# Incorrect Permission Assignment for Critical Resource (CWE-732)

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (2 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When a resource is given permissions that are more open than necessary, unintended actors can access or modify that resource. This is especially critical for configuration files, executables, and data files: an attacker who can write to them can change what the program does, not just what it knows.

In Kubernetes the two resources this page covers are the service account token (a bearer credential for the Kubernetes API that is mounted into every container of the pod by default, whether or not the workload talks to the API) and the container's root filesystem (writable by default, so a compromised process can overwrite binaries and configuration inside the container).

## Prevention

### Kubernetes

- Disable automatic service account token mounting when API access is not needed.
- Enable a read-only root filesystem and use emptyDir volumes for the paths the process genuinely needs to write (caches, PID files, temporary directories).

## Warning Signs

- [MEDIUM] Containers that allow writes to the root filesystem (no `securityContext.readOnlyRootFilesystem: true`).
- [LOW] Pods with service account token auto-mounting enabled (`automountServiceAccountToken` absent or `true`).

## Consequences

- Read application data
- Modify application data
- Execute unauthorized code

## Mitigations

- Follow the principle of least privilege
- Carefully manage permissions on all critical resources
- Use appropriate file modes and ACLs

## Detection

- Total rules: 2
- Languages: yaml

## Rules by Language

### Yaml (2 rules)

- **Service Account Token Auto-Mounted** [LOW]: Detects pods with service account token auto-mounting enabled.
  - Remediation: Disable auto-mounting if not needed. The field can be set on the Pod spec (shown here) or on the ServiceAccount object; the Pod-level setting takes precedence.

```yaml
spec:
  automountServiceAccountToken: false
```

  Learn more: https://shoulder.dev/learn/kubernetes/cwe-732/automount-service-account

- **Writable Root Filesystem** [MEDIUM]: Detects containers that allow writes to the root filesystem.
  - Remediation: Enable a read-only root filesystem on each container. Mounted volumes (for example emptyDir) remain writable, so redirect any required write paths to them.

```yaml
securityContext:
  readOnlyRootFilesystem: true
```

  Learn more: https://shoulder.dev/learn/kubernetes/cwe-732/writable-root-filesystem
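The following is an added example, not code from the original page or from the shoulder.dev rule set. It puts the two Prevention steps above into one complete Pod manifest (a constructed weak pod beside its hardened form, written as Python dicts that mirror the YAML so the script runs with the standard library alone, without PyYAML) and implements the two detection rules as a small checker that runs over both. The function names (`check_pod`, `_pod_spec`), the pod names and the nginx write paths chosen for the emptyDir mounts are this example's own assumptions.

```python
"""Added example: check a Kubernetes manifest for the two CWE-732 warning
signs on this page (token auto-mount, writable root filesystem).

Manifests are Python dicts mirroring the YAML you would get from
yaml.safe_load(); names and sample values are constructed for the example.
"""

# Constructed sample: a Pod with both weak settings, i.e. the defaults.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        # automountServiceAccountToken omitted -> Kubernetes defaults to true
        "containers": [
            {
                "name": "web",
                "image": "nginx:1.25",
                # no securityContext -> root filesystem is writable
            }
        ],
    },
}

# Constructed sample: the same Pod with both fixes applied. Paths nginx needs
# to write (cache, PID file) are redirected to emptyDir volumes, which stay
# writable even though the image's root filesystem is read-only.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "volumes": [
            {"name": "cache", "emptyDir": {}},
            {"name": "run", "emptyDir": {}},
        ],
        "containers": [
            {
                "name": "web",
                "image": "nginx:1.25",
                "securityContext": {"readOnlyRootFilesystem": True},
                "volumeMounts": [
                    {"name": "cache", "mountPath": "/var/cache/nginx"},
                    {"name": "run", "mountPath": "/var/run"},
                ],
            }
        ],
    },
}


def _pod_spec(manifest):
    """Return the PodSpec of a Pod, or of the pod template embedded in a
    Deployment/StatefulSet/DaemonSet/Job/CronJob manifest."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def check_pod(manifest):
    """Return (severity, rule, message) findings for the two rules above.
    An empty list means the manifest passes both checks."""
    findings = []
    spec = _pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    # Rule 1 (LOW): the field defaults to true when absent, so only an
    # explicit false at the pod level counts as a pass. The ServiceAccount
    # object can also disable mounting, but it is not visible from the Pod
    # manifest alone, so this check is conservative on purpose.
    if spec.get("automountServiceAccountToken", True) is not False:
        findings.append(("LOW", "Service Account Token Auto-Mounted",
                         f"{name}: set spec.automountServiceAccountToken: false"))

    # Rule 2 (MEDIUM): checked per container; init containers are included
    # because they get the same writable-by-default root filesystem.
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append(("MEDIUM", "Writable Root Filesystem",
                                 f"{name}/{c.get('name')}: set "
                                 "securityContext.readOnlyRootFilesystem: true"))
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "OK")
```

Running the script reports two findings for `web-weak` and `OK` for `web-hardened`. Before enabling `readOnlyRootFilesystem` on a real workload, find the paths the process writes (for nginx the cache directory and the PID file; other images differ) and back each with an emptyDir mount, otherwise the container will fail at start-up rather than be hardened.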