[{"data":1,"prerenderedAt":235},["ShallowReactive",2],{"blog-vulnerabilities/insecure-file-permissions":3},{"id":4,"title":5,"body":6,"category":215,"date":216,"dateModified":216,"description":217,"draft":218,"extension":219,"faq":220,"featured":218,"headerVariant":221,"image":220,"keywords":220,"meta":222,"navigation":223,"ogDescription":224,"ogTitle":220,"path":225,"readTime":226,"schemaOrg":227,"schemaType":228,"seo":229,"sitemap":230,"stem":231,"tags":232,"twitterCard":233,"__hash__":234},"blog/blog/vulnerabilities/insecure-file-permissions.md","Insecure File Permissions Explained",{"type":7,"value":8,"toc":206},"minimark",[9,16,21,50,54,130,145,150,159,175,194],[10,11,12],"tldr",{},[13,14,15],"p",{},"Insecure file permissions let unauthorized users read or modify sensitive files. Common issues include world-readable .env files, executable uploads, and group-writable config files. Set restrictive permissions (600 for secrets, 644 for public files) and run processes with minimal privileges.",[17,18,20],"h2",{"id":19},"common-permission-problems","Common Permission Problems",[22,23,24,32,38,44],"ul",{},[25,26,27,31],"li",{},[28,29,30],"strong",{},"World-readable secrets:"," .env, private keys with 644 permissions",[25,33,34,37],{},[28,35,36],{},"Writable config files:"," Config files modifiable by web server user",[25,39,40,43],{},[28,41,42],{},"Executable uploads:"," User-uploaded files with execute permission",[25,45,46,49],{},[28,47,48],{},"Running as root:"," Web server with unnecessary privileges",[17,51,53],{"id":52},"recommended-permissions","Recommended Permissions",[55,56,57,73],"table",{},[58,59,60],"thead",{},[61,62,63,67,70],"tr",{},[64,65,66],"th",{},"File Type",[64,68,69],{},"Permission",[64,71,72],{},"Numeric",[74,75,76,88,99,110,121],"tbody",{},[61,77,78,82,85],{},[79,80,81],"td",{},".env, secrets, keys",[79,83,84],{},"Owner read/write only",[79,86,87],{},"600",[61,89,90,93,96],{},[79,91,92],{},"Config files",[79,94,95],{},"Owner write, all 
read",[79,97,98],{},"644",[61,100,101,104,107],{},[79,102,103],{},"Executable scripts",[79,105,106],{},"Owner all, others read/execute",[79,108,109],{},"755",[61,111,112,115,118],{},[79,113,114],{},"Upload directories",[79,116,117],{},"Owner all, no access for others (execute bit on a directory only allows traversal)",[79,119,120],{},"700",[61,122,123,126,128],{},[79,124,125],{},"User uploads",[79,127,84],{},[79,129,87],{},[131,132,134],"code-block",{"label":133},"Setting proper permissions",[135,136,141],"pre",{"className":137,"code":139,"language":140},[138],"language-text","# Secrets - owner only\nchmod 600 .env\nchmod 600 private-key.pem\n\n# Config files - readable by all\nchmod 644 config.json\n\n# Upload directory - restrict access\nchmod 700 /var/uploads\n\n# When creating files in Node.js\nfs.writeFileSync('secret.txt', data, { mode: 0o600 });\n","text",[142,143,139],"code",{"__ignoreMap":144},"",[146,147,149],"h3",{"id":148},"container-considerations","Container Considerations",[131,151,153],{"label":152},"Dockerfile best practices",[135,154,157],{"className":155,"code":156,"language":140},[138],"# Don't run as root\nFROM node:18-alpine\n\n# Create non-root user\nRUN addgroup -S app && adduser -S app -G app\n\n# Set ownership\nCOPY --chown=app:app . /app\n\n# Switch to non-root user\nUSER app\n",[142,158,156],{"__ignoreMap":144},[160,161,162,169],"faq-section",{},[163,164,166],"faq-item",{"question":165},"Do permissions matter in containers?",[13,167,168],{},"Yes. If the container runs as root or there is a container escape, file permissions are your next line of defense. Keep in mind that root inside the container bypasses ordinary permission checks on files it can reach, so restrictive modes protect most when the process runs as a non-root user. Always follow least privilege.",[163,170,172],{"question":171},"What about cloud storage (S3)?",[13,173,174],{},"Cloud permissions are separate from Unix permissions. 
Ensure S3 buckets are not publicly accessible and use IAM policies to restrict access.",[176,177,178,184,189],"related-articles",{},[179,180],"related-card",{"description":181,"href":182,"title":183},"File access issues","/blog/vulnerabilities/path-traversal","Path Traversal",[179,185],{"description":186,"href":187,"title":188},"Secrets in files","/blog/vulnerabilities/hardcoded-credentials","Hardcoded Credentials",[179,190],{"description":191,"href":192,"title":193},"Configuration issues","/blog/vulnerabilities/security-misconfiguration","Security Misconfiguration",[195,196,199,203],"cta-box",{"href":197,"label":198},"/","Start Free Scan",[17,200,202],{"id":201},"check-your-permissions","Check Your Permissions",[13,204,205],{},"Our scanner audits file permissions in your deployed application.",{"title":144,"searchDepth":207,"depth":207,"links":208},2,[209,210,214],{"id":19,"depth":207,"text":20},{"id":52,"depth":207,"text":53,"children":211},[212],{"id":148,"depth":213,"text":149},3,{"id":201,"depth":207,"text":202},"vulnerabilities","2026-01-19","Improper file permissions can expose sensitive files to unauthorized users. Learn how to set proper permissions for config files, uploads, and secrets.",false,"md",null,"red",{"noindex":223},true,"Learn how file permission issues can expose your data.","/blog/vulnerabilities/insecure-file-permissions","5 min read","[object Object]","TechArticle",{"title":5,"description":217},{"loc":225},"blog/vulnerabilities/insecure-file-permissions",[],"summary_large_image","nDIsY2fFbLn1C5vTPk3dZismHtEB58wQBlvXJWF4_k8",1775843926570]