TL;DR
Insecure file permissions let unauthorized users read or modify sensitive files. Common issues include world-readable .env files, executable uploads, and group-writable config files. Set restrictive permissions (600 for secrets, 644 for public files) and run processes with minimal privileges.
Common Permission Problems
- World-readable secrets: .env, private keys with 644 permissions
- Writable config files: Config files modifiable by web server user
- Executable uploads: User-uploaded files with execute permission
- Running as root: Web server with unnecessary privileges
Recommended Permissions
| File Type | Permission | Numeric |
|---|---|---|
| .env, secrets, keys | Owner read/write only | 600 |
| Config files | Owner write, all read | 644 |
| Executable scripts | Owner all, others read/execute | 755 |
| Upload directories | Owner all, no execute | 700 |
| User uploads | Owner read/write only | 600 |
Setting proper permissions
# Secrets - owner only
chmod 600 .env
chmod 600 private-key.pem
# Config files - readable by all
chmod 644 config.json
# Upload directory - restrict access
chmod 700 /var/uploads
# When creating files in Node.js
fs.writeFileSync('secret.txt', data, { mode: 0o600 });
Container Considerations
Dockerfile best practices
# Don't run as root
FROM node:18-alpine
# Create non-root user
RUN addgroup -S app && adduser -S app -G app
# Set ownership
COPY --chown=app:app . /app
# Switch to non-root user
USER app
Do permissions matter in containers?
Yes. If the container runs as root or there is a container escape, file permissions are your next line of defense. Always follow least privilege.
What about cloud storage (S3)?
Cloud permissions are separate from Unix permissions. Ensure S3 buckets are not publicly accessible and use IAM policies to restrict access.
Check Your Permissions
Our scanner audits file permissions in your deployed application.
Start Free Scan