alpine 3.6
access weakness #422

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

lua-posix/src/luaposix-release-v33.4.0/ext/posix/sys/stat.c

Context:

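The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. The highlighting is not preserved in this listing; given the warning text, the flagged line appears to be the `umask()` call in `Pumask`. That function passes the caller-supplied mask straight to `umask(2)`, so whether the resulting mask is too permissive depends on the value each Lua caller provides.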

 static int
Pstat(lua_State *L)
{
	/*
	 * Lua binding around stat(2): takes one string argument (the path)
	 * and returns whatever pushstat() pushes on success or whatever
	 * pusherror() pushes on failure.
	 *
	 * The path is fetched before the arity check, so a wrong-typed
	 * first argument is reported ahead of an argument-count error.
	 */
	const char *path = luaL_checkstring(L, 1);
	struct stat st;

	checknargs(L, 1);

	/* stat(2) resolves symbolic links, so the result describes the link
	 * target; callers that must inspect the link itself need lstat. */
	if (stat(path, &st) != -1)
		return pushstat(L, &st);

	/* stat() returned -1: hand the path to pusherror() for reporting. */
	return pusherror(L, path);
}


/***
Set file mode creation mask.
The mask is installed with umask(2) and therefore applies to the whole
calling process: every file or directory created afterwards has the masked
permission bits cleared. The value is passed through unchanged, so callers
should supply the most restrictive mask that still works for them (for
example octal 077, which removes all group and other access).
@function umask
@int[opt] mode new file creation mask
@treturn int previous umask
@see umask(2)
@see posix.umask
*/
static int
Pumask(lua_State *L)
{
	mode_t new_mask;

	checknargs(L, 1);

	/*
	 * NOTE(review): the argument is read with checkint(), not an optional
	 * variant, so `mode` looks mandatory here even though the doc comment
	 * tags it [opt] -- confirm against the helper's definition.
	 */
	new_mask = (mode_t) checkint(L, 1);

	/* umask(2) returns the mask that was in effect before this call. */
	return pushintresult(umask(new_mask));
}


/*
 * Registration table for this module: one entry per C function exposed to
 * Lua, terminated by the {NULL, NULL} sentinel that luaL_Reg arrays require.
 * NOTE(review): LPOSIX_FUNC is defined outside this listing; presumably it
 * expands each C identifier to a {name, function} pair -- confirm there.
 * Pchmod, Pmkdir, Pmkfifo and Pumask are the entries that set or influence
 * file permissions, so they are the ones to audit for overly permissive modes.
 */
static const luaL_Reg posix_sys_stat_fns[] =
{
	LPOSIX_FUNC( PS_ISBLK		),
	LPOSIX_FUNC( PS_ISCHR		),
	LPOSIX_FUNC( PS_ISDIR		),
	LPOSIX_FUNC( PS_ISFIFO		),
	LPOSIX_FUNC( PS_ISLNK		),
	LPOSIX_FUNC( PS_ISREG		),
	LPOSIX_FUNC( PS_ISSOCK		),
	LPOSIX_FUNC( Pchmod		),
	LPOSIX_FUNC( Plstat		),
	LPOSIX_FUNC( Pmkdir		),
	LPOSIX_FUNC( Pmkfifo		),
	LPOSIX_FUNC( Pstat		),
	LPOSIX_FUNC( Pumask		),
	{NULL, NULL} /* end-of-table sentinel */
};


/***
Constants.
@section constants 
