alpine 3.9
misc weakness #447

4

Weakness Breakdown


Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

It's often easy to fool getlogin. Sometimes it does not work at all, because some program messed up the utmp file. Often, it gives only the first 8 characters of the login name. The user currently logged in on the controlling tty of our program need not be the user who started it. Avoid getlogin.

File Name:

cvs/src/cvs-1.11.23/os2/pwd.h

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 misc weakness.

 struct passwd
{
  /*	...		*/
  /*    missing stuff	*/
  /*	...		*/
  char *pw_name;		/* login user id		*/
  char *pw_dir;			/* home directory		*/
  char *pw_shell;		/* login shell			*/
  int  pw_uid;
};

struct group
{
  /*	...		*/
  /*    missing stuff	*/
  /*	...		*/
  char *gr_name;		/* login user id		*/
  int  gr_gid;
};

extern struct passwd *getpwuid (int);
extern struct passwd *getpwnam (char *);
extern struct group *getgrgid (int);
extern struct group *getgrnam (char *);
extern char *getlogin (void);
extern char *getgr_name (void);
extern int getuid (void);
extern int getgid (void);
extern int geteuid (void);
extern int getegid (void);

extern int *groups;
extern int ngroups;
extern int getgroups (int, int *);

extern struct passwd *getpwent (void);
extern void setpwent (void);
extern void endpwent (void);
extern void endgrent (void);

/*
 * Local Variables:
 * mode:C
 * ChangeLog:ChangeLog
 * compile-command:make
 * End:
 */ 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.