centos 7
access weakness #28


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The highlighted line of code below is the trigger point of this particular Centos 7 access weakness.

                                     const char *username, /* fully-qualified */
                                    uid_t uid,
                                    gid_t gid)
    TALLOC_CTX *tmp_ctx;
    char *shortname;
    char *domain;
    char *domain_dir;
    errno_t ret;
    mode_t old_umask;

    tmp_ctx = talloc_new(NULL);
    if (tmp_ctx == NULL) {
        return ENOMEM;

    ret = sss_parse_internal_fqname(tmp_ctx, username, &shortname, &domain);
    if (ret != EOK) {
              "sss_parse_internal_fqname() failed [%d]: %s\n",
              ret, sss_strerror(ret));
        goto done;

    old_umask = umask(0026);
    ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0751,
                         getuid(), getgid());
    if (ret != EOK) {
              "Failed to create the directory \"%s/%s\" that would be used to "
              "store the Desktop Profile rules users' directory [%d]: %s\n",
              IPA_DESKPROFILE_RULES_USER_DIR, domain,
              ret, sss_strerror(ret));
        goto done;

    domain_dir = talloc_asprintf(tmp_ctx, IPA_DESKPROFILE_RULES_USER_DIR"/%s",
    if (domain_dir == NULL) {
        ret = ENOMEM;
        goto done;

    /* In order to read, create and traverse the directory, we need to have its
     * permissions set as 'rwx------' (700). */
    old_umask = umask(0077);
    ret = sss_create_dir(domain_dir, shortname, 0700, uid, gid);
    if (ret != EOK) { 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.