete important resources, leading to service outages, system instability, data loss, and denial of service.

Privilege escalation

When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.

How to fix it in .NET Framework

Replace the AccessControlType.Allow with AccessControlType.Deny when creating file system access rules for the "Everyone" group. This explicitly denies permissions rather than granting them, ensuring that broad user groups cannot access the file.

Code examples

Noncompliant code example

Dim unsafeAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Allow)

Dim fileSecurity = File.GetAccessControl("path")
fileSecurity.AddAccessRule(unsafeAccessRule) ' Noncompliant
File.SetAccessControl("fileName", fileSecurity)

Compliant solution

Dim safeAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny)

Dim fileSecurity = File.GetAccessControl("path")
fileSecurity.AddAccessRule(safeAccessRule)
File.SetAccessControl("path", fileSecurity)

How to fix it in .NET

Use AccessControlType.Deny instead of AccessControlType.Allow when setting access rules for the "Everyone" group. This prevents the broad group from having write or full control access to files.

Code examples

Noncompliant code example

Dim accessRule   = new FileSystemAccessRule("Everyone", FileSystemRights.Write, AccessControlType.Allow)
Dim fileInfo     = new FileInfo("path")
Dim fileSecurity = fileInfo.GetAccessControl()

fileSecurity.SetAccessRule(accessRule) ' Noncompliant
fileInfo.SetAccessControl(fileSecurity)

Compliant solution

Dim accessRule   = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny)
Dim fileInfo     = new FileInfo("path")
Dim fileSecurity = fileInfo.GetAccessControl()

fileSecurity.SetAccessRule(accessRule)
fileInfo.SetAccessControl(fileSecurity)

How to fix it in Mono

Avoid setting permissions that grant read, write, or execute access to "others" (all users). Instead, restrict permissions to the file owner or specific groups. Use FileAccessPermissions.UserExecute or other restrictive permission flags that limit access to the owner only.

Code examples

Noncompliant code example

Dim fsEntry = UnixFileSystemInfo.GetFileSystemEntry("path")
fsEntry.FileAccessPermissions = FileAccessPermissions.OtherReadWriteExecute ' Noncompliant

Compliant solution

Dim fsEntry = UnixFileSystemInfo.GetFileSystemEntry("path")
fsEntry.FileAccessPermissions = FileAccessPermissions.UserExecute

Resources

Documentation

Standards