In file hosts.py, class DaemonizedProcess, method run() sets the umask value to 0, which grants full permission to all users except the owner and the members of the group, instead of leaving it at the system's default value. When the permission settings for a resource grant access to a broader set of users or processes than is truly essential, sensitive data may be exposed or the resource may be altered by unintended or unauthorized parties. This underscores the importance of precise, tailored permissions to uphold data security and resource integrity. More information is available at: https://cwe.mitre.org/data/definitions/732.html
Proposed Fix
Instead of using os.umask(0), which can be dangerous, use the system's default umask value.
- os.umask(0)
+ os.umask(os.umask(0))
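Review bot: the replacement line `os.umask(os.umask(0))` is a net no-op, and it does not remove the exposure the description is worried about: the inner call still sets the mask to 0 before the outer call restores the previous value, and because umask is process-wide, any other thread creating a file in that window gets whatever mode the creating call requested. If the intent is to keep the umask inherited from the parent, simply delete the `os.umask(0)` line; if the daemon needs a known mask, set an explicit conservative one (for example `os.umask(0o077)` or `os.umask(0o022)`) and state the choice in the description. Two further points for the description: umask 0 does not exclude the owner or group, it clears no bits at all, so a file created with the usual 0o666 request ends up readable and writable by owner, group and everyone else; and clearing the umask is a long-standing daemonization convention that is only safe when every file and directory the daemon creates passes an explicit restrictive mode, so the call sites under DaemonizedProcess are worth checking before the line is changed.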
Issue Type
Bug fix pull request
Component Name
/src/sos/hosts.py
Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.
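An added Python example (not code from the sos project or from this PR) showing what the umask value actually controls for newly created files, and that the proposed replacement line leaves the mask exactly as it was; the file it creates lives in a constructed temporary directory and is removed afterwards.

```python
import os
import stat
import tempfile


def current_umask():
    """Return the process umask without changing it.

    umask(2) has no read-only form, so this sets a value and restores the old
    one; because umask is process-wide, another thread could create files
    while the temporary value is in effect.
    """
    mask = os.umask(0)
    os.umask(mask)
    return mask


def mode_of_new_file(mask):
    """Create a file under `mask` and return its resulting permission bits."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "probe")
            # The creating call asks for 0o666; the kernel clears every bit set
            # in the umask, so mask 0 leaves all of 0o666 in place.
            fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def world_writable_possible(mask):
    """True if `mask` leaves a group or other write bit open for new files."""
    return (mask & 0o022) != 0o022


def apply_proposed_fix():
    """Run the PR's replacement line; returns the mask before and after it."""
    before = current_umask()
    os.umask(os.umask(0))  # sets 0, then restores the previous value: net no-op
    return before, current_umask()


if __name__ == "__main__":
    for mask in (0, 0o022, 0o077):
        print(f"umask {mask:04o} -> file mode {mode_of_new_file(mask):04o}, "
              f"group/other write possible: {world_writable_possible(mask)}")
    print("proposed fix before/after: %04o -> %04o" % apply_proposed_fix())
```

Running it on a POSIX system prints 0666 for mask 0, 0644 for 0o022 and 0600 for 0o077, and the same mask value before and after the proposed fix.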