alpine 3.6
access weakness #352


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

multipath-tools/src/multipath-tools-be1191b/multipathd/main.c

Context:

The line of code below containing the umask() call is the trigger point of this particular Alpine 3.6 access weakness (the highlighting is not preserved in this listing).

	extern int optind;
	int arg;
	int err;
	int foreground = 0;
	struct config *conf;

	ANNOTATE_BENIGN_RACE_SIZED(&multipath_conf, sizeof(multipath_conf),
				   "Manipulated through RCU");
	ANNOTATE_BENIGN_RACE_SIZED(&running_state, sizeof(running_state),
		"Suppress complaints about unprotected running_state reads");
	ANNOTATE_BENIGN_RACE_SIZED(&uxsock_timeout, sizeof(uxsock_timeout),
		"Suppress complaints about this scalar variable");

	logsink = 1;

	if (getuid() != 0) {
		fprintf(stderr, "need to be root\n");
		exit(1);
	}

	/* make sure we don't lock any path */
	if (chdir("/") < 0)
		fprintf(stderr, "can't chdir to root directory : %s\n",
			strerror(errno));
	umask(umask(077) | 022);

	pthread_cond_init_mono(&config_cond);

	udev = udev_new();

	while ((arg = getopt(argc, argv, ":dsv:k::Bn")) != EOF ) {
		switch(arg) {
		case 'd':
			foreground = 1;
			if (logsink > 0)
				logsink = 0;
			//debug=1; /* ### comment me out ### */
			break;
		case 'v':
			if (sizeof(optarg) > sizeof(char *) ||
			    !isdigit(optarg[0]))
				exit(1);

			verbosity = atoi(optarg);
			break;
		case 's':
			logsink = -1;
			break;
		case 'k':
			conf = load_config(DEFAULT_CONFIGFILE);
