~alpine/devel

Re: Security problem in how you manage users in package installations

Patrycja Rosa <patrycja@ptrcnull.me>
Message ID: <9d3863ce-7299-db69-35ab-09d6bc24ce59@ptrcnull.me>
DKIM signature: missing
On 21/06/2022 10:59, Markus Kolb wrote:
> On 19.06.2022 19:23, Jakub Jirutka wrote:
>>> There is the possibility to allow an unintended (remote) login or 
>>> local privilege expansion by unlocking users in apk-executed scripts.
>>
>> No, if the user already exists, then adduser(8) does nothing.
>>
> 
> But passwd does. Unlocking is happening with passwd and not adduser.
> Not sure why you all point to adduser?!
Because except for Gogs and Gitea, nothing uses passwd in post-install, 
just adduser - and in these two cases it's a desired behaviour, because 
otherwise using Git over system SSH wouldn't work.

> Can you all try to understand the problem and not try to avoid the 
> explanations and saying all is fine like it is?!
> It is not, you have a package in your repository, where you can get for 
> sure a CVE entry for because of how it is installed by apk.
Do you mind explaining how unlocking a user with no password, no shell 
and SSH keys managed by Gitea/Gogs specifically to run their handlers 
(in case of Gitea, "gitea serv key-name") is worthy of a CVE?
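The thread turns on what `passwd -u` in a post-install script actually grants. What follows is an added example, not code from this thread, from apk or from Gitea/Gogs: a small Python auditor that takes /etc/passwd, /etc/shadow and per-user authorized_keys content and reports, per account, whether the shadow field is locked (`!` prefix), empty or hashed, whether the login shell can run anything at all, and whether every SSH key is pinned to a forced `command=` like the `gitea serv key-name` entries mentioned above. All input is constructed sample data; the user names, the gitea binary path and the key blobs are placeholders, not the Alpine package's values.

```python
"""Audit unlocked local accounts: password state, shell, authorized_keys restrictions.

Added example for the adduser / passwd -u discussion; not code from the Alpine
thread, from apk or from Gitea/Gogs. All input is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd and /etc/shadow (hash and key blobs are placeholders).
PASSWD = """\
root:x:0:0:root:/root:/bin/ash
gitea:x:100:82:gitea:/var/lib/gitea:
www:x:101:101:www:/var/www:/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
gitea::19000::::::
www:!:19000::::::
deploy::19000::::::
"""
# Constructed authorized_keys lines per user. The gitea entry mimics the shape
# of a Gitea-managed forced-command key; the binary/config paths are assumptions.
AUTHORIZED_KEYS = {
    "gitea": [
        'command="/usr/bin/gitea --config=/etc/gitea/app.ini serv key-1",'
        "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty "
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 user@laptop",
    ],
    "deploy": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 deploy@ci"],
}


def password_state(field: str) -> str:
    """Classify the password field of one /etc/shadow entry."""
    if field.startswith("!"):
        # busybox adduser -D and passwd -l leave this; OpenSSH on Linux (no PAM)
        # refuses the account entirely, public-key auth included, while it is set
        return "locked"
    if field == "":
        # what passwd -u leaves for an account that never had a hash: login(1)
        # asks for no password, sshd rejects it unless PermitEmptyPasswords yes
        return "empty"
    if field.startswith("*"):
        return "disabled"  # no hash can match, but public-key SSH still works
    return "hashed"


def split_authorized_key(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (options, key_type, key_blob) for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        options, rest = "", line
    else:
        # options run up to the first whitespace outside double quotes
        i, in_quote = 0, False
        while i < len(line):
            c = line[i]
            if in_quote and c == "\\":
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        options, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return options, parts[0], parts[1]


def has_forced_command(options: str) -> bool:
    return re.search(r'(?:^|,)command="', options) is not None


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    password_state: str
    key_count: int
    unrestricted_keys: int  # keys carrying no command="..." option

    @property
    def shell_usable(self) -> bool:
        # an empty shell field makes login(1) and sshd fall back to /bin/sh
        return self.shell not in NOLOGIN_SHELLS

    @property
    def password_login_possible(self) -> bool:
        return self.password_state == "empty" and self.shell_usable

    @property
    def pubkey_ssh_possible(self) -> bool:
        return (self.password_state != "locked" and self.shell_usable
                and self.key_count > 0)


def audit(passwd_text: str, shadow_text: str,
          authorized_keys: Dict[str, List[str]]) -> Dict[str, Account]:
    shadow = {}
    for line in shadow_text.splitlines():
        if line:
            name, field = line.split(":", 2)[:2]
            shadow[name] = field
    accounts = {}
    for line in passwd_text.splitlines():
        if not line:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        keys = [k for k in map(split_authorized_key, authorized_keys.get(name, [])) if k]
        accounts[name] = Account(
            name=name, uid=int(uid), shell=shell,
            password_state=password_state(shadow.get(name, "!")),  # absent = locked
            key_count=len(keys),
            unrestricted_keys=sum(1 for opts, _, _ in keys if not has_forced_command(opts)),
        )
    return accounts


def findings(accounts: Dict[str, Account]) -> List[str]:
    """One line per way an unlocked account can actually be reached."""
    out = []
    for a in accounts.values():
        if a.password_login_possible:
            out.append(f"{a.name}: no password required, shell {a.shell or '/bin/sh'} runs")
        if a.pubkey_ssh_possible and a.unrestricted_keys:
            out.append(f"{a.name}: {a.unrestricted_keys} key(s) give an unrestricted shell")
        elif a.pubkey_ssh_possible:
            out.append(f"{a.name}: SSH possible, every key pinned to a forced command")
    return out


if __name__ == "__main__":
    for line in findings(audit(PASSWD, SHADOW, AUTHORIZED_KEYS)):
        print(line)
```

The rules it applies are the ones the thread is implicitly arguing about: OpenSSH on Linux without PAM refuses every login, public-key included, to an account whose shadow field starts with `!`, which is why a package offering Git over the system sshd has to unlock the account at all; an empty field is not the same as a locked one, since login(1) then asks for no password while sshd still rejects it under the default `PermitEmptyPasswords no`; and an empty shell field is treated as /bin/sh by both login(1) and sshd, whereas /sbin/nologin really does stop even a forced command from running. The auditor only reports; deciding whether a given combination is acceptable for a given package is left to the reader.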