alpine 3.6
access weakness #163


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

quagga/src/quagga-1.2.4/tests/common-cli.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

int dump_args(struct vty *vty, const char *descr,
              int argc, const char **argv)
{
  int i;
  vty_out (vty, "%s with %d args.%s", descr, argc, VTY_NEWLINE);
  for (i = 0; i < argc; i++)
    {
      vty_out (vty, "[%02d]: %s%s", i, argv[i], VTY_NEWLINE);
    }

  return CMD_SUCCESS;
}

static void vty_do_exit(void)
{
  printf ("\nend.\n");
  exit (0);
}

/* main routine. */
int
main (int argc, char **argv)
{
  /* Set umask before anything for security */
  umask (0027);

  /* master init. */
  master = thread_master_create ();

  zlog_default = openzlog ("common-cli", ZLOG_NONE,
                           LOG_CONS|LOG_NDELAY|LOG_PID, LOG_DAEMON);
  zlog_set_level (NULL, ZLOG_DEST_SYSLOG, ZLOG_DISABLED);
  zlog_set_level (NULL, ZLOG_DEST_STDOUT, ZLOG_DISABLED);
  zlog_set_level (NULL, ZLOG_DEST_MONITOR, LOG_DEBUG);

  /* Library inits. */
  cmd_init (1);
  host.name = strdup ("test");

  vty_init (master);
  memory_init ();

  test_init ();

  vty_stdio (vty_do_exit);

  /* Fetch next active thread. */
  thread_main (master);

  /* Not reached. */ 
