Mail archive
alpine-devel

Re: [alpine-devel] Build security - run as root, drop privileges during compile

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Mon, 24 Sep 2018 14:24:05 +0200

Hi,

Yes, I think you are right. The current approach is hackish and could
have been done better.

Changing this will require some refactoring of aports-build too, which
would need to run as root and drop privileges for everything except
calling abuild.

We have been talking about refactoring the build infra for a while and
this is one of the things I'd like to fix.

Not sure when I'll get to that though.

We can probably fix abuild to not bail out if you run it as root and
make it drop privileges instead, and deal with the build server scripts
later.

Thanks!

-nc

On Sun, 23 Sep 2018 19:50:43 +0200
Michael Wyraz <michael_at_wyraz.de> wrote:

> Hello devs,
>
> the current abuild refuses to run as root and requires a user in the
> "abuild" group to run builds "for security reasons". IMO this does not
> improve security and probably should be done exactly the other way
> round: Run abuild as root and drop privileges at any place where
> untrusted code is executed.
>
> APK builds usually run as an unprivileged user which is in the "abuild"
> group. Abuild allows specifying a lot of things in the APKBUILD file
> that require root privileges (e.g. installing packages, creating
> system users and groups). To allow this for the unprivileged abuild
> user, a SUID executable "abuild-sudo" is provided which is a sudo
> wrapper for several system tools (e.g. abuild-apk which wraps apk).
> Since the compiling step also runs as that user, it has full access to
> the SUIDed executables, which is basically the same as granting full
> system access.
>
> Example: If a Makefile (which is run in the abuild context) downloads an
> arbitrary APK and installs it via "abuild-apk --allow-untrusted", the
> package's post-install scripts are executed as root.
>
> To improve build security and harden build systems against malicious
> compiling steps, abuild should perform tasks like installing packages
> and adding system users and groups as root and drop all privileges
> during execution of the compiling steps (e.g. by su-ing to an
> unprivileged user that has _no_ access to the SUID abuild applications).
>
> Kind regards,
>
> Michael.
>
> ---
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
> ---
>

Received on Mon Sep 24 2018 - 14:24:05 GMT
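The privilege-drop sequence proposed in this thread, as an added example that is not abuild's code or anything posted to the list: a build wrapper that starts as root, does its privileged work itself, then forks a child that permanently drops to an unprivileged user with no supplementary groups before exec'ing the untrusted compile step. The build user uid/gid 65534 ("nobody" on Alpine), the requirement that this user is not a member of the "abuild" group, and the placeholder command `id` standing in for `make` are assumptions.

```c
/* Added example (not abuild's code): run privileged steps as root, then
 * drop to an unprivileged user before the untrusted compile step.
 * Assumptions: build user is uid/gid 65534 ("nobody" on Alpine) and is
 * NOT in the "abuild" group; "id" stands in for the real build command. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define BUILDER_UID ((uid_t)65534)   /* assumption: unprivileged build user */
#define BUILDER_GID ((gid_t)65534)

/* Drop to uid/gid for good. Order matters: clear supplementary groups
 * while still root (this is what removes "abuild" membership), then the
 * gid, then the uid last, since after setuid() groups can't be changed.
 * Called with euid 0, setgid()/setuid() set the real, effective and saved
 * ids, so no saved uid 0 remains to come back to. Returns 0 or -1/errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Check that the drop stuck: real and effective ids match the target and
 * becoming root again is refused. Returns 0 if unprivileged, else -1. */
int verify_unprivileged(uid_t uid, gid_t gid)
{
    if (uid == 0 || getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0 || errno != EPERM)   /* must fail with EPERM */
        return -1;
    return 0;
}

/* Returns 0 if no supplementary group other than gid is left. */
int only_group(gid_t gid)
{
    gid_t groups[64];
    int n = getgroups(64, groups), i;
    if (n < 0)
        return -1;
    for (i = 0; i < n; i++)
        if (groups[i] != gid)
            return -1;
    return 0;
}

/* As root: drop to the build user and verify. Already unprivileged: only
 * verify the current ids (an ordinary user's group list is left alone). */
int demo_drop(void)
{
    if (geteuid() == 0) {
        if (drop_privileges(BUILDER_UID, BUILDER_GID) != 0)
            return -1;
        if (only_group(BUILDER_GID) != 0)
            return -1;
        return verify_unprivileged(BUILDER_UID, BUILDER_GID);
    }
    return verify_unprivileged(getuid(), getgid());
}

int main(int argc, char **argv)
{
    const char *cmd = argc > 1 ? argv[1] : "id";   /* stands in for make */
    pid_t pid;
    int status;

    /* Privileged steps (apk add, adduser, addgroup ...) belong here, run by
     * the wrapper itself, never via a SUID helper the build user can reach. */
    pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    if (pid == 0) {
        if (demo_drop() != 0) {
            fprintf(stderr, "privilege drop failed or incomplete\n");
            _exit(127);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        perror("execl");
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root, the child's `id` reports uid=65534 with no supplementary groups, so a malicious Makefile can neither call abuild-sudo (not in the "abuild" group) nor regain root; run as an ordinary user it only confirms the current state. The refusal of `setuid(0)` after the drop is the check worth keeping in a real wrapper, since a drop that leaves the saved uid at 0 would silently succeed and be trivially undone by the build step.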