alpine 3.6
access weakness #290

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

mmh/src/mmh-0.3/sbr/makedir.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 	*/
	saved_umask = umask(0);

	c = strncpy(path, dir, sizeof(path));

	while (!had_an_error && (c = strchr((c + 1), '/')) != NULL) {
		*c = '\0';
		/* Create an outer directory. */
		if (mkdir(path, folder_perms) == -1 &&
				errno != EEXIST) {
			advise(dir, "unable to create directory");
			had_an_error = 1;
		}
		*c = '/';
	}

	/*
	** Create the innermost nested subdirectory of the
	** path we're being asked to create.
	*/
	if (!had_an_error && mkdir(dir, folder_perms)==-1) {
		advise(dir, "unable to create directory");
		had_an_error = 1;
	}
	umask(saved_umask);  /* put the user's umask back */

	return (had_an_error) ? 0 : 1;
} 
