alpine 3.6
access weakness #199

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

rsyslog/src/rsyslog-8.26.0/runtime/rsconf.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 	iRet = createMainQueue(&pMsgQueue, UCHAR_CONSTANT("main Q"),
		    		(mainqCnfObj == NULL) ? NULL : mainqCnfObj->nvlst);
	if(iRet == RS_RET_OK) {
		iRet = startMainQueue(pMsgQueue);
	}
	if(iRet != RS_RET_OK) {
		/* no queue is fatal, we need to give up in that case... */
		fprintf(stderr, "fatal error %d: could not create message queue - rsyslogd can not run!\n", iRet);
		FINALIZE;
	}

	bHaveMainQueue = (ourConf->globals.mainQ.MainMsgQueType == QUEUETYPE_DIRECT) ? 0 : 1;
	DBGPRINTF("Main processing queue is initialized and running\n");
finalize_it:
	glblDestructMainqCnfObj();
	RETiRet;
}


/* set the processes umask (upon configuration request) */
static inline rsRetVal
setUmask(int iUmask)
{
	if(iUmask != -1) {
		umask(iUmask);
		DBGPRINTF("umask set to 0%3.3o.\n", iUmask);
	}

	return RS_RET_OK;
}


/* Activate an already-loaded configuration. The configuration will become
 * the new running conf (if successful). Note that in theory this method may
 * be called when there already is a running conf. In practice, the current
 * version of rsyslog does not support this. Future versions probably will.
 * Begun 2011-04-20, rgerhards
 */
static rsRetVal
activate(rsconf_t *cnf)
{
	DEFiRet;

	/* at this point, we "switch" over to the running conf */
	runConf = cnf;
#	if	0 /* currently the DAG is not supported -- code missing! */
	/* TODO: re-enable this functionality some time later! */
	/* check if we need to generate a config DAG and, if so, do that */
	if(ourConf->globals.pszConfDAGFile != NULL)
		generateConfigDAG(ourConf->globals.pszConfDAGFile); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.