alpine 3.6
access weakness #150


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

/*
 * You should have received a copy of the GNU General Public License
 * along with GNU Zebra; see the file COPYING.  If not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 */

#include <zebra.h>
#include <fcntl.h>
#include <log.h>
#include "version.h"

#define PIDFILE_MASK 0644
#ifndef HAVE_FCNTL

pid_t
pid_output (const char *path)
{
  FILE *fp;
  pid_t pid;
  mode_t oldumask;

  pid = getpid();

  /* The umask call the warning above refers to: 0777 & ~0644 = 0133,
     so the pid file is created with mode 0644 (world-readable). */
  oldumask = umask(0777 & ~PIDFILE_MASK);
  fp = fopen (path, "w");
  if (fp != NULL)
    {
      fprintf (fp, "%d\n", (int) pid);
      fclose (fp);
      return pid;
    }
  /* XXX Why do we continue instead of exiting?  This seems incompatible
     with the behavior of the fcntl version below. */
  zlog_warn("Can't fopen pid lock file %s (%s), continuing",
	    path, safe_strerror(errno));
  return -1;
}

#else /* HAVE_FCNTL */

pid_output (const char *path)
  int tmp;
  int fd;
  pid_t pid;
  char buf[16]; 
