alpine 3.6
access weakness #334

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

gradm/src/gradm/gradm_defs.h

Context:

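The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. The highlighting is not preserved in this text version; the only line in the excerpt that mentions umask is the `u_int16_t  umask;` member of struct role_acl. That line declares a data field and does not call umask(), so the finding should be confirmed by checking where the value is set and applied before it is treated as a real permissions problem.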

 
	struct role_transition *prev;
	struct role_transition *next;
};

/*
 * Per-role policy record.
 *
 * Entries point at other role_acl entries through prev/next and carry
 * pointers to related tables (role transitions, allowed IPs, subject
 * labels). Only the declarations are visible in this excerpt, so the
 * comments below are limited to what the types and names establish;
 * anything further is marked as an assumption to confirm.
 */
struct role_acl {
	const char *rolename;
	uid_t uidgid;		/* one uid_t slot; presumably a uid or a gid depending on roletype -- confirm */
	u_int16_t roletype;

	u_int16_t auth_attempts;
	unsigned long expires;	/* NOTE(review): unit and epoch are not shown here -- confirm */

	struct proc_acl *root_label;
	struct gr_hash_struct *hash;

	/* Links to neighbouring role_acl entries. */
	struct role_acl *prev;
	struct role_acl *next;

	struct role_transition *transitions;
	struct role_allowed_ip *allowed_ips;
	uid_t *domain_children;
	u_int16_t domain_child_num;	/* presumably the element count of domain_children -- confirm */

	/*
	 * Plain 16-bit data member that happens to be named "umask". This
	 * declaration stores a value; it does not call umask(2). A scanner
	 * warning that matches on the identifier alone needs to be confirmed
	 * against the code that populates and applies this field, which is
	 * outside this excerpt.
	 */
	u_int16_t  umask;

	struct proc_acl **subj_hash;
	u_int32_t subj_hash_size;	/* presumably the slot count of subj_hash -- confirm */
};

struct proc_acl {
	const char *filename;
	u_int64_t inode;
	u_int32_t dev;
	u_int32_t mode;
	gr_cap_t cap_mask;
	gr_cap_t cap_drop;
	gr_cap_t cap_invert_audit;

	struct rlimit res[GR_NLIMITS];
	u_int32_t resmask;

	u_int8_t user_trans_type;
	u_int8_t group_trans_type;
	uid_t *user_transitions;
	gid_t *group_transitions;
	u_int16_t user_trans_num;
	u_int16_t group_trans_num;

	u_int32_t sock_families[2]; 
