
Ochriso

#39131 of 53,635
7.1 CVSS total
Vulnerabilities · 1
PT-2023-23971
7.1
2023-05-24
Nfpm · Nfpm · CVE-2023-32698
**Name of the Vulnerable Software and Affected Versions**

nfpm (affected versions not specified)

**Description**

The issue arises when nfpm packages files without maintaining the original file permissions from the source control. This can result in files being packaged with incorrect permissions, such as chmod 666 or 777, if no extra configuration is provided to enforce its own permissions. Anyone using nfpm to create packages without checking or setting file permissions before packaging could end up with files or folders having bad permissions.

**Recommendations**

To prevent world-writable files from making it into the packages, add the ability to override the default permissions of packaged files using a umask config option in the packaging spec file. This feature in nfpm would allow applying a global umask across any files being packaged, therefore, with the correct configuration, preventing world-writable files without needing to list permissions on each and every file in the package.
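
A pre-packaging check in the spirit of the description and recommendation above, as an added example that is not part of the original advisory or of nfpm: it walks a staging directory, reports world-writable entries and clears the bits selected by a umask. The function names, the `0o022` default and the sample tree are assumptions made for this illustration.

```python
import os
import stat
import tempfile

WORLD_WRITABLE = stat.S_IWOTH  # the 0o002 bit


def audit_tree(root, umask=0o022):
    """Return (relative path, current mode, mode after umask) for every
    world-writable file or directory under root. Symlinks are skipped
    because their own mode bits are not meaningful."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & WORLD_WRITABLE:
                findings.append((os.path.relpath(path, root), mode, mode & ~umask))
    return sorted(findings)


def enforce_umask(root, umask=0o022):
    """Clear the umask bits on every flagged entry; return what was changed."""
    findings = audit_tree(root, umask)
    for rel, _, masked in findings:
        os.chmod(os.path.join(root, rel), masked)
    return findings


def build_sample_tree():
    """Constructed staging tree: two world-writable files and one good one."""
    root = tempfile.mkdtemp(prefix="staging-")
    os.mkdir(os.path.join(root, "etc"))
    os.chmod(os.path.join(root, "etc"), 0o755)
    for rel, mode in (("etc/app.conf", 0o666), ("run.sh", 0o777), ("README", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # explicit chmod so the process umask does not interfere
    return root


if __name__ == "__main__":
    staging = build_sample_tree()
    for rel, mode, masked in enforce_umask(staging):
        print(f"{rel}: {mode:04o} -> {masked:04o}")
```

Running `audit_tree` as a build gate (fail when it returns anything) catches the problem before packaging; `enforce_umask` is the corrective step for a staging copy.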