Date: Sat, 18 Jun 2022 12:00:38 +0200
From: Markus Kolb
To: Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
Subject: Security problem in how you manage users in package installations
Message-ID: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>

Hello,

I'm trying to maintain 2 packages I'm using with Alpine and would not like to see them removed from the repositories in future releases.

But I could see that there is some basic problem. Currently you are unlocking users in pre-install of packages without any further checks of the existing system environment. It is assumed that the user does not exist, there is no username clash, the user has not set a password, the user is used only for this package and so on.

In short... this is a no-go to circumvent any administrative security-related restrictions by package installations. There is the possibility to allow an unintended (remote) login or local privilege expansion by unlocking users in apk-executed scripts.

And there is no sensitivity for this problem, because it is the recommended way of providing packages. (Quote: "see the <...apk> .pre-install, which is how all of them are done").

I'm negatively surprised how carelessly the basic system permissions are used. Are you aware of this situation in Alpine and happy with it?

Markus
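
One way for an administrator to check for the situation this message describes, as an added example that is not part of the original e-mail: snapshot a shadow(5)-format file before and after a package installation and report accounts that went from locked to loginable. The function names, snapshot files and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): compare two snapshots of a
# shadow(5)-format file and report accounts a package install left loginable.

# Field 2 of shadow: "" = no password required, leading "!" or "*" = locked.
lock_changes() {    # usage: lock_changes BEFORE_FILE AFTER_FILE
    awk -F: '
        function state(f) {
            if (f == "") return "empty"
            if (f ~ /^[!*]/) return "locked"
            return "password"
        }
        $1 == "" { next }
        FILENAME == ARGV[1] { before[$1] = state($2); next }
        {
            now = state($2)
            if (!($1 in before)) {
                # Account created between the snapshots without a lock.
                if (now != "locked") print "new-unlocked", $1, now
            } else if (before[$1] == "locked" && now != "locked") {
                # Pre-existing account whose lock was removed.
                print "unlocked", $1, now
            }
        }' "$1" "$2"
}

# Constructed sample data: "svc" was locked by the admin and is unlocked
# afterwards; "newsvc" is created without a lock; "daemon" stays locked.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:$6$constructed$hash:19000:0:::::' \
                  'daemon:*:19000:0:::::' \
                  'svc:!:19000:0:::::' > "$dir/before"
    printf '%s\n' 'root:$6$constructed$hash:19000:0:::::' \
                  'daemon:*:19000:0:::::' \
                  'svc::19000:0:::::' \
                  'newsvc:$6$constructed$hash2:19000:0:::::' > "$dir/after"
    lock_changes "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo
```

On a real system the two inputs would be copies of the shadow file taken as root immediately before and after the installation.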