alpine 3.6
access weakness #260

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

s6/src/s6-2.5.1.0/src/libs6/ftrig1_make.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 static inline void surfname (char *s, size_t n)
{
  static char const oklist[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZghijklmnopqrstuvwxyz-_0123456789abcdef" ;
  surf(&surf_ctx, s, n) ;
  while (n--) s[n] = oklist[s[n] & 63] ;
}

int ftrig1_make (ftrig1_t *f, char const *path)
{
  ftrig1_t ff = FTRIG1_ZERO ;
  size_t pathlen = strlen(path) ;
  int e = 0 ;
  char tmp[pathlen + 46 + FTRIG1_PREFIXLEN] ;
  
  memcpy(tmp, path, pathlen) ;
  tmp[pathlen] = '/' ; tmp[pathlen+1] = '.' ;
  memcpy(tmp + pathlen + 2, FTRIG1_PREFIX, FTRIG1_PREFIXLEN) ;
  tmp[pathlen + 2 + FTRIG1_PREFIXLEN] = ':' ;
  if (!timestamp(tmp + pathlen + 3 + FTRIG1_PREFIXLEN)) return 0 ;
  tmp[pathlen + 28 + FTRIG1_PREFIXLEN] = ':' ;
  surfname(tmp + pathlen + 29 + FTRIG1_PREFIXLEN, 16) ;
  tmp[pathlen + 45 + FTRIG1_PREFIXLEN] = 0 ;
  
  {
    mode_t m = umask(0) ;
    if (mkfifo(tmp, S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH) == -1)
    {
      umask(m) ;
      return 0 ;
    }
    umask(m) ;
  }

  if (!stralloc_catb(&ff.name, tmp, pathlen+1)) { e = errno ; goto err0 ; }
  if (!stralloc_catb(&ff.name, tmp + pathlen + 2, FTRIG1_PREFIXLEN + 44))
  {
    e = errno ; goto err1 ;
  }
  ff.fd = open_read(tmp) ;
  if (ff.fd == -1) { e = errno ; goto err1 ; }
  ff.fdw = open_write(tmp) ;
  if (ff.fdw == -1) { e = errno ; goto err2 ; }
  if (rename(tmp, ff.name.s) == -1) goto err3 ;
  *f = ff ;
  return 1 ;

 err3:
  e = errno ;
  fd_close(ff.fdw) ;
 err2: 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.