
    >/i                         S r SSKrSSKrSSKJr  SSKJr  S r\R                  " S5      \R                  " S5      S 5       5       r
g)	aG  
==================================================
B103: Test for setting permissive file permissions
==================================================

POSIX based operating systems utilize a permissions model to protect access to
parts of the file system. This model supports three roles: "owner", "group"
and "world". Each role may have a combination of "read", "write" or "execute"
flags set. Python provides ``chmod`` to manipulate POSIX style permissions.

This plugin test looks for the use of ``chmod`` and will alert when it is used
to set particularly permissive control flags. A MEDIUM warning is generated if
a file is set to group write or executable, and a HIGH warning is reported if a
file is set to world write or executable. Warnings are given with HIGH confidence.

:Example:

.. code-block:: none

    >> Issue: Probable insecure usage of temp file/directory.
       Severity: Medium   Confidence: Medium
       CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html)
       Location: ./examples/os-chmod.py:15
    14  os.chmod('/etc/hosts', 0o777)
    15  os.chmod('/tmp/oh_hai', 0x1ff)
    16  os.chmod('/etc/passwd', stat.S_IRWXU)

    >> Issue: Chmod setting a permissive mask 0777 on file (key_file).
       Severity: High   Confidence: High
       CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html)
       Location: ./examples/os-chmod.py:17
    16  os.chmod('/etc/passwd', stat.S_IRWXU)
    17  os.chmod(key_file, 0o777)
    18

.. seealso::

 - https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html
 - https://en.wikipedia.org/wiki/File_system_permissions
 - https://security.openstack.org
 - https://cwe.mitre.org/data/definitions/732.html

.. versionadded:: 0.9.0

.. versionchanged:: 1.7.3
    CWE information added

.. versionchanged:: 1.7.5
    Added checks for S_IWGRP and S_IXOTH

    N)issue)test_propertiesc                     U [         R                  -  =(       dG    U [         R                  -  =(       d-    U [         R                  -  =(       d    U [         R                  -  $ )N)statS_IWOTHS_IWGRPS_IXGRPS_IXOTH)modes    e/home/james-whalen/.local/lib/python3.13/site-packages/bandit/plugins/general_bad_file_permissions.py_stat_is_dangerousr   ?   sH    t|| 	$,,	$,,	 $,,	    CallB103c           
         SU R                   ;   a  U R                  S:X  a  U R                  S5      nUb  [        U[        5      (       a  [        U5      (       a  U[        R                  -  (       a  [        R                  nO[        R                  nU R                  S5      nUc  Sn[        R                  " U[        R                  [        R                  R                  S[        U5      < SU< S3S	9$ g g g g g )
Nchmod      r   z
NOT PARSEDz Chmod setting a permissive mask z
 on file (z).)severity
confidencecwetext)call_function_namecall_args_countget_call_arg_at_position
isinstanceintr   r   r   banditHIGHMEDIUMIssuer   CweINCORRECT_PERMISSION_ASSIGNMENToct)contextr   	sev_levelfilenames       r   set_bad_file_permissionsr(   H   s     ',,,""a'33A6D  tS))&t,, $,,& &I &I";;A>#+H||&%{{		AA4y(,	  - * !	 ( -r   )__doc__r   r   bandit.corer   r   testr   checkstest_idr(    r   r   <module>r/      sL   
2f    / Vf  r   