CWE-278: Insecure Preserved Inherited Permissions
Learn about CWE-278 (Insecure Preserved Inherited Permissions), its security impact, exploitation methods, and prevention guidelines.
What is Insecure Preserved Inherited Permissions?
• Overview: Insecure Preserved Inherited Permissions (CWE-278) occurs when a software product inherits insecure permissions for an object, such as when copying files from an archive, without user awareness or intervention, potentially exposing the system to unauthorized access.
• Exploitation Methods:
- Attackers can exploit this vulnerability by accessing files or resources with inherited insecure permissions, granting them unauthorized access or privileges.
- Common attack patterns include examining file systems for improperly set permissions, exploiting archive extraction processes, and leveraging inherited permissions to escalate privileges or access sensitive data.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized access to files or system resources, leading to data breaches or privilege escalation.
- Potential cascading effects involve compromise of system integrity, unauthorized data modification, and further exploitation of the system.
- Business impact includes loss of sensitive information, damage to reputation, and potential legal liabilities due to non-compliance with security regulations.
• Prevention Guidelines:
- Specific code-level fixes include ensuring that the permissions of files and objects are explicitly set to secure defaults when extracted or copied.
- Security best practices involve auditing and managing file permissions, avoiding the use of default or inherited permissions without review, and implementing least privilege principles.
- Recommended tools and frameworks include using automated security testing tools to identify insecure permissions, employing secure coding practices, and leveraging security frameworks that enforce strict permission handling.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
import shutil

def copy_file_with_permissions(source, destination):
    # Vulnerable: shutil.copy2 preserves file metadata, including the
    # permission bits (it calls shutil.copystat after copying the data).
    # If the source file has insecure permissions, the destination gets them too.
    # Note that plain shutil.copy is no better here: it calls shutil.copymode,
    # so the permission bits are carried over as well.
    shutil.copy2(source, destination)
    print(f"File copied from {source} to {destination} with original permissions.")

# Example usage
copy_file_with_permissions('example.txt', '/backup/example.txt')
Explanation
In this vulnerable example, shutil.copy2 copies a file from source to destination. The function is convenient because it preserves file metadata (timestamps, flags and permission bits), but that is exactly the problem: if the source file has insecure permissions (for example, it is world-writable or world-readable), the copy in /backup inherits them, and any local user can read or modify the backup. The same applies to shutil.copy, which copies the permission bits via shutil.copymode; only shutil.copyfile (or shutil.copyfileobj) copies the file contents alone.
How to fix Insecure Preserved Inherited Permissions?
To fix this vulnerability, explicitly set secure permissions on the copied file rather than inheriting them from the source. Use shutil.copyfile (not shutil.copy, which also copies the permission bits) so that only the contents are copied, then set the intended permissions with os.chmod. This way the copied file ends up with the permissions you chose regardless of the source file's permissions. One caveat: shutil.copyfile creates the destination with the process's default mode (0o666 masked by the umask), so there is a short window before the chmod in which the file may be more permissive than intended. For sensitive data, prefer creating the destination yourself with os.open and an explicit mode (and O_CREAT | O_EXCL so an existing file is never reused), or run with a restrictive umask.
Fixed Code Example
import shutil
import os
import stat

def copy_file_with_secure_permissions(source, destination):
    # shutil.copyfile copies only the file contents; unlike shutil.copy and
    # shutil.copy2 it does not carry over the source's permission bits.
    shutil.copyfile(source, destination)
    # Explicitly set the permissions: read/write for the owner only (0o600).
    # This is applied after creation, so keep a restrictive umask for
    # sensitive data to avoid a brief window with the default mode.
    os.chmod(destination, stat.S_IRUSR | stat.S_IWUSR)
    print(f"File copied from {source} to {destination} with secure permissions.")

# Example usage
copy_file_with_secure_permissions('example.txt', '/backup/example.txt')
Explanation
In the fixed code example, shutil.copyfile is used instead of shutil.copy2 so that only the file contents are copied and none of the source's permission bits are preserved. After the copy, os.chmod sets the destination's permissions to an explicit, restrictive mode that allows only the owner to read and write (stat.S_IRUSR | stat.S_IWUSR, i.e. 0o600). Whatever permissions the source file had, world-writable or otherwise, are not inherited, which removes the unauthorized-access risk for the copied file.
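The following is an added example, not code from the original page, that demonstrates the point made in the Prevention Guidelines and in the fix above in working form. It shows that both shutil.copy2 and shutil.copy carry a world-writable source mode over to the copy, then creates the destination with os.open and an explicit mode so there is no window in which the file carries inherited or default permissions. It also covers the archive case named in the CWE description by extracting a tar member whose stored mode is 04777 without honouring that mode, and includes a small audit helper that flags risky permission bits. The file names, the tar member and its contents are a constructed fixture, and the code assumes a POSIX platform (os.fchmod).

```python
import io
import os
import shutil
import stat
import tarfile
import tempfile


def _write_new_file(target, src, mode):
    """Create `target` with exactly `mode` and fill it from file object `src`.

    O_CREAT|O_EXCL fails if `target` already exists, so a pre-existing
    (possibly attacker-planted) file and its permission bits are never
    reused, and `mode` is applied at creation time rather than by a later,
    racy chmod. Assumes a POSIX platform (os.fchmod)."""
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as dst:
        shutil.copyfileobj(src, dst)
        # The umask may have masked bits out of `mode`; pin it exactly via the
        # still-open descriptor so no path-based race is introduced.
        os.fchmod(dst.fileno(), mode)
    return stat.S_IMODE(os.stat(target).st_mode)


def copy_with_explicit_mode(source, destination, mode=0o600):
    """Copy the bytes of `source` only; no permission bits come from it."""
    with open(source, "rb") as src:
        return _write_new_file(destination, src, mode)


def extract_member_with_explicit_mode(tar, member, dest_dir, mode=0o600):
    """Extract one regular file from `tar`, ignoring the mode stored in the
    archive (the archive case CWE-278 calls out)."""
    if not member.isreg():
        raise ValueError(f"refusing non-regular member {member.name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member.name))
    if os.path.commonpath([root, target]) != root:  # path traversal guard
        raise ValueError(f"member {member.name!r} escapes {dest_dir!r}")
    return _write_new_file(target, tar.extractfile(member), mode)


def risky_mode_bits(path):
    """Names of the permission bits an audit of `path` should flag."""
    mode = os.stat(path).st_mode
    checks = [
        (stat.S_IWOTH, "world-writable"),
        (stat.S_IWGRP, "group-writable"),
        (stat.S_ISUID, "setuid"),
        (stat.S_ISGID, "setgid"),
    ]
    return [name for bit, name in checks if mode & bit]


def demo():
    """Constructed fixture: a world-writable source file and a tar whose
    member claims mode 04777. Returns the mode each copy method produced."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "example.txt")
        with open(src, "wb") as f:
            f.write(b"secret\n")
        os.chmod(src, 0o666)  # deliberately insecure source

        archive = os.path.join(tmp, "bundle.tar")
        payload = b"key=hunter2\n"  # constructed sample content
        with tarfile.open(archive, "w") as tar:
            info = tarfile.TarInfo("config.txt")
            info.size = len(payload)
            info.mode = 0o4777  # setuid + world-writable, as stored in the archive
            tar.addfile(info, io.BytesIO(payload))

        results = {}
        for name, func in (("copy2", shutil.copy2), ("copy", shutil.copy)):
            dst = os.path.join(tmp, f"{name}.txt")
            func(src, dst)  # both carry the source mode over
            results[name] = stat.S_IMODE(os.stat(dst).st_mode)
            results[f"flags_{name}"] = risky_mode_bits(dst)

        explicit = os.path.join(tmp, "explicit.txt")
        results["explicit"] = copy_with_explicit_mode(src, explicit)
        results["flags_explicit"] = risky_mode_bits(explicit)

        with tarfile.open(archive) as tar:
            member = tar.getmember("config.txt")
            results["member_mode"] = member.mode
            results["extracted"] = extract_member_with_explicit_mode(tar, member, tmp)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The design choice worth noting is that the secure path never calls a path-based chmod after the fact: the mode is passed to os.open at creation and confirmed with fchmod on the open descriptor, and O_EXCL guarantees the file being written is the one that was just created. For archives, reading members with extractfile and writing them yourself sidesteps whatever extraction filter a given Python version applies, which is useful when the target may run on interpreters both before and after the tarfile filter changes.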