Ensure that default and mapped POSIX permissions on the shared file system do not grant broader access than required by the workload.
Enforce Least-Privilege POSIX File Permissions
CCC.FileStor.CN02 · Access
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.CP04 | POSIX File Semantics | The service always exposes standard POSIX file and directory operations, including permissions and ownership metadata, with concurrent multi-client access to the same file system. |
| CCC.Core.CP06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.TH02 | POSIX Permissions Grant Unintended Shared Access | Default file and directory permissions, identity mapping, or access control lists on the shared file system may be configured with broader scope than required for the workload. Users or processes on authorized mount clients can read or modify files outside their intended scope. This impacts confidentiality and integrity of file content stored on the shared file system. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.FileStor.CN02.AR01 | When default file or directory permissions are applied on the shared file system, the service MUST NOT grant world-readable or world-writable access unless explicitly configured for a documented exception. | tlp-amber, tlp-red |
| CCC.FileStor.CN02.AR02 | When client identity mapping is configured for NFS access, the service MUST map connecting clients to POSIX user and group identifiers that enforce least-privilege access. | tlp-clear, tlp-green, tlp-amber, tlp-red |
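
One way to test CCC.FileStor.CN02.AR01 from a mount client, as an added example that is not part of the control catalog: walk the share and report every entry whose mode grants world read or write access unless it appears in a documented exception list. The function names, the exception list format and the directory tree are assumptions; the tree is constructed sample data standing in for a mounted file system.

```python
import os
import stat
import tempfile

WORLD_BITS = stat.S_IROTH | stat.S_IWOTH  # "other" read / write bits


def audit_world_access(root, documented_exceptions=()):
    """List entries under root that grant world read or write access and are
    not in documented_exceptions (paths relative to root; hypothetical format)."""
    allowed = {os.path.normpath(p) for p in documented_exceptions}
    violations = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow a symlink off the share
            # Skip symlinks (their own mode bits are not enforced) and clean entries.
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & WORLD_BITS:
                continue
            rel = os.path.relpath(full, root)
            if rel in allowed:
                continue  # documented exception, as AR01 permits
            kinds = [label for bit, label in ((stat.S_IROTH, "world-readable"),
                                              (stat.S_IWOTH, "world-writable"))
                     if st.st_mode & bit]
            violations.append((rel, stat.filemode(st.st_mode), kinds))
    return sorted(violations)


def build_constructed_share():
    """Create a throwaway directory tree standing in for a mounted share."""
    root = tempfile.mkdtemp(prefix="ccc-filestor-")
    layout = {  # relative path -> mode (constructed sample data)
        "projects": 0o750, "projects/report.txt": 0o640,
        "projects/notes.txt": 0o644, "scratch": 0o777,
        "public": 0o755, "public/readme.txt": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if "." in rel:
            with open(path, "w") as fh:
                fh.write("sample\n")
        else:
            os.mkdir(path)
        os.chmod(path, mode)  # chmod ignores the umask, so modes are exact
    return root


if __name__ == "__main__":
    share = build_constructed_share()
    for finding in audit_world_access(share, ["public", "public/readme.txt"]):
        print(finding)
```

The audit covers entries that already exist; the default mode applied to newly created files also depends on each client's umask and any export-level settings.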