alpine 3.6
access weakness #465


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are never changed by the system administrator.

Warning code(s):

Ensure that umask is given the most restrictive possible setting.

File Name:

ccache/src/ccache-3.3.4/test/test_conf.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. In this excerpt the match is the `CHECK_INT_EQ(UINT_MAX, conf->umask);` assertion, which tests the default value of the configuration field named umask rather than calling umask() itself, so the warning reflects a name match on that field and the actual permission setting happens wherever the configured value is applied.

 	CHECK(!conf->compression);
	CHECK_INT_EQ(6, conf->compression_level);
	CHECK_STR_EQ("", conf->cpp_extension);
	CHECK(conf->direct_mode);
	CHECK(!conf->disable);
	CHECK_STR_EQ("", conf->extra_files_to_hash);
	CHECK(!conf->hard_link);
	CHECK(conf->hash_dir);
	CHECK_STR_EQ("", conf->ignore_headers_in_manifest);
	CHECK(!conf->keep_comments_cpp);
	CHECK_FLOAT_EQ(0.8f, conf->limit_multiple);
	CHECK_STR_EQ("", conf->log_file);
	CHECK_INT_EQ(0, conf->max_files);
	CHECK_INT_EQ((uint64_t)5 * 1000 * 1000 * 1000, conf->max_size);
	CHECK_STR_EQ("", conf->path);
	CHECK_STR_EQ("", conf->prefix_command);
	CHECK_STR_EQ("", conf->prefix_command_cpp);
	CHECK(!conf->read_only);
	CHECK(!conf->read_only_direct);
	CHECK(!conf->recache);
	CHECK(conf->run_second_cpp);
	CHECK_INT_EQ(0, conf->sloppiness);
	CHECK(conf->stats);
	CHECK_STR_EQ("", conf->temporary_dir);
	CHECK_INT_EQ(UINT_MAX, conf->umask);
	CHECK(!conf->unify);
	conf_free(conf);
}

TEST(conf_read_valid_config)
{
	struct conf *conf = conf_create();
	char *errmsg, *user;
	putenv("USER=rabbit");
	user = getenv("USER");
	CHECK_STR_EQ("rabbit", user);
	create_file(
	  "ccache.conf",
#ifndef _WIN32
	  "base_dir =  /$ USER/foo/$ {USER} \n"
#else
	  "base_dir = C:/$ USER/foo/$ {USER}\n"
#endif
	  "cache_dir=\n"
	  "cache_dir = $ USER$ /$ {USER}/.ccache\n"
	  "\n"
	  "\n"
	  "  #A comment\n"
	  " cache_dir_levels = 4\n"
	  "\t compiler = foo\n" 
