From: Patrycja Rosa
To: Markus Kolb
Cc: ~alpine/devel@lists.alpinelinux.org
Date: Tue, 21 Jun 2022 11:20:20 +0200
Subject: Re: Security problem in how you manage users in package installations
Message-ID: <9d3863ce-7299-db69-35ab-09d6bc24ce59@ptrcnull.me>
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>

On 21/06/2022 10:59, Markus Kolb wrote:
> On 19.06.2022 19:23, Jakub Jirutka wrote:
>>> There is the possibility to allow an unintended (remote) login or
>>> local privilege expansion by unlocking users in apk-executed scripts.
>>
>> No, if the user already exists, then adduser(8) does nothing.
>>
>
> But passwd does.
> Unlocking is happening with passwd and not adduser.
> Not sure why you all point to adduser?!

Because except for Gogs and Gitea, nothing uses passwd in post-install, just adduser - and in these two cases it's a desired behaviour, because otherwise using Git over system SSH wouldn't work.

> Can you all try to understand the problem and not try to avoid the
> explanations and saying all is fine like it is?!
> It is not, you have a package in your repository, where you can get for
> sure a CVE entry for because of how it is installed by apk.

Do you mind explaining how unlocking a user with no password, no shell and SSH keys managed by Gitea/Gogs specifically to run their handlers (in case of Gitea, "gitea serv key-name") is worthy of a CVE?
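The disagreement in the thread is about what "unlocking" an account changes and what, if anything, that lets an attacker reach. The following is an added example, not code from the thread, from Alpine or from Gitea: a POSIX sh audit that classifies accounts from constructed `/etc/passwd`, `/etc/shadow` and `authorized_keys` content embedded inline (all hashes, key blobs and user names are placeholders). It distinguishes a locked field (`!` or `*` prefix) from an empty one, checks whether the login shell is interactive, and checks whether every SSH key is pinned to a forced command with `no-pty`, which is the property the reply relies on for the Gitea/Gogs service user. The `unlock_field` helper models `passwd -u` as stripping a leading `!`; that is an assumption about the tool's behaviour, and whether a given implementation refuses to leave an empty password field must be checked against the `passwd` actually in use.

```shell
#!/bin/sh
# Added example, not code from the thread, Alpine or Gitea: audit what an
# "unlocked" account can actually do, from constructed /etc/passwd,
# /etc/shadow and authorized_keys content embedded below (placeholders only).

PASSWD='root:x:0:0:root:/root:/bin/sh
gitea:x:100:100:gitea:/var/lib/gitea:/bin/sh
svc:x:101:101:svc:/var/lib/svc:/sbin/nologin
bob:x:1000:1000:bob:/home/bob:/bin/sh
tmp:x:1001:1001:tmp:/var/lib/tmp:/sbin/nologin'

# root: real hash; gitea: empty field; svc: empty field; bob: locked hash;
# tmp: locked with no hash behind the marker.
SHADOW='root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
gitea::19000:0:99999:7:::
svc::19000:0:99999:7:::
bob:!$6$PLACEHOLDERHASH:19000:0:99999:7:::
tmp:!:19000:0:99999:7:::'

# Constructed key line in the style of a forge-managed key: the key may only
# run the handler, never a login shell.
AUTHKEYS='command="/usr/bin/gitea serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER key-1'

# shadow_state USER -> locked | empty | hashed | missing
shadow_state() {
    while IFS=: read -r name pw rest; do
        [ "$name" = "$1" ] || continue
        case "$pw" in
            "")        echo empty ;;
            '!'*|'*'*) echo locked ;;
            *)         echo hashed ;;
        esac
        return 0
    done <<EOF
$SHADOW
EOF
    echo missing
}

# login_shell USER -> seventh passwd field, or "missing"
login_shell() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$name" = "$1" ] || continue
        echo "$shell"
        return 0
    done <<EOF
$PASSWD
EOF
    echo missing
}

# unlock_field FIELD -> FIELD with a leading "!" removed. Assumption: this is
# how passwd -u behaves; a field that was only "!" becomes an empty password.
unlock_field() {
    case "$1" in
        '!'*) printf '%s\n' "${1#"!"}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# keys_restricted KEYS -> success if there is at least one key line and every
# key line carries a forced command and no-pty (SSH reaches only the handler)
keys_restricted() {
    n=0
    while IFS= read -r line; do
        case "$line" in ""|'#'*) continue ;; esac
        n=$((n + 1))
        case "$line" in *'command="'*) ;; *) return 1 ;; esac
        case "$line" in *no-pty*) ;;       *) return 1 ;; esac
    done <<EOF
$1
EOF
    [ "$n" -gt 0 ]
}

# risk USER KEYS -> one-word verdict combining the three properties above
risk() {
    st=$(shadow_state "$1")
    shell=$(login_shell "$1")
    case "$st" in
        locked)  echo locked ;;
        hashed)  echo password-set ;;
        missing) echo missing ;;
        empty)
            case "$shell" in
                */nologin|*/false) echo empty-password-no-shell ;;
                *)
                    if keys_restricted "$2"; then
                        echo empty-password-forced-command-keys
                    else
                        echo empty-password-interactive
                    fi ;;
            esac ;;
    esac
}

for u in root gitea svc bob tmp; do
    printf '%-6s shell=%-13s verdict=%s\n' "$u" "$(login_shell "$u")" "$(risk "$u" "$AUTHKEYS")"
done
```

The `empty-password-interactive` verdict is the one that deserves attention in a post-install review: an empty field plus a real shell plus keys without a forced command. The `empty-password-forced-command-keys` verdict is the situation the reply describes, where SSH can only invoke the handler; password login over SSH additionally depends on the daemon's `PermitEmptyPasswords` setting, which OpenSSH defaults to `no`. Running `unlock_field` over the `bob` and `tmp` fields shows why the two locked accounts differ: one unlocks back to its hash, the other to an empty password.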