Message-ID: <5df607d9-8eb4-9ccb-4dc2-02bec9323659@h6g.de>
Date: Wed, 22 Jun 2022 14:14:59 +0200
Subject: Re: Security problem in how you manage users in package installations
To: Markus Kolb, Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>
From: Paul Zillmann
In-Reply-To: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>

Hello Markus,

I've read through the entire conversation - the problem you are drawing isn't one.

1. The passwd calls have an adduser call right above them, creating a system user with that name. That fails if the user already exists and would return a non-zero return code. Thereby the package installation fails.
2. When you would create those users yourself it would fail too. So the only reason your procedure would work is when an administrator decides to give you access to a system user and change the shell wrapper for that user.
3. This could also occur when you change the running user of gitea / gogs in their respective config.

All of this is the responsibility of the system administrator. This is NOT an exploit the same way "I can change my root password to 123456" is not an exploit.

Am I missing something here?

- Paul

On 18.06.22 at 12:00, Markus Kolb wrote:
> Hello,
>
> I'm trying to maintain 2 packages I'm using with Alpine and would not
> like to see being removed from the repositories from future releases.
> But I could see that there is some basic problem.
> Currently you are unlocking users in pre-install of packages without
> any further checks of the existing system environment.
> There is assumed the user is not existing, there is no username clash,
> the user has not set a password, the user is used only for this
> package and so on.
> In short... this is a no-go to circumvent any administrative security
> related restrictions by package installations.
> There is the possibility to allow an unintended (remote) login or
> local privilege expansion by unlocking users in apk-executed scripts.
> And there is no sensitivity for this problem, because it is the
> recommended way of providing packages. (Quote: "see the <...apk>
> .pre-install, which is how all of them are done").
>
> I'm negatively surprised how careless the basic system permissions are
> used.
>
> Are you aware of this situation in Alpine and happy with it?
>
> Markus
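
An added example, not part of this thread and not taken from Alpine's packaging scripts: a guard a pre-install script could run before any unlock step, covering the checks the quoted message lists (account already exists, name clash, password already set). The function names, the "unlock only if absent" policy and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an account before a pre-install script touches it.
# Prints: absent | no-shadow | empty | locked | password
account_state() {
    user=$1 passwd_file=$2 shadow_file=$3
    # Exact match on the login-name field, so "git" never matches "gitea".
    if ! awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$passwd_file"; then
        echo absent
        return 0
    fi
    entry=$(awk -F: -v u="$user" '$1 == u { print "hash=" $2; exit }' "$shadow_file")
    case $entry in
        '')                  echo no-shadow ;;
        'hash=')             echo empty ;;
        'hash=!'*|'hash=*'*) echo locked ;;
        *)                   echo password ;;
    esac
}

# Policy (an assumption of this example): unlock only an account that did not
# exist before installation, i.e. one the script is about to create itself.
may_unlock() {
    [ "$(account_state "$1" "$2" "$3")" = absent ]
}

# Constructed sample files, not taken from a real system.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
gitea:x:101:102:gitea:/var/lib/gitea:/bin/sh
svc:x:102:103:svc:/var/lib/svc:/sbin/nologin
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:::::
gitea:$6$constructed$notarealhash:19000:0:::::
svc:!:19000:0:::::
EOF
for u in gitea svc gogs; do
    if may_unlock "$u" "$demo_dir/passwd" "$demo_dir/shadow"; then
        echo "$u: absent before install, create then unlock"
    else
        state=$(account_state "$u" "$demo_dir/passwd" "$demo_dir/shadow")
        echo "$u: pre-existing ($state), leave untouched"
    fi
done
rm -rf "$demo_dir"
```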