ByteOS Network

CWE-560:Use of umask() with chmod-style Argument

Weakness ID:560

Version:v4.17

Weakness Name:Use of umask() with chmod-style Argument

Vulnerability Mapping:Allowed

Abstraction:Variant

Structure:Simple

Status:Draft

Details Content History Observed CVE Examples Reports

▼Description

The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().

▼Relationships

Relevant to the view"Research Concepts - (1000)"

Nature	Mapping	Type	ID	Name
ChildOf	Allowed	V	687	Function Call With Incorrectly Specified Argument Value

Nature: ChildOf

Mapping: Allowed

Type: Variant

ID: 687

Name: Function Call With Incorrectly Specified Argument Value

▼Memberships

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	946	SFP Secondary Cluster: Insecure Resource Permissions
MemberOf	Prohibited	C	1412	Comprehensive Categorization: Poor Coding Practices

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 946

Name: SFP Secondary Cluster: Insecure Resource Permissions

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 1412

Name: Comprehensive Categorization: Poor Coding Practices

▼Tags

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	BS	BOSS-316	Bypass Protection Mechanism (impact)
MemberOf	Prohibited	BS	BOSS-319	Read Files or Directories (impact)
MemberOf	Prohibited	BS	BOSS-320	Modify Files or Directories (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-316

Name: Bypass Protection Mechanism (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-319

Name: Read Files or Directories (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-320

Name: Modify Files or Directories (impact)

▼Relevant To View

Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	946	SFP Secondary Cluster: Insecure Resource Permissions

Nature: MemberOf

Mapping: Prohibited

Type: Category

ID: 946

Name: SFP Secondary Cluster: Insecure Resource Permissions

▼Common Consequences

Scope	Likelihood	Impact	Note
ConfidentialityIntegrityAccess Control	N/A	Read Files or DirectoriesModify Files or DirectoriesBypass Protection Mechanism	N/A

Scope: Confidentiality, Integrity, Access Control

Likelihood: N/A

Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism

Note:

N/A

▼Potential Mitigations

Phase:Implementation

Description:

Use umask() with the correct argument.

Phase:Testing

Description:

If you suspect misuse of umask(), you can use grep to spot call instances of umask().

▼Modes Of Introduction

Phase: Implementation

Note:

N/A

▼Applicable Platforms

Languages

C(Undetermined Prevalence)

▼Vulnerability Mapping Notes

Usage:Allowed

Reason:Acceptable-Use

Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Notes

Other

Some umask() manual pages begin with the false statement: "umask sets the umask to mask & 0777" Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): "The umask is used by open() to set initial file permissions on a newly-created file. Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666)."