Improper Ownership Management
Weakness ID: 282 (Weakness Class)Status: Draft
+ Description

Description Summary

The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Observed Examples
ReferenceDescription
CVE-1999-1125Program runs setuid root but relies on a configuration file owned by a non-root user.
+ Potential Mitigations

Very carefully manage the setting, management and handling of privileges and permissions. Explicitly manage trust zones in the software.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory264Permissions, Privileges, and Access Controls
Development Concepts (primary)699
ChildOfCategoryCategory632Weaknesses that Affect Files or Directories
Resource-specific Weaknesses (primary)631
ChildOfWeakness ClassWeakness Class664Improper Control of a Resource Through its Lifetime
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base283Unverified Ownership
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base708Incorrect Ownership Assignment
Development Concepts (primary)699
Research Concepts (primary)1000
+ Affected Resources
  • File/Directory
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVEROwnership errors
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
17Accessing, Modifying or Executing Executable Files
35Leverage Executable Code in Nonexecutable Files
+ Maintenance Notes

The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-396).

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Maintenance Notes, Relationships, Taxonomy Mappings
2009-12-28CWE Content TeamMITREInternal
updated Potential Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Ownership Issues