alpine 3.6
access weakness #268


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.


#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>

/* True when the process runs with privileges it did not inherit from its caller. */
static int issetugid() {
	return (geteuid() != getuid() || getegid() != getgid());
}

#if defined(HAVE_IPV6) && defined(HAVE_INET_PTON)
# define USE_IPV6
#endif

#ifdef USE_IPV6
#define PACKAGE_FEATURES " (ipv6)"
#else
#define PACKAGE_FEATURES ""
#endif

#define PACKAGE_DESC "spawn-fcgi v" PACKAGE_VERSION PACKAGE_FEATURES " - spawns FastCGI processes\n"

#define CONST_STR_LEN(s) s, sizeof(s) - 1

/* umask(2) has no read-only form: querying it means setting it.
 * umask(0) is the line flagged by the scanner; the previous mask is
 * restored immediately so the process never keeps a permissive umask. */
static mode_t read_umask(void) {
	mode_t mask = umask(0);
	umask(mask);
	return mask;
}

/* Write the whole buffer, retrying on EINTR and on short writes. */
static ssize_t write_all(int fildes, const void *buf, size_t nbyte) {
	size_t rem;
	for (rem = nbyte; rem > 0;) {
		ssize_t res = write(fildes, buf, rem);
		if (-1 == res) {
			if (EINTR != errno) return res;
		} else {
			buf = res + (char const*) buf;
			rem -= res;
		}
	}
	return nbyte;
}

static int bind_socket(const char *addr, unsigned short port, const char *unixsocket, uid_t uid, gid_t gid, mode_t mode, int backlog) {
	int fcgi_fd, socket_type, val;

	struct sockaddr_un fcgi_addr_un;
	struct sockaddr_in fcgi_addr_in;
#ifdef USE_IPV6
	struct sockaddr_in6 fcgi_addr_in6;
#endif

	/* ... remainder of bind_socket() is not shown in this excerpt ... */
}
