Received: from ncopa-desktop.lan (ti0056a400-2304.bb.online.no [85.167.212.10])
	(Authenticated sender: ncopa@alpinelinux.org)
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPSA id 0B0097811E9;
	Tue, 21 Jun 2022 10:17:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alpinelinux.org;
	s=smtp; t=1655806666;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=MXT8s+eo+0/4CpVK3XifBjSobrIRalatj0JTbQ1+RTQ=;
	b=P9rBTjVbNW/1T6N3VyTBrgCE7WI1W/o65siTtZBslIMfM9e62qGoXouyJT1En1nGEdr7XZ
	5RIVMxTtSknCxV6lk9tcAXC+BE5r5zN5VtLSLL6p2PW9OXp5urRleIx+3J0dZULDfomXte
	Urn/Xc9TBHt1wQiW+Z+xGKTbAz+alXM=
Date: Tue, 21 Jun 2022 12:17:44 +0200
From: Natanael Copa <ncopa@alpinelinux.org>
To: Markus Kolb <alpinelinux+develml@tower-net.de>
Cc: Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
Subject: Re: Security problem in how you manage users in package
 installations
Message-ID: <20220621121744.01de0b33@ncopa-desktop.lan>
In-Reply-To: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>
X-Mailer: Claws Mail 4.1.0 (GTK 3.24.34; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Sat, 18 Jun 2022 12:00:38 +0200
Markus Kolb <alpinelinux+develml@tower-net.de> wrote:

> Hello,
> 
> I'm trying to maintain 2 packages I'm using with Alpine and would not 
> like to see being removed from the repositories from future releases.
> But I could see that there is some basic problem.
> Currently you are unlocking users in pre-install of packages without any 
> further checks of the existing system environment.

Where are users unlocked in pre-install?

...

> There is the possibility to allow an unintended (remote) login or local 
> privilege expansion by unlocking users in apk-executed scripts.

Can you please explain with an example how that would work?

I as an admin create a user called 'foo' and then a package with a
service tries to create the same user 'foo'? Using adduser? or using
passwd?

> And there is no sensitivity for this problem, because it is the 
> recommended way of providing packages. (Quote: "see the <...apk> 
> .pre-install, which is how all of them are done").
> 
> I'm negatively surprised how careless the basic system permissions are 
> used.
> 
> Are you aware of this situation in Alpine and happy with it?

Apparently I was not aware of the severity of the situation. no.

Can you please give me an example of how this could be exploited by an
attacker?

> Markus