alpine 3.6
access weakness #199


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 	iRet = createMainQueue(&pMsgQueue, UCHAR_CONSTANT("main Q"),
		    		(mainqCnfObj == NULL) ? NULL : mainqCnfObj->nvlst);
	if(iRet == RS_RET_OK) {
		iRet = startMainQueue(pMsgQueue);
	if(iRet != RS_RET_OK) {
		/* no queue is fatal, we need to give up in that case... */
		fprintf(stderr, "fatal error %d: could not create message queue - rsyslogd can not run!\n", iRet);

	bHaveMainQueue = (ourConf->globals.mainQ.MainMsgQueType == QUEUETYPE_DIRECT) ? 0 : 1;
	DBGPRINTF("Main processing queue is initialized and running\n");

/* set the processes umask (upon configuration request) */
static inline rsRetVal
setUmask(int iUmask)
	if(iUmask != -1) {
		DBGPRINTF("umask set to 0%3.3o.\n", iUmask);

	return RS_RET_OK;

/* Activate an already-loaded configuration. The configuration will become
 * the new running conf (if successful). Note that in theory this method may
 * be called when there already is a running conf. In practice, the current
 * version of rsyslog does not support this. Future versions probably will.
 * Begun 2011-04-20, rgerhards
static rsRetVal
activate(rsconf_t *cnf)

	/* at this point, we "switch" over to the running conf */
	runConf = cnf;
#	if	0 /* currently the DAG is not supported -- code missing! */
	/* TODO: re-enable this functionality some time later! */
	/* check if we need to generate a config DAG and, if so, do that */
	if(ourConf->globals.pszConfDAGFile != NULL)

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.