X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id ED95FDC00D0 for ; Sun, 1 Dec 2013 23:57:01 +0000 (UTC) Received: from compute5.internal (compute5.nyi.mail.srv.osa [10.202.2.45]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 6A8CA20F05 for ; Sun, 1 Dec 2013 18:57:00 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute5.internal (MEProxy); Sun, 01 Dec 2013 18:57:00 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=date:from:to:subject:message-id :references:mime-version:content-type:in-reply-to; s=smtpout; bh=lKNvnn7Xe4HFXVRh7/L8SAzy1xY=; b=KYwlFKEzSNqxb+awIv+5Dwmlb1ov C+RoVhmi0rQ9iU4EWEtVXG5QUDbCbL7NvLUfIUTDt9hsuCD/+/cNdBG/hvN9qou6 1v6pLY1v3dkf56RgQC1VfeHY4Y6B3KsgtDLaS/3XeM29NR3whgooptfc/+jUpDds Sjn5oVO5q4KvMlU= X-Sasl-enc: vePokwGX0WO4WucIbgF3v/kRzRhMhNJ2nkSTMPsAqEw2 1385942220 Received: from localhost (unknown [69.86.161.244]) by mail.messagingengine.com (Postfix) with ESMTPA id 34E376800D7 for ; Sun, 1 Dec 2013 18:57:00 -0500 (EST) Date: Sun, 1 Dec 2013 18:56:59 -0500 From: Dubiousjim To: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] a few abuild oddities Message-ID: <20131201235659.GD29236@zen> Mail-Followup-To: alpine-devel@lists.alpinelinux.org References: <20131201174554.GB29236@zen> X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20131201174554.GB29236@zen> User-Agent: Mutt/1.5.22 (2013-10-16) On Sun, Dec 01, 2013 at 12:45:54PM -0500, Dubiousjim wrote: > Second, I don't understand how abuild is acquiring sufficient > permissions to do what it seems to be doing in these cases. > > My user belongs to the "abuild" group, but normally isn't able to even > acquire a lock on the apk database, much less add or del packages, > without raising privileges via sudo or su. Also, my /etc/apk/world file > lists as: > > -rw-r--r-- 1 root root 885 Dec 1 11:58 /etc/apk/world > > However, I can be sure that sudo hasn't cached any privileges (sudo -k) > and go into an aports directory and type `abuild -r -i pkg1` (supplying > an appropriate package name), and then WITHOUT EVER ASKING FOR A > PASSWORD, abuild will: > > * download and install the necessary dependencies: I assume it shouldn't > be able to do this without privileges, although possibly the packages > are getting installed in an overlay or some-such ... I know that > didn't use to be the case, but I haven't kept close tabs on how the > code has developed over the past year or so. Even if the packages > weren't really getting installed to /, where the user running abuild > lacks sufficient privileges, still how can abuild update > /etc/apk/world? which one can see it does because the .makedepends-foo > virtual package never gets deleted (see first issue above) > > * if the build completes successfully, then install the relevant local > package, again which it shouldn't be able to do without prompting for > a password > > Perhaps the issue here isn't with abuild, but rather with one or the > other of fakeroot and sudo? I've figured out the answer to this question. The answer is that we have a binary abuild-sudo, which is installed suid, and can be invoked by anyone in the "abuild" group (via the symlinks abuild-apk, abuild-addgroup, and abuild-adduser) to run the corresponding commands as root, without needing any sudo/su authentication. Thus if your user belongs to the "abuild" group, then you can always do all your apk-ing, with full permissions, just by invoking apk as "abuild-apk" instead of just bare "apk". The merits of this design may be debatable, but I'm at least relieved that this *is* by design, and that I can now understand where and why it's happening, and what the limits to this security opening are. -- Dubiousjim dubiousjim@gmail.com --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---