Received: from mx1.mailbun.net (mx1.mailbun.net [170.39.20.100])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 0D4EF7812FC
	for <~alpine/devel@lists.alpinelinux.org>; Wed, 22 Jun 2022 15:26:26 +0000 (UTC)
Received: from [192.168.0.120] (ip98-188-99-246.tu.ok.cox.net [98.188.99.246])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: ariadne@dereferenced.org)
	by mx1.mailbun.net (Postfix) with ESMTPSA id 3068512531F;
	Wed, 22 Jun 2022 15:26:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dereferenced.org;
	s=mailbun; t=1655911583;
	bh=mHbd7RLcYA1C7QrTkBEG6qxqbYdhTs8EU8iXhKUtWwY=;
	h=Date:From:To:cc:Subject:In-Reply-To:References;
	b=V3GpCApXgTV02QZZA7iIgoDnOOR/W2EBzdXoUlmfPhcIudRzz7K2ckkXIQkRGv0uq
	 z/Kw4fQ5hk6Aa308vrMJbIEhWB/KHdqFTuDotoo9kngyp38mmZTeprH0N7fvfC69+J
	 gcb/TCsCEq8C6fPsoTL4Et0GYY1q9OWYYEYex6EIv084KkhHS6r8QJkH0Wlch2Baoz
	 g3MssdLsg5wcHelK393+8+HSfacqfioWuMoxPzNnxXZOeFG7dohsNGO8wuNlMLSUeJ
	 3wHzw3ghturVl1w2DTjlgEA3ilRfmMoJNTq0iEb5lqCUoSgsA0tGlVqnXhNFEpF72g
	 wXyT+Nh6yymNw==
Date: Wed, 22 Jun 2022 10:26:22 -0500 (CDT)
From: Ariadne Conill <ariadne@dereferenced.org>
To: Markus Kolb <alpinelinux+develml@tower-net.de>
cc: Paul Zillmann <p.zillmann@h6g.de>, 
    Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
Subject: Re: Security problem in how you manage users in package
 installations
In-Reply-To: <6ad6dc8aa59353b88d9c068eb31bff14@tower-net.de>
Message-ID: <758eb040-1184-1382-9083-d620e57c619@dereferenced.org>
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de> <5df607d9-8eb4-9ccb-4dc2-02bec9323659@h6g.de> <6ad6dc8aa59353b88d9c068eb31bff14@tower-net.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed

Hi,

On Wed, 22 Jun 2022, Markus Kolb wrote:

> Am 22.06.2022 14:14, schrieb Paul Zillmann:
>> Hello Markus,
>> 
>> I've read thru the entire conversation - the problem you are drawing isn't 
>> one.
>> 
>> 1. The passwd calls have an adduser call right above them, creating a
>> system user with that name.
>> That fails if the user already exists and would return a non-zero
>> return code. Thereby the package installation fails.
>
> This is not true. And the rest is irrelevant. It is not the admin doing 
> anything wrong. The packages are installed unsafe, and if the admin wants to 
> repair it, the packages mess it up again. (Relevant for the other problems 
> with permissions, file and group owners.)

This is why apk-tools 3 is directly gaining the ability to do account 
management, so that maintainer scripts are not adding/removing accounts.

In other words: we are already doing something about this.

> The adduser doesn't fail, the pre-install is not aborted, unlock is happening 
> over and over again, the installation doesn't fail.
> This would also not be possible to do, you couldn't uninstall and reinstall 
> packages.

The unlock of a specified account, e.g. gogs or gitea, which must be 
unlocked for the package to work as intended (e.g. allow remote SSH git 
pushes).

And whether that account is locked or not does not actually have any 
influence over your data exfiltration scenario outlined elsewhere.

> Maybe you should try out before talking about, like all the others seeing no 
> problem and had not even a look in the repository or tried an installation to 
> see where the problems are.

I took a look before I concluded it was not a problem.  I still say it is 
not a problem.  Your data exfiltration scenario has nothing to do with 
whether the account is locked or not.

Ariadne