alpine 3.6
access weakness #306

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

oidentd/src/oidentd-2.0.8/src/oidentd_util.c

Context:

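The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. In this excerpt the warning refers to the `umask(DEFAULT_UMASK)` call. The value of `DEFAULT_UMASK` is defined outside the excerpt, so whether the mask is restrictive enough has to be checked at its definition.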

 */

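int go_background(void) {
	/*
	** Detach the process and run it in the background: fork (the parent
	** exits), start a new session, change to "/", set the file creation
	** mask and point stdin/stdout/stderr at /dev/null.
	**
	** Returns 0 on success in the child, -1 on any failure.
	*/
	int fd;
	int target;

	switch (fork()) {
		case -1:
			/* Log like every other failure path in this function. */
			debug("fork: %s", strerror(errno));
			return (-1);
		case 0:
			break;
		default:
			/* Parent: leave immediately without running atexit handlers. */
			_exit(0);
	}

	if (setsid() == -1) {
		debug("setsid: %s", strerror(errno));
		return (-1);
	}

	if (chdir("/") != 0) {
		debug("chdir: %s", strerror(errno));
		return (-1);
	}

	/*
	** NOTE(review): DEFAULT_UMASK is defined elsewhere and its value is
	** not visible here. Every file the daemon creates after this point
	** inherits this mask, so confirm that it removes group/other write
	** access (and read access where the files are sensitive).
	*/
	umask(DEFAULT_UMASK);

	fd = open("/dev/null", O_RDWR);
	if (fd == -1) {
		debug("open: /dev/null: %s", strerror(errno));
		return (-1);
	}

	/*
	** Redirect the three standard descriptors. A failed dup2() would leave
	** the descriptor pointing at whatever the daemon inherited, so treat
	** it as an error instead of ignoring it.
	*/
	for (target = 0; target <= 2; target++) {
		if (dup2(fd, target) == -1) {
			debug("dup2: %s", strerror(errno));
			if (fd > 2)
				close(fd);
			return (-1);
		}
	}

	/*
	** The original descriptor is no longer needed once it has been
	** duplicated. Keep it only when open() returned one of 0..2.
	*/
	if (fd > 2)
		close(fd);

	return (0);
}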

/*
** Same as malloc(3), except exits on failure.
*/

void *xmalloc(size_t size) {
	void *ret = malloc(size);

	if (ret == NULL) {
		debug("Fatal: malloc: %s", strerror(errno));
		exit(-1);
	} 
