Mode flag in mkdir -p applies to deepest directory only

Metadata

ID: bash-security/mkdir-mode-applies-to-deepest-only

Language: Bash

Severity: Warning

Category: Security

CWE: 732

Related CWEs:

Description

mkdir -p -m 700 /a/b/c sets mode 700 on c only. If /a and /a/b are created in the same invocation, they are left with the default permissions derived from the umask, so freshly created intermediate directories can have unintended permissions.

When permissions must apply to every created segment, set modes explicitly: chmod each path, call mkdir per level, or create parents first with the desired mode.
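The "call mkdir per level" option, written out as an added example (not part of the rule's own documentation). The function names mkdir_each_level, mode_of and demo are hypothetical, and the demo assumes a umask of 022.

```bash
#!/bin/bash
# Added example: create every missing path segment with an explicit mode.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# mkdir_each_level MODE PATH
# Creates each missing segment with MODE. Directories that already exist are
# left untouched, as with mkdir -p. MODE must keep u+wx so the next level can
# be created inside it. The body runs in a subshell so IFS and set -f stay local.
mkdir_each_level() (
    mode=$1 path=$2
    case $path in /*) current=/ ;; *) current= ;; esac
    set -f      # no globbing while the path is split on "/"
    IFS=/
    for segment in $path; do
        [ -n "$segment" ] || continue    # skip empty fields from "//" or a leading "/"
        current=$current$segment
        [ -d "$current" ] || mkdir -m "$mode" -- "$current" || exit 1
        current=$current/
    done
)

# Compare the flagged pattern with the per-level helper in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        umask 022                         # assumed default umask
        mkdir -p -m 700 flagged/b/c       # the pattern the rule reports
        mkdir_each_level 700 fixed/b/c
        echo "flagged: $(mode_of flagged) $(mode_of flagged/b) $(mode_of flagged/b/c)"
        echo "fixed:   $(mode_of fixed) $(mode_of fixed/b) $(mode_of fixed/b/c)"
    )
    rm -rf "$tmp"
}

demo
```

With a umask of 022, the flagged call leaves flagged and flagged/b at 755 while all three fixed segments are 700.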

Non-Compliant Code Examples

#!/bin/bash
mkdir -p -m 700 a/b
mkdir --parents --mode=700 x/y/z
mkdir -pm755 dir/sub
mkdir -m 0700 -p first/second
/usr/bin/mkdir -p -m 700 /tmp/nested/deep

Compliant Code Examples

#!/bin/bash
mkdir a
mkdir -p a/b/c
mkdir -p /tmp/dir
mkdir -m 700 d
mkdir -p -m 700 single
mkdir -pm700 onedir
mkdir --parents --mode=755 onlyone
mkdir -p -m 700 /var
mkdir -p -m 700 ./here
/usr/bin/mkdir -p -m 700 ./x