rhel 6
access weakness #27


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The highlighted line of code below is the trigger point of this particular Red Hat Enterprise Linux 6 access weakness.


void mailbox_log_set_permissions(struct mailbox_log *log, mode_t mode,
				 gid_t gid, const char *gid_origin)
{
	log->mode = mode;
	log->gid = gid;
	log->gid_origin = i_strdup(gid_origin);
}

static int mailbox_log_open(struct mailbox_log *log)
{
	mode_t old_mode;

	i_assert(log->fd == -1);

	log->open_timestamp = ioloop_time;
	log->fd = open(log->filepath, O_RDWR | O_APPEND);
	if (log->fd != -1)
		return 0;

	/* try to create it */
	/* The umask() call below is the one the warning refers to. It masks
	   every 0666 bit that is not set in log->mode, so the file is
	   created with mode (0666 & log->mode). */
	old_mode = umask(0666 ^ log->mode);
	log->fd = open(log->filepath, O_RDWR | O_APPEND | O_CREAT, 0666);
	/* restore the process umask saved above */
	umask(old_mode);

	if (log->fd == -1) {
		if (errno != EACCES)
			i_error("creat(%s) failed: %m", log->filepath);
		else
			i_error("%s", eacces_error_get("creat", log->filepath));
		return -1;
	}
	if (fchown(log->fd, (uid_t)-1, log->gid) < 0) {
		if (errno != EPERM)
			i_error("fchown(%s) failed: %m", log->filepath);
		else {
			i_error("%s", eperm_error_get_chgrp("fchown",
						log->filepath, log->gid,
						log->gid_origin));
		}
	}
	return 0;
}

static int mailbox_log_rotate_if_needed(struct mailbox_log *log)
{
	struct stat st;
	/* the excerpt ends here */
