alpine 3.6
access weakness #165


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

quagga/src/quagga-1.2.4/tests/test-privs.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

     fprintf (stderr, "Try '%s --help' for more information.\n", progname);
  else
    {    
      printf ("Usage : %s [OPTION...]\n\
Daemon which does 'slow' things.\n\n\
-u, --user         User to run as\n\
-g, --group        Group to run as\n\
-h, --help         Display this help and exit\n\
\n\
Report bugs to %s\n", progname, ZEBRA_BUG_ADDRESS);
    }
  exit (status);
}

struct thread_master *master;
/* main routine. */
int
main (int argc, char **argv)
{
  char *p;
  char *progname;
  struct zprivs_ids_t ids;
  
  /* Set umask before anything for security */
  umask (0027);

  /* get program name */
  progname = ((p = strrchr (argv[0], '/')) ? ++p : argv[0]);

  while (1)
    {
      int opt;

      opt = getopt_long (argc, argv, "hu:g:", longopts, 0);

      if (opt == EOF)
        break;

      switch (opt)
        {
        case 0:
          break;
        case 'u':
          test_privs.user = optarg;
          break;
        case 'g':
          test_privs.group = optarg;
          break;
        case 'h':
          usage (progname, 0);
