X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 6B09BDC0181 for ; Mon, 2 Dec 2013 16:04:26 +0000 (UTC) Received: from compute4.internal (compute4.nyi.mail.srv.osa [10.202.2.44]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id DC50E209CF; Mon, 2 Dec 2013 11:04:25 -0500 (EST) Received: from web4 ([10.202.2.214]) by compute4.internal (MEProxy); Mon, 02 Dec 2013 11:04:25 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:from:to:cc:mime-version :content-transfer-encoding:content-type:in-reply-to:references :subject:date; s=smtpout; bh=mLTQzJwrsjdqNBqjj/mwPkK1Ga8=; b=G7q UltSnZ9BNds8HD1tpy0Fvhfjvyx3f8dwADSbxs7WJkJ0Dmsvdthl3/bGH3ptt4IP Q1satI1w3mFnGrqG/tNEHROmaa2Xijlc3QtsgahQfVR1Nvc2hMGFkcvqmi8DndZo kLNnAaDMcXHLdiIvk9u4WQkg62VMuuXorYTkoF+s= Received: by web4.nyi.mail.srv.osa (Postfix, from userid 99) id B46BE161802; Mon, 2 Dec 2013 11:04:25 -0500 (EST) Message-Id: <1386000265.25324.54500989.5FF25FA8@webmail.messagingengine.com> X-Sasl-Enc: msYVnMQVduGMefLXescuhpxlJCyElxywesF0ANiG0w6o 1386000265 From: Jim Pryor To: Natanael Copa Cc: Alpine X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - html In-Reply-To: <20131202142914.4438af81@ncopa-desktop.alpinelinux.org> References: <20131201174554.GB29236@zen> <20131201235659.GD29236@zen> <20131202142914.4438af81@ncopa-desktop.alpinelinux.org> Subject: Re: [alpine-devel] a few abuild oddities Date: Mon, 02 Dec 2013 11:04:25 -0500 On Mon, Dec 2, 2013, at 08:29 AM, Natanael Copa wrote: > One thing we could do to improve the security a bit is to ban the > --allow-untrusted option with the suid abuild-apk. That would allow the > users in abuild group to install signed packages only. Adding the user > to 'abuild' group and the users key to /etc/apk/keys would then be > equivalent as give full root access. I do think this would be a good improvement, if only for people who put users in the abuild group without fully understanding the consequences. In practice, though, anyone who knows what they're doing is going to also put a key in /etc/apk/keys, and then any vulnerabilities in that account will give full root access. Is it possible to use abuild for the full range of activities without being in the abuild group? Do we just prompt with sudo or su in those cases when needed? In that case the security-conscious solution will just be don't add your users to the "abuild" group. The costs and benefits of this would just need to be more clearly documented. -- dubiousjim@gmail.com --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---