CentOS 7
Access weakness #33


Weakness Breakdown


An access weakness occurs when software does not correctly implement permissions or permission checks, so that an attacker can read, write or execute something the design did not intend. A classic example is a default username and password set by the developer that the system administrator never changes; another is a process that loosens its file-creation mask so that files and directories it creates end up more permissive than expected.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The trigger point of this particular CentOS 7 access weakness is the call `old_mask = umask(0);` in the excerpt below. The code clears the process umask on purpose (see the comment referencing the Red Hat bug) so that directories created by the helper functions get exactly the mode they request; the warning fires because, while the mask is zero, every file or directory the process creates receives whatever permission bits the creating call asks for, with nothing filtered out.

    DEBUG(SSSDBG_TRACE_ALL, "r->size: %zu\n", r->size);
    return EOK;
}   /* end of the preceding function; its start is not part of this excerpt */

static int sc_set_seuser(const char *login_name, const char *seuser_name,
                         const char *mls)
{
    int ret;
    mode_t old_mask;

    /* This is a workaround for
     * https://bugzilla.redhat.com/show_bug.cgi?id=1186422 to make sure
     * the directories are created with the expected permissions
     */
    old_mask = umask(0);        /* trigger point: clears the process umask */
    if (strcmp(seuser_name, "") == 0) {
        /* An empty SELinux user should cause SSSD to use the system
         * default. We need to remove the SELinux user from the DB
         * in that case
         */
        ret = sss_del_seuser(login_name);
    } else {
        ret = sss_set_seuser(login_name, seuser_name, mls);
    }
    umask(old_mask);            /* restore the caller's umask before returning */
    return ret;
}

static bool seuser_needs_update(const char *username,
                                const char *seuser,
                                const char *mls_range)
{
    bool needs_update = true;
    char *db_seuser = NULL;
    char *db_mls_range = NULL;
    errno_t ret;

    ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
    DEBUG(SSSDBG_TRACE_ALL,
          "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
          ret, db_seuser ? db_seuser : "unknown",
          db_mls_range ? db_mls_range : "unknown");
    /* Only skip the update when the stored user and MLS range match
     * and the SELinux user really exists on the system. */
    if (ret == EOK && db_seuser && db_mls_range &&
            strcmp(db_seuser, seuser) == 0 &&
            strcmp(db_mls_range, mls_range) == 0) {
        ret = sss_seuser_exists(username);
        if (ret == EOK) {
            needs_update = false;
        }
    }

    /* strings handed back by sss_get_seuser() are owned by the caller */
    free(db_seuser);
    free(db_mls_range);
    return needs_update;
}
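To make the warning concrete, the following C program is an added example (not SSSD code, and not part of the original page). It reproduces the save/clear/restore pattern from `sc_set_seuser()` with `mkdir()`, shows what permission bits the kernel actually applies under `umask(0)` versus `umask(077)`, and contrasts it with a hardened alternative that leaves the process-wide mask alone and sets the exact mode with `chmod()` afterwards. The scratch path under `/tmp` and the helper names are assumptions for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (the 0777 part) that `path` ended up with, or -1 on error. */
static int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        return -1;
    }
    return (int)(st.st_mode & 0777);
}

/* Same pattern as sc_set_seuser(): set the umask to `mask`, create a
 * directory asking for `requested`, restore the old mask, and report the
 * bits the kernel applied (requested & ~mask). The mask is restored even
 * when mkdir() fails, so an error path cannot leak the cleared umask. */
static int mkdir_with_umask(const char *path, mode_t requested, mode_t mask)
{
    mode_t old_mask = umask(mask);
    int rc = mkdir(path, requested);
    int saved_errno = errno;
    umask(old_mask);
    if (rc != 0) {
        errno = saved_errno;
        return -1;
    }
    int bits = perm_bits(path);
    rmdir(path);
    return bits;
}

/* Hardened alternative: never touch the process-wide umask. chmod() is not
 * filtered by the umask, so the directory gets exactly `wanted` regardless
 * of what the caller inherited, and other threads creating files at the
 * same moment keep their normal (restrictive) mask. */
static int mkdir_exact_mode(const char *path, mode_t wanted)
{
    if (mkdir(path, wanted) != 0) {
        return -1;
    }
    if (chmod(path, wanted) != 0) {
        int saved_errno = errno;
        rmdir(path);
        errno = saved_errno;
        return -1;
    }
    int bits = perm_bits(path);
    rmdir(path);
    return bits;
}

/* Per-process scratch path; /tmp is assumed to be writable (demo assumption). */
static void scratch_path(char *buf, size_t len, const char *tag)
{
    snprintf(buf, len, "/tmp/umask_demo_%ld_%s", (long)getpid(), tag);
}

/* Three scenarios, each returning the observed permission bits:
 *   0: umask(0)   + mkdir(0777)  -> 0777, world-writable (the weakness)
 *   1: umask(077) + mkdir(0777)  -> 0700, the mask filtered group/other
 *   2: umask(077) + mkdir + chmod(0755) -> 0755, exact mode without clearing umask */
static int observed_bits(int scenario)
{
    char path[128];
    scratch_path(path, sizeof path, "dir");
    switch (scenario) {
    case 0:
        return mkdir_with_umask(path, 0777, 0);
    case 1:
        return mkdir_with_umask(path, 0777, 0077);
    case 2: {
        mode_t old_mask = umask(0077);   /* restrictive inherited mask */
        int bits = mkdir_exact_mode(path, 0755);
        umask(old_mask);
        return bits;
    }
    default:
        return -1;
    }
}

int main(void)
{
    for (int s = 0; s < 3; s++) {
        printf("scenario %d: bits %04o\n", s, observed_bits(s));
    }
    return 0;
}
```

The point of scenario 0 is that `umask(0)` turns a careless mode argument anywhere in the code path into a world-writable object; the SSSD excerpt relies on the callees passing the intended modes. Note that the umask is per-process state, so clearing it affects every file created by any thread until it is restored, and an early `return` between `umask(0)` and `umask(old_mask)` would leave the process running with no mask at all.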
