Mail archive
alpine-devel

[alpine-devel] Build security - run as root, drop privileges during compile

From: Michael Wyraz <michael_at_wyraz.de>
Date: Sun, 23 Sep 2018 19:50:43 +0200

Hello devs,

the current abuild refuses to run as root and requires a user in the
"abuild" group to run builds "for security reasons". IMO this does not
improve security and probably should be done exactly the other way
round: Run abuild as root and drop privileges at any place where
untrusted code is executed.

APK builds usually run as unprivileged user which is in the "abuild"
group. Abuild allows to specify a lot of things in the APKBUILD file
that requires root privileges (e.g. installing of packages, creation of
system users and groups). To allow this for the unprivileged abuild
user, a SUID executable "abuild-sudo" is provided which is a sudo
wrapper for several system tools (e.g. abuild-apk which wraps apk).
Since the compiling step also runs as that user, it has full access to
the SUIDed executables which is basically the same as granting full
system access.

Example: If a Makefile (which is run in the abuild context) downloads an
arbitrary APK and installs it via "abuild-apk --allow-untrusted", the
packages post install scripts are executed as root.

To improve build security and hardening build systems against malicious
compiling steps, abouid should perform tasks like installing of packages
and adding system users and groups as root and drop all privileges
during execution of the compiling steps (e.g. by su-ing to an
unprivileged user that has _no_ access to the SUID abuild applications).

Kind regards,

Michael.




---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Sun Sep 23 2018 - 19:50:43 GMT