alpine 3.6
access weakness #400


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

oprofile/src/oprofile-0.9.9/gui/oprof_start_config.h

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

/**
 * @file oprof_start_config.h
 * GUI startup config management
 *
 * @remark Copyright 2002 OProfile authors
 * @remark Read the file COPYING
 *
 * @author John Levon
 * @author Philippe Elie
 */

#ifndef OPROF_START_CONFIG_H
#define OPROF_START_CONFIG_H

#include <sys/types.h>
#include <string>
#include <iosfwd>

/// Store the setup of one event
struct event_setting {

	event_setting();

	uint count;
	uint umask;
	bool os_ring_count;
	bool user_ring_count;
};

/**
 * Store the general configuration of the profiler.
 * There is no save(), instead opcontrol --setup must be
 * called. This uses opcontrol's daemonrc file.
 */
struct config_setting {
	config_setting();

	void load(std::istream & in);

	uint buffer_size;
	uint note_table_size;
	std::string kernel_filename;
	bool no_kernel;
	bool verbose;
	bool separate_lib;
	bool separate_kernel;
	bool separate_cpu;
	bool separate_thread;
	uint callgraph_depth;
	uint buffer_watershed; 
