alpine 3.6
access weakness #305

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

gradm/src/gradm/gradm_func.h

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

void insert_nested_acl_subject(struct proc_acl *subject);

const char *gr_get_user_name(uid_t uid);
const char *gr_get_group_name(gid_t gid);

void output_role_info(struct gr_learn_group_node *group, struct gr_learn_user_node *user, FILE *stream);
void output_learn_header(FILE *stream);

int display_leaf(struct gr_learn_file_node *node, const void *unused1, FILE *stream);

void insert_learn_id_transition(unsigned int ***list, int real, int eff, int fs);
void add_to_string_array(char ***array, const char *str);
void parse_learn_config(void);

void check_pam_auth(const unsigned char *rolename);

void add_replace_string(const char *name, char *replacewith);
char *lookup_replace_string(const char *name);
char *process_string_replace(const char *str);

void sort_file_node_list(struct gr_learn_file_node *root);

void add_sock_family(struct proc_acl *subject, const char *family);
const char *get_sock_family_from_val(int val);
void set_role_umask(struct role_acl *role, u_int16_t umask);

char *get_anchor(const char *filename);
int anchorcmp(const char *path1, const char *path2);

char *strip_trailing_slash(char *filename);
int get_canonical_inodev(const char *name, u_int64_t *ino, u_int32_t *dev, int *is_symlink);

void init_res_table(void);
int bikeshedding_detected(void);
char *get_bikeshedded_path(const char *path);

#ifdef GRADM_DEBUG
void check_file_node_list_integrity(struct gr_learn_file_node **filelist);
void check_conformity_with_learned_rules(struct gr_learn_file_node *subject);
void check_high_protected_path_enforcement(struct gr_learn_file_node *subject);
#endif

#endif 
