Date: Wed, 22 Jun 2022 16:00:41 +0200
From: Markus Kolb
To: Paul Zillmann
Cc: Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
Subject: Re: Security problem in how you manage users in package installations

On 22.06.2022 14:14, Paul Zillmann wrote:
> Hello Markus,
>
> I've read through the entire conversation - the problem you are drawing
> isn't one.
>
> 1. The passwd calls have an adduser call right above them, creating a
> system user with that name.
> That fails if the user already exists and would return a non-zero
> return code.
> Thereby the package installation fails.

This is not true. And the rest is irrelevant.

It is not the admin doing anything wrong. The packages are installed unsafely, and if the admin wants to repair it, the packages mess it up again. (Relevant for the other problems with permissions, file and group owners.)

The adduser doesn't fail, the pre-install is not aborted, unlock is happening over and over again, the installation doesn't fail. This would also not be possible to do; you couldn't uninstall and reinstall packages.

Maybe you should try it out before talking about it, like all the others who see no problem and have not even had a look in the repository or tried an installation to see where the problems are.

Because I'm tired of explaining over and over again that it is like I say.

Last of my comments.