Why is this an issue?

In Unix file system permissions, the "others" category refers to all users except the owner of the file system resource and the members of the group assigned to this resource.

Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive information, disrupt services or elevate privileges.

How to fix it in Core PHP

The most restrictive possible permissions should be assigned to files and directories.

Code Examples

Noncompliant Code Example

chmod("foo", 0777); // Noncompliant

umask(0); // Noncompliant
umask(0750); // Noncompliant

Compliant Solution

chmod("foo", 0750); // Compliant

umask(0027); // Compliant

How to fix it in Laravel

The most restrictive possible permissions should be assigned to files and directories.

Code Examples

Noncompliant Code Example

use Illuminate\Filesystem\Filesystem;

$fs = new Filesystem();
$fs->chmod("foo", 0777); // Noncompliant

Compliant Solution

use Illuminate\Filesystem\Filesystem;

$fs = new Filesystem();
$fs->chmod("foo", 0750); // Compliant

How to fix it in Symfony

The most restrictive possible permissions should be assigned to files and directories.

Code Examples

Noncompliant Code Example

use Symfony\Component\Filesystem\Filesystem;

$fs = new Filesystem();
$fs->chmod("foo", 0777); // Noncompliant

Compliant Solution

use Symfony\Component\Filesystem\Filesystem;

$fs = new Filesystem();
$fs->chmod("foo", 0750); // Compliant

Resources

• OWASP - Top 10 2021 Category A1 - Broken Access Control
• OWASP - Top 10 2021 Category A4 - Insecure Design
• OWASP - Top 10 2017 Category A5 - Broken Access Control
• OWASP File Permission
• CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource
• CWE - CWE-266 - Incorrect Privilege Assignment
• STIG Viewer - Application Security and Development: V-222430 - The application must execute without excessive account permissions.
• Symfony Filesystem
• Laravel Filesystem