# Incorrect Permission Assignment for Critical Resource (CWE-732)

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

- Prevalence: High. Frequently exploited.
- Impact: Medium. Review recommended.
- Prevention: Documented. 2 remediation examples.

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When a resource is given permissions that are more open than necessary, unintended actors can access or modify that resource. This is especially critical for configuration files, executables, and data files.

## Prevention

### Kubernetes

- Disable automatic service account token mounting when API access is not needed. A mounted token is a credential that any process in the pod can read and present to the API server.
- Enable a read-only root filesystem and use emptyDir volumes for the paths the process must write to. A read-only root stops a compromised process from modifying the executables and configuration shipped in the image.

## Warning Signs

- [MEDIUM] Container allows writes to the root filesystem.
- [LOW] Service account token is automatically mounted into the pod.

## Consequences

- Read application data
- Modify application data
- Execute unauthorized code

## Mitigations

- Follow the principle of least privilege.
- Manage the permissions of all critical resources carefully.
- Use appropriate file modes and ACLs.

## Detection

- Total rules: 2
- Languages: yaml

## Rules by Language

### Yaml (2 rules)

- **Service Account Token Auto-Mounted** [LOW]: Detects pods with service account token auto-mounting enabled. The field defaults to `true` when absent, so an unset field is a finding too.
  - Remediation: Disable auto-mounting if not needed.

    ```yaml
    spec:
      automountServiceAccountToken: false
    ```

    Learn more: https://shoulder.dev/learn/kubernetes/cwe-732/automount-service-account

- **Writable Root Filesystem** [MEDIUM]: Detects containers that allow writes to the root filesystem. The field defaults to `false` (writable) when absent.
  - Remediation: Enable a read-only root filesystem. This is a container-level `securityContext` field; the pod-level `securityContext` has no `readOnlyRootFilesystem` field, so it must be set on every container.

    ```yaml
    securityContext:
      readOnlyRootFilesystem: true
    ```

    Learn more: https://shoulder.dev/learn/kubernetes/cwe-732/writable-root-filesystem
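Both rules are easy to get wrong by hand because the two fields sit at different levels of the spec and both default to the unsafe value when absent. The checker below is an added example, not shoulder.dev's rule engine or code from this page; it applies the two rules above to a constructed weak Pod and a constructed hardened Deployment. The manifests are embedded as JSON (which Kubernetes accepts interchangeably with YAML) so the example runs with the standard library only, and the image names, volume names and mount paths are made up. It goes slightly beyond the page's rules by also handling workload kinds that carry a pod template (Deployment, StatefulSet, DaemonSet, Job) and by checking initContainers.

```python
"""Check Kubernetes manifests for the two CWE-732 warning signs:
service-account token auto-mounting and a writable container root filesystem.

Added example, not the page's or shoulder.dev's own tooling.
All manifests below are constructed for illustration."""
from __future__ import annotations

import json

# Constructed weak manifest: no automountServiceAccountToken field (defaults
# to true), one container that explicitly allows a writable root filesystem and
# one that simply omits the field (also writable by default).
WEAK_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web-weak"},
  "spec": {
    "containers": [
      {"name": "web", "image": "example.com/web:1.0",
       "securityContext": {"readOnlyRootFilesystem": false}},
      {"name": "sidecar", "image": "example.com/sidecar:1.0"}
    ]
  }
}
""")

# Constructed hardened manifest: token mounting disabled, root filesystem
# read-only, and emptyDir volumes mounted at the paths the process writes to.
# Which paths a given image needs is established by running it, not assumed.
HARDENED_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "web-hardened"},
  "spec": {
    "template": {
      "spec": {
        "automountServiceAccountToken": false,
        "containers": [
          {"name": "web", "image": "example.com/web:1.0",
           "securityContext": {"readOnlyRootFilesystem": true},
           "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"},
                            {"name": "cache", "mountPath": "/var/cache/web"}]}
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}},
                    {"name": "cache", "emptyDir": {}}]
      }
    }
  }
}
""")


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec of a Pod, or the embedded pod template's spec for
    workload kinds that carry one (Deployment, StatefulSet, DaemonSet, Job)."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def check_manifest(manifest: dict) -> list[tuple[str, str, str]]:
    """Return (severity, rule, location) findings; an empty list means clean."""
    findings: list[tuple[str, str, str]] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = pod_spec(manifest)

    # Rule 1 (LOW): the pod-level field defaults to true when absent, so only an
    # explicit false is safe. The ServiceAccount object can also disable mounting,
    # but like the page's rule this check inspects the pod spec only (conservative).
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(("LOW", "Service Account Token Auto-Mounted", f"{name}/spec"))

    # Rule 2 (MEDIUM): readOnlyRootFilesystem exists only in the container-level
    # SecurityContext (PodSecurityContext has no such field), and defaults to a
    # writable root, so every container, init containers included, must set true.
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            ro = container.get("securityContext", {}).get("readOnlyRootFilesystem")
            if ro is not True:
                findings.append(("MEDIUM", "Writable Root Filesystem",
                                 f"{name}/{field}/{container.get('name', '<unnamed>')}"))
    return findings


if __name__ == "__main__":
    for manifest in (WEAK_POD, HARDENED_DEPLOYMENT):
        for severity, rule, where in check_manifest(manifest) or [("OK", "no findings", "")]:
            print(f"[{severity}] {rule} {where}".rstrip())
```

Run as a script it reports one LOW and two MEDIUM findings for the weak Pod and nothing for the hardened Deployment. Note that the hardened manifest would still fail at runtime if the image wrote to a path without an emptyDir mount, which is why the prevention advice pairs the read-only root with writable volumes rather than setting the flag alone.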