alpine 3.6
access weakness #396

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

oprofile/src/oprofile-0.9.9/daemon/opd_pipe.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 #include "opd_pipe.h"
#include "opd_printf.h"
#include "op_config.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sys/stat.h>

static int fifo;
static FILE * fifo_fd = NULL;

void opd_create_pipe(void)
{
	mode_t orig_umask = umask(0111);
	if (mkfifo(op_pipe_file, 0666) == -1) {
		if (errno != EEXIST) {
			perror("oprofiled: couldn't create pipe: ");
			exit(EXIT_FAILURE);
		}
	}
	umask(orig_umask);
}


void opd_open_pipe(void)
{
	fifo = open(op_pipe_file, O_RDONLY | O_NONBLOCK);
	if (fifo == -1) {
		perror("oprofiled: couldn't open pipe: ");
		exit(EXIT_FAILURE);
	}
}


void opd_close_pipe(void)
{
	if (fifo_fd)
		fclose(fifo_fd);
	close(fifo);
}


int is_jitconv_requested(void)
{
	/* number of dropped (unknown) requests */
	static long nr_drops = 0; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.