Date: Thu, 23 Jun 2022 08:17:09 +0200
From: Natanael Copa
To: Paul Zillmann
Cc: Markus Kolb, Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
Subject: Re: Security problem in how you manage users in package installations
Message-ID: <20220623081709.1958575c@ncopa-desktop.lan>
In-Reply-To: <5df607d9-8eb4-9ccb-4dc2-02bec9323659@h6g.de>
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de> <5df607d9-8eb4-9ccb-4dc2-02bec9323659@h6g.de>

On Wed, 22 Jun 2022 14:14:59 +0200 Paul Zillmann wrote:

> Hello Markus,
>
> I've read through the entire conversation - the problem you are drawing
> isn't one.
>
> 1. The passwd calls have an adduser call right above them, creating a
> system user with that name.
> That fails if the user already exists and would return a non-zero return
> code. Thereby the package installation fails.

That is actually not true. Here is the gogs.pre-install:

1 #!/bin/sh
2
3 addgroup -S -g 82 www-data 2>/dev/null
4 adduser -S -D -h /var/lib/gogs -s /bin/ash -G www-data -g gogs gogs 2>/dev/null
5 passwd -u gogs 2>/dev/null
6
7 exit 0

If the user already exists, the line 4 adduser will fail; however, the script will continue and also do the passwd on line 5. Line 7 makes sure that the script always exits with success, and the pre-install will never result in a package installation failure.

I believe this should be fixed to:

diff --git a/community/gogs/gogs.pre-install b/community/gogs/gogs.pre-install
index ea77703d1e..80d9ac0763 100644
--- a/community/gogs/gogs.pre-install
+++ b/community/gogs/gogs.pre-install
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 addgroup -S -g 82 www-data 2>/dev/null
-adduser -S -D -h /var/lib/gogs -s /bin/ash -G www-data -g gogs gogs 2>/dev/null
-passwd -u gogs 2>/dev/null
+adduser -S -D -h /var/lib/gogs -s /bin/ash -G www-data -g gogs gogs 2>/dev/null \
+ && passwd -u gogs 2>/dev/null
 
 exit 0

That way the user is only unlocked at first install. If an admin afterwards locks the user (and intentionally breaks gogs' functionality), it will continue that way on future upgrades.

I was about to ping the gogs package maintainer, but it seems like nobody wants to maintain it. I guess I'll just go ahead and fix this.

-nc
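Review bot: chaining passwd behind adduser with && skips "passwd -u gogs" not only when the user already exists but whenever adduser fails for any other reason (for instance when the www-data group from the preceding, equally unchecked addgroup line is missing), and because the adduser line still discards stderr and the script still ends in "exit 0", such a failure leaves the gogs account locked with nothing in the install output to show why. Consider either dropping "2>/dev/null" from the adduser line so the unexpected case at least prints a message, or adding a short comment above "exit 0" stating that a pre-install must never block package installation, so the next reader knows the swallowed status is deliberate.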
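As an added example (not code from this thread or from Alpine's aports), the script below simulates a fresh install followed by one upgrade for both versions of gogs.pre-install. It replaces addgroup, adduser and passwd with stub shell functions (adduser mimics BusyBox's non-zero exit for an existing user) so it runs without root, and reports how often the gogs account got unlocked: twice with the original script, once with the chained version.

```shell
#!/bin/sh
# Added example (not code from the thread or from Alpine's aports): simulate
# both gogs.pre-install versions with stub addgroup/adduser/passwd functions so
# it runs unprivileged; "users" lists created accounts, "unlock" logs passwd -u.
STATE=$(mktemp -d)

addgroup() { return 0; }          # group handling is not what is being checked

adduser() {
    # Like BusyBox adduser: exit non-zero if the user already exists.
    for user in "$@"; do :; done  # the last argument is the username
    if grep -qx "$user" "$STATE/users" 2>/dev/null; then
        echo "adduser: user '$user' in use" >&2
        return 1
    fi
    echo "$user" >>"$STATE/users"
}

passwd() {
    # Record each unlock so it can be counted afterwards.
    [ "$1" = "-u" ] && echo "$2" >>"$STATE/unlock"
    return 0
}

# Original pre-install: a failing adduser does not stop the script, and the
# final "exit 0" hides it. The subshell body keeps "exit" and "set +e" local.
preinstall_old() (
    set +e
    addgroup -S -g 82 www-data 2>/dev/null
    adduser -S -D -h /var/lib/gogs -s /bin/ash -G www-data -g gogs gogs 2>/dev/null
    passwd -u gogs 2>/dev/null
    exit 0
)

# Proposed pre-install: passwd -u runs only when adduser succeeded.
preinstall_new() (
    set +e
    addgroup -S -g 82 www-data 2>/dev/null
    adduser -S -D -h /var/lib/gogs -s /bin/ash -G www-data -g gogs gogs 2>/dev/null \
        && passwd -u gogs 2>/dev/null
    exit 0
)

# Fresh install then upgrade for one variant ("old"/"new"); print the unlock count.
unlocks_after_two_installs() {
    rm -f "$STATE/users" "$STATE/unlock"
    "preinstall_$1" && "preinstall_$1"
    grep -c . "$STATE/unlock" 2>/dev/null || echo 0
}
```

Run `unlocks_after_two_installs old` and `unlocks_after_two_installs new` to see 2 and 1 respectively.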