---
title: Mode flag in mkdir -p applies to deepest directory only
description: Datadog, the leading service for cloud-scale monitoring.
---

# Mode flag in mkdir -p applies to deepest directory only

## Metadata{% #metadata %}

**ID:** `bash-security/mkdir-mode-applies-to-deepest-only`

**Language:** Bash

**Severity:** Warning

**Category:** Security

**CWE:** [732](https://cwe.mitre.org/data/definitions/732.html)

**Related CWEs:**

- [276](https://cwe.mitre.org/data/definitions/276.html)
- [281](https://cwe.mitre.org/data/definitions/281.html)
- [766](https://cwe.mitre.org/data/definitions/766.html)

## Description{% #description %}

`mkdir -p -m 700 /a/b/c` sets mode `700` on `c` only. If `/a` and `/a/b` are created in the same invocation, they get the default permissions derived from the umask, not `700`, so freshly created intermediate directories can end up with unintended permissions.

When permissions must apply to every created segment, set modes explicitly: `chmod` each path, call `mkdir` per level, or create parents first with the desired mode.
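One way to implement the per-level approach, as an added example that is not part of the rule's own documentation: the hypothetical helper `mkdir_each_mode` walks the path and creates each missing segment with `mkdir -m` and no `-p`, so the mode lands on every directory it creates. `perm_string` is also a hypothetical helper, used only to inspect the result.

```bash
#!/bin/bash
# Added example (hypothetical helpers, not Datadog code).

# Usage: mkdir_each_mode MODE PATH
# Creates every missing segment of PATH with MODE. Directories that already
# exist are left untouched. MODE must keep u+wx, otherwise the next level
# cannot be created inside the directory just made.
mkdir_each_mode() {
    local mode="$1" rest="$2" current segment
    [ -n "$mode" ] && [ -n "$rest" ] || return 2

    # Keep absolute paths absolute and relative paths relative.
    case $rest in
        /*) current=/ ;;
        *)  current= ;;
    esac

    while [ -n "$rest" ]; do
        segment=${rest%%/*}              # text before the first "/"
        case $rest in
            */*) rest=${rest#*/} ;;      # drop that segment and its "/"
            *)   rest= ;;                # last segment consumed
        esac
        [ -n "$segment" ] || continue    # empty part from a leading "/" or "//"

        current="${current}${segment}"
        if [ ! -d "$current" ]; then
            # Without -p, -m applies to exactly the directory being created.
            # Fail closed if it cannot be created (for example, a race or a
            # non-directory file already at this path).
            mkdir -m "$mode" -- "$current" || return 1
        fi
        current="${current}/"
    done
}

# Print the type-and-permission string (for example drwx------) of a path.
perm_string() {
    ls -ld -- "$1" | cut -c1-10
}
```

Because existing directories are not modified, a parent that was already present with broader permissions still needs a separate `chmod` if it must be restricted.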

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
mkdir -p -m 700 a/b
mkdir --parents --mode=700 x/y/z
mkdir -pm755 dir/sub
mkdir -m 0700 -p first/second
/usr/bin/mkdir -p -m 700 /tmp/nested/deep
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
mkdir a
mkdir -p a/b/c
mkdir -p /tmp/dir
mkdir -m 700 d
mkdir -p -m 700 single
mkdir -pm700 onedir
mkdir --parents --mode=755 onlyone
mkdir -p -m 700 /var
mkdir -p -m 700 ./here
/usr/bin/mkdir -p -m 700 ./x
```