From: Michael Wyraz
To: alpine-devel@lists.alpinelinux.org
Subject: [alpine-devel] Build security - run as root, drop privileges during compile
Message-ID: <9a302990-8762-9572-b363-8b0c5710741e@wyraz.de>
Date: Sun, 23 Sep 2018 19:50:43 +0200

Hello devs,

the current abuild refuses to run as root and requires a user in the "abuild" group to run builds "for security reasons". IMO this does not improve security and probably should be done exactly the other way round: run abuild as root and drop privileges at any place where untrusted code is executed.

APK builds usually run as an unprivileged user which is in the "abuild" group. Abuild allows specifying a lot of things in the APKBUILD file that require root privileges (e.g. installing packages, creating system users and groups). To allow this for the unprivileged abuild user, a SUID executable "abuild-sudo" is provided which is a sudo wrapper for several system tools (e.g. abuild-apk, which wraps apk). Since the compiling step also runs as that user, it has full access to the SUIDed executables, which is basically the same as granting full system access.

Example: If a Makefile (which is run in the abuild context) downloads an arbitrary APK and installs it via "abuild-apk --allow-untrusted", the package's post-install scripts are executed as root.

To improve build security and harden build systems against malicious compiling steps, abuild should perform tasks like installing packages and adding system users and groups as root and drop all privileges during execution of the compiling steps (e.g. by su-ing to an unprivileged user that has _no_ access to the SUID abuild applications).

Kind regards,
Michael.

---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
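The proposal above (privileged steps as root, then an irreversible drop to a user outside the "abuild" group before the compile step runs) as a worked example. This is added illustration code, not abuild's own implementation or anything from the alpine-devel thread. It assumes a hypothetical layout in which the abuild-sudo helpers are installed root:abuild with mode 4750, so that membership in "abuild" is exactly what grants root through them; the gid 300 for "abuild" and the uid/gid 1001 for the compile user are constructed sample values.

```python
"""
Privilege-dropping wrapper for an untrusted compile step (added example).

Model assumed here (not taken from abuild): SUID helpers such as abuild-apk
are root:abuild, mode 4750. A process can only reach them if its gid or one
of its supplementary gids is the "abuild" gid, so the compile step must run
as a user that is NOT in that group, while package installation and user
creation happen earlier, directly as root.
"""
import os
import stat
import subprocess

ABUILD_GID = 300          # constructed sample gid for the "abuild" group
HELPER_MODE = 0o4750      # assumed mode of the abuild-sudo helpers
BUILD_UID = 1001          # constructed sample compile user, not in "abuild"
BUILD_GID = 1001


def can_exec_setuid_helper(mode, owner_uid, owner_gid, uid, gid, groups):
    """Plain Unix execute-permission check for one identity against one file.

    Returns True when a process with (uid, gid, groups) may execute a file
    owned by owner_uid:owner_gid with the given mode bits. This is the test
    the kernel applies before honouring the SUID bit, so it shows why group
    membership, not the bit itself, is what hands out root.
    """
    if uid == 0:  # root only needs some execute bit to be set
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if gid == owner_gid or owner_gid in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def check_identity(uid, gid, groups, forbidden_gids):
    """Return a list of problems with an identity meant to run untrusted code.

    Empty list means: not root, and no gid that would reach the SUID helpers.
    """
    problems = []
    if uid == 0 or gid == 0 or 0 in groups:
        problems.append("identity still carries uid 0 or gid 0")
    leaked = set(forbidden_gids) & (set(groups) | {gid})
    if leaked:
        problems.append("still member of forbidden gid(s) %s" % sorted(leaked))
    return problems


def drop_privileges(uid, gid, forbidden_gids, groups=()):
    """Irreversibly switch the calling process to uid/gid.

    Order matters: supplementary groups first (needs root), then gid, then
    uid. Doing setuid first would leave us unable to fix the groups. After
    the switch, verify the result and prove it cannot be undone.
    """
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to root")
    os.setgroups(list(groups))   # as root: sets real/effective/saved ids
    os.setgid(gid)
    os.setuid(uid)
    problems = check_identity(os.getuid(), os.getgid(), os.getgroups(),
                              forbidden_gids)
    if problems:
        raise RuntimeError("; ".join(problems))
    try:
        os.setuid(0)             # must fail now that the saved uid is gone
    except PermissionError:
        return True
    raise RuntimeError("privileges could be regained after the drop")


def run_compile_step(argv, uid=BUILD_UID, gid=BUILD_GID,
                     forbidden_gids=frozenset({ABUILD_GID}), cwd=None):
    """Run the untrusted build command with privileges dropped in the child.

    The parent stays root for the remaining privileged packaging steps; only
    the forked child gives up its identity before exec. A scrubbed
    environment keeps root's HOME/PATH from leaking into the build.
    """
    env = {"PATH": "/usr/bin:/bin", "HOME": "/nonexistent", "LANG": "C"}
    proc = subprocess.run(
        argv, cwd=cwd, env=env, check=False,
        preexec_fn=lambda: drop_privileges(uid, gid, forbidden_gids))
    return proc.returncode


if __name__ == "__main__":
    # Why the current model is equivalent to root: a user in "abuild" may
    # execute the SUID helper ...
    print(can_exec_setuid_helper(HELPER_MODE, 0, ABUILD_GID,
                                 1000, 1000, [1000, ABUILD_GID]))   # True
    # ... while the proposed compile user cannot reach it at all.
    print(can_exec_setuid_helper(HELPER_MODE, 0, ABUILD_GID,
                                 BUILD_UID, BUILD_GID, [BUILD_GID]))  # False
    if os.geteuid() == 0:  # the real drop only works when started as root
        print("compile step exit code:", run_compile_step(["id"]))
```

Running the script as root executes `id` as uid 1001 with no supplementary groups; the `preexec_fn` runs between fork and exec, so a failed or incomplete drop aborts the child before any untrusted command starts. `preexec_fn` is not safe in multi-threaded programs; a wrapper that must stay threaded should instead exec a small helper that performs the same setgroups/setgid/setuid sequence.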