CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (2.11)

CWE-560: Use of umask() with chmod-style Argument

Weakness ID: 560
Abstraction: Variant
Status: Draft
+ Description

Description Summary

The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

C

+ Common Consequences
Scope: Confidentiality, Integrity, Access Control

Technical Impact: Read files or directories; Modify files or directories; Bypass protection mechanism

+ Potential Mitigations

Phase: Implementation

Use umask() with the correct argument.

Phase: Testing

If you suspect misuse of umask(), you can use grep to find calls to umask().

+ Other Notes

The umask() man page begins with the false statement: "umask sets the umask to mask & 0777". Although this behavior would better align with the usage of chmod(), where the user-provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The umask() man page goes on to describe the correct usage of umask(): "The umask is used by open() to set initial file permissions on a newly-created file. Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666)."
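The following C program is an added example, not part of the CWE entry. It creates a file with open(..., 0666) under a chmod-style umask argument and under the correct one, and reports the permissions that result. The helper names and the /tmp probe path are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: the umask that leaves exactly the permission bits
 * in `desired` enabled, i.e. the complement of a chmod-style mode. */
static mode_t umask_for_mode(mode_t desired) {
    return (mode_t)(~desired & 0777);
}

/* Hypothetical helper: create a probe file with open(..., 0666) while `mask`
 * is the process umask; return its permission bits, or -1 on error.
 * Assumes /tmp is writable. umask() is process-wide, so do not call this
 * while other threads are creating files. */
static int mode_created_under(mode_t mask) {
    char path[64];
    struct stat st;
    int result = -1;

    snprintf(path, sizeof path, "/tmp/cwe560-probe-%ld", (long)getpid());

    mode_t saved = umask(mask);   /* bits set in mask are turned OFF */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(saved);                 /* restore the caller's umask */

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

int main(void) {
    /* Weakness: 0644 passed as if umask() took a chmod()-style mode.
     * Owner read/write is stripped; group and other keep write. */
    printf("umask(0644): file mode %04o\n", (unsigned)mode_created_under(0644));

    /* Correct: pass the bits to remove, or derive them from the wanted mode. */
    printf("umask(0022): file mode %04o\n", (unsigned)mode_created_under(0022));
    printf("umask(%04o): file mode %04o\n", (unsigned)umask_for_mode(0600),
           (unsigned)mode_created_under(umask_for_mode(0600)));
    return 0;
}
```
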

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 559 | Often Misused: Arguments and Parameters | Development Concepts (primary) 699
ChildOf | Weakness Variant | 687 | Function Call With Incorrectly Specified Argument Value | Research Concepts (primary) 1000
ChildOf | Category | 946 | SFP Secondary Cluster: Insecure Resource Permissions | Software Fault Pattern (SFP) Clusters (primary) 888
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
 |  | Anonymous Tool Vendor (under NDA) | Externally Mined

Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
  updated Potential_Mitigations
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Relationships, Other_Notes, Taxonomy_Mappings
2011-06-01 | CWE Content Team | MITRE | Internal
  updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal
  updated Relationships
2012-10-30 | CWE Content Team | MITRE | Internal
  updated Potential_Mitigations
2014-07-30 | CWE Content Team | MITRE | Internal
  updated Relationships

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Often Misused: umask()

Page Last Updated: May 05, 2017