alpine 3.6
access weakness #340

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that the developer sets but the system administrator never changes.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

gradm/src/gradm/gradm_parse.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

/*
 * Copyright (C) 2002-2015 Bradley Spengler, Open Source Security, Inc.
 *        http://www.grsecurity.net spender@grsecurity.net
 *
 * This file is part of gradm.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 */

#include "gradm.h"

extern FILE *gradmin;
extern int gradmparse(void);

void set_role_umask(struct role_acl *role, u_int16_t umask)
{
	role->umask = umask;
}

char *strip_trailing_slash(char *filename)
{
	unsigned int file_len = strlen(filename);
	if (file_len > 1 && filename[file_len - 1] == '/')
		filename[file_len - 1] = '\0';

	if (file_len >= PATH_MAX) {
		fprintf(stderr, "Filename too long on line %lu of file %s.\n",
			lineno, current_acl_file);
		exit(EXIT_FAILURE);
	}

	return filename;
}

static int get_id_from_role_name(const char *rolename, u_int16_t type, int *retid)
{
	unsigned long the_id = 0;
	struct passwd *pwd;
	struct group *grp;
	char *endptr; 
