centos 7
access weakness #23

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

slang-2.2.4/src/slposdir.c

Context:

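The highlighted line of code below is the trigger point of this particular CentOS 7 access weakness. The highlighting is not preserved in this text listing; given the warning above, the flagged line is presumably the `umask (*u)` call in `umask_cmd`, which applies whatever mask the caller supplies.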

 	if (-1 == SLang_pop_slstring (&sopt))
	  return;
      case 1:
	if (-1 == SLang_pop_slstring (&s))
	  {
	     SLang_free_slstring (sopt);
	     return;
	  }
	break;
      default:
	_pSLang_verror (SL_INVALID_PARM, "usage: listdir (string, [opt-string]");
	return;
     }

   listdir_cmd (s, sopt);
   SLang_free_slstring (s);
   SLang_free_slstring (sopt);
}

#endif				       /* USE_LISTDIR_INTRINSIC */

#ifdef HAVE_UMASK
/* Set the process file-mode creation mask to *u and return the mask that
 * was in effect before the call.
 *
 * The mask value is taken from the caller unchanged; nothing here limits
 * how permissive it may be.  A loose mask (for example 0) means files and
 * directories created afterwards by this process get group/other access
 * unless the creating call passes an explicit restrictive mode.  This is
 * why static scanners flag the umask() call: the hardening decision
 * (e.g. a mask of 077 for private data) rests with whoever supplies *u.
 */
static int umask_cmd (int *u)
{
   int previous_mask = umask (*u);

   return previous_mask;
}
#endif

/* HAS_ACCESS_CMD is 1 only when all four access(2) mode constants are
 * available; the access_cmd wrapper below is compiled under that guard.
 */
#if !defined(R_OK) || !defined(W_OK) || !defined(X_OK) || !defined (F_OK)
# define HAS_ACCESS_CMD 0
#else
# define HAS_ACCESS_CMD 1
#endif

#if HAS_ACCESS_CMD
/* Test whether `path` is accessible with the requested mode bits.
 *
 * Only the R_OK, W_OK, X_OK and F_OK bits of *modep are passed on to
 * access(); any other bits are dropped.  Returns 0 when access() succeeds.
 * On failure the errno value is stored in _pSLerrno_errno and -1 is
 * returned, unless is_interrupt() asks for a retry.
 *
 * NOTE(review): is_interrupt is defined outside this excerpt; presumably
 * it reports an interrupted call (EINTR) -- confirm.
 *
 * Security note: access() evaluates permissions with the real (not the
 * effective) user and group IDs, and the answer can be stale by the time
 * the file is actually opened.  Treat the result as advisory only; do not
 * use it as the authorization check before a later open/exec of the same
 * path (check-then-use race).
 */
static int access_cmd (char *path, int *modep)
{
   int mode = *modep & (R_OK|W_OK|X_OK|F_OK);

   for (;;)
     {
	if (-1 != access (path, mode))
	  return 0;

	/* Retry the call when the failure was only an interruption. */
	if (is_interrupt (errno))
	  continue;

	/* Record the error for the interpreter before reporting failure. */
	_pSLerrno_errno = errno;
	return -1;
     }
}
#endif 
