Incorrect Execution-Assigned Permissions
Weakness ID: 279 (Weakness Variant)Status: Draft
+ Description

Description Summary

While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
+ Time of Introduction
  • Architecture and Design
  • Operation
+ Applicable Platforms

Languages

All

+ Observed Examples
ReferenceDescription
CVE-2002-0265Log files opened read/write.
CVE-2003-0876Log files opened read/write.
CVE-2002-1694Log files opened read/write.
+ Potential Mitigations

Very carefully manage the setting, management and handling of permissions. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory275Permission Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class732Incorrect Permission Assignment for Critical Resource
Research Concepts (primary)1000
ChildOfCategoryCategory743CERT C Secure Coding Section 09 - Input Output (FIO)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInsecure execution-assigned permissions
CERT C Secure CodingFIO06-CCreate files with appropriate access permissions
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
19Embedding Scripts within Scripts
81Web Logs Tampering
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2008-11-24CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Description, Name
Previous Entry Names
Change DatePrevious Entry Name
2009-05-27Insecure Execution-assigned Permissions
Back to top