alpine 3.6
access weakness #334


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

	struct role_transition *prev;
	struct role_transition *next;

struct role_acl {
	const char *rolename;
	uid_t uidgid;
	u_int16_t roletype;

	u_int16_t auth_attempts;
	unsigned long expires;

	struct proc_acl *root_label;
	struct gr_hash_struct *hash;

	struct role_acl *prev;
	struct role_acl *next;

	struct role_transition *transitions;
	struct role_allowed_ip *allowed_ips;
	uid_t *domain_children;
	u_int16_t domain_child_num;

	u_int16_t  umask;

	struct proc_acl **subj_hash;
	u_int32_t subj_hash_size;

struct proc_acl {
	const char *filename;
	u_int64_t inode;
	u_int32_t dev;
	u_int32_t mode;
	gr_cap_t cap_mask;
	gr_cap_t cap_drop;
	gr_cap_t cap_invert_audit;

	struct rlimit res[GR_NLIMITS];
	u_int32_t resmask;

	u_int8_t user_trans_type;
	u_int8_t group_trans_type;
	uid_t *user_transitions;
	gid_t *group_transitions;
	u_int16_t user_trans_num;
	u_int16_t group_trans_num;

	u_int32_t sock_families[2]; 
