alpine 3.6
access weakness #359


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

      else if (S_ISDIR (sb.st_mode) == 0)
        {
          builtin_error ("'%s': file exists but is not a directory", npath);
          umask (original_umask);
          free (npath);
          return 1;
        }

      *p++ = '/';	/* restore slash */
      while (*p == '/')
        p++;		/* skip any repeated slashes */

  /* Create the final directory component. */
  if (stat (npath, &sb) && mkdir (npath, nmode))
    {
      builtin_error ("cannot create directory '%s': %s", npath, strerror (errno));
      umask (original_umask);
      free (npath);
      return 1;
    }

  umask (original_umask);
  free (npath);
  return 0;

char *mkdir_doc[] = {
	"Create directories.",
	"Make directories.  Create the directories named as arguments, in",
	"the order specified, using mode rwxrwxrwx as modified by the current",
	"umask (see 'help umask').  The -m option causes the file permission",
	"bits of the final directory to be MODE.  The MODE argument may be",
	"an octal number or a symbolic mode like that used by chmod(1).  If",
	"a symbolic mode is used, the operations are interpreted relative to",
	"an initial mode of \"a=rwx\".  The -p option causes any required",
	"intermediate directories in PATH to be created.  The directories",
	"are created with permssion bits of rwxrwxrwx as modified by the current",
	"umask, plus write and search permissions for the owner.  mkdir",
	"returns 0 if the directories are created successfully, and non-zero",
	"if an error occurs.",
	(char *)NULL
};

struct builtin mkdir_struct = {
