# Incorrect Permission Assignment for Critical Resource (CWE-732)

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

- Prevalence: High, frequently exploited
- Impact: Moderate, review recommended
- Prevention: Documented, 2 fix examples

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When a resource is given permissions that are more open than necessary, unintended actors can access or modify that resource. This is especially critical for configuration files, executables, and data files.

In Kubernetes, the two resources this page covers are the container's root filesystem, which is writable by default (so a compromised process can drop binaries or tamper with the files shipped in the image), and the pod's service account token, which is mounted by default under `/var/run/secrets/kubernetes.io/serviceaccount/` and gives every process in the pod a credential for the API server.

## Prevention

### Kubernetes

- Disable automatic service account token mounting when the workload does not need API access: set `automountServiceAccountToken: false` on the pod spec (it can also be set on the ServiceAccount object; the pod-level setting takes precedence when both are present).
- Enable a read-only root filesystem with `readOnlyRootFilesystem: true` in each container's `securityContext`, and mount `emptyDir` volumes for the paths the process must write to (for example `/tmp` or a cache directory). Without those volumes, a process that writes to the root filesystem will fail at runtime instead of at deploy time, so test the workload after enabling the setting.

## Warning Signs

- [MEDIUM] Container allows writes to the root filesystem.
- [LOW] Service account token is automatically mounted into the pod.

## Consequences

- Read application data
- Modify application data
- Execute unauthorized code

## Mitigations

- Follow the principle of least privilege
- Manage the permissions of every critical resource carefully
- Use appropriate file modes and ACLs

## Detection

- Total rules: 2
- Languages: yaml

## Rules by Language

### Yaml (2 rules)

- **Service Account Token Auto-Mounted** [LOW]: Detects pods with service account token auto-mounting enabled. The token is mounted unless the field is explicitly set to `false`, so an absent field counts as a finding.
  - Remediation: Disable auto-mounting if not needed.

```yaml
spec:
  automountServiceAccountToken: false
```

  Learn more: https://shoulder.dev/learn/kubernetes/cwe-732/automount-service-account

- **Writable Root Filesystem** [MEDIUM]: Detects containers that allow writes to the root filesystem. `readOnlyRootFilesystem` defaults to `false` and is a per-container setting, so init containers need it too.
  - Remediation: Enable read-only root filesystem.

```yaml
securityContext:
  readOnlyRootFilesystem: true
```

  Learn more: https://shoulder.dev/learn/kubernetes/cwe-732/writable-root-filesystem
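To show how the two rules above behave on real manifests, here is an added Python example; it is not the shoulder.dev rule engine and not part of the original page. It checks a bare Pod or a workload's embedded pod template (Deployment, StatefulSet, Job and similar all carry `spec.template.spec`) for both warning signs, treating an absent `automountServiceAccountToken` as mounted and an absent `readOnlyRootFilesystem` as writable, and it walks `initContainers` as well as `containers`. The three manifests are constructed for the example and embedded as Python dicts (the shape `yaml.safe_load` returns) so the script runs without PyYAML; the function names and the `WEAK`/`PARTIAL`/`HARDENED` labels are the example's own.

```python
"""Offline checker for the two CWE-732 Kubernetes rules on this page.

Added example, not the shoulder.dev rule engine. Manifests are embedded as
dicts (what yaml.safe_load would produce) so there is no PyYAML dependency.
"""

SEVERITY_AUTOMOUNT = "LOW"
SEVERITY_WRITABLE_ROOT = "MEDIUM"


def pod_spec_of(manifest):
    """Return the PodSpec of a Pod, or of a workload that embeds a pod template."""
    spec = manifest.get("spec", {}) or {}
    if manifest.get("kind") == "Pod":
        return spec
    # Deployment, StatefulSet, DaemonSet, Job, ... keep the PodSpec here.
    return (spec.get("template", {}) or {}).get("spec", {}) or {}


def check_manifest(manifest):
    """Return a list of (severity, rule, location) findings for one manifest."""
    findings = []
    name = (manifest.get("metadata", {}) or {}).get("name", "<unnamed>")
    pod = pod_spec_of(manifest)

    # Rule 1: the token is mounted unless the pod spec explicitly says False.
    # The ServiceAccount object can also disable it, but it is not visible
    # from the pod manifest; the pod-level field wins when both are set.
    if pod.get("automountServiceAccountToken", True) is not False:
        findings.append((SEVERITY_AUTOMOUNT, "Service Account Token Auto-Mounted", name))

    # Rule 2: readOnlyRootFilesystem is per container and defaults to False,
    # so init containers are checked with the same rule.
    for field in ("initContainers", "containers"):
        for c in pod.get(field, []) or []:
            sc = c.get("securityContext", {}) or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                location = f"{name}/{c.get('name', '?')}"
                findings.append((SEVERITY_WRITABLE_ROOT, "Writable Root Filesystem", location))
    return findings


# Constructed sample manifests (not taken from any real cluster).
WEAK = {  # both fields absent: token mounted, root filesystem writable
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
}

PARTIAL = {  # token disabled, main container hardened, init container missed
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "job-partial"},
    "spec": {
        "automountServiceAccountToken": False,
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [{"name": "main", "image": "busybox:1.36",
                        "securityContext": {"readOnlyRootFilesystem": True}}],
    },
}

HARDENED = {  # Deployment: token off, read-only root, emptyDir for writable paths
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web-hardened"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "volumes": [{"name": "tmp", "emptyDir": {}},
                    {"name": "cache", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "nginx:1.25",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"},
                             {"name": "cache", "mountPath": "/var/cache/nginx"}],
        }],
    }}},
}


if __name__ == "__main__":
    for m in (WEAK, PARTIAL, HARDENED):
        hits = check_manifest(m)
        print(m["metadata"]["name"], "->", hits or "clean")
```

The `HARDENED` manifest is the shape both remediations converge on: the token is switched off at the pod level, the container gets `readOnlyRootFilesystem: true`, and the two paths nginx must write to are backed by `emptyDir` volumes so the process still starts. To run the same checks on a directory of YAML, load each document with `yaml.safe_load_all` and pass the resulting dicts to `check_manifest`.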