Received: from mail-vk1-f175.google.com (mail-vk1-f175.google.com [209.85.221.175])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id B1E3878100C
	for <~alpine/devel@lists.alpinelinux.org>; Sun, 19 Jun 2022 13:42:48 +0000 (UTC)
Received: by mail-vk1-f175.google.com with SMTP id b5so773896vkp.4
        for <~alpine/devel@lists.alpinelinux.org>; Sun, 19 Jun 2022 06:42:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=xaosek5WkOYa8fbhT914iKaKrGTRqYqizLGFOD+Ap8Q=;
        b=ouDUIr9HsRcOBlRSmlXPp203lf7sVLh29YJCOi72y8G64hBiRPjAd+UyM7oVcmEErU
         zaXKlXmcBWYnjGa1i2cwR3zKKNDGocc3hrkcfv1H+xxTTqMFjNbS7SIYCHBQEjH2RbEF
         JSl627nfyp9pMN74pl4iqnlm+fTCLSLEbDlhcbYu0twW/bLIAyNMGUrmQIuD8X/G7TR4
         PS7WgVmQpVSqNyjSw1fmGU2NELNu1rf+EWW6MUY/aTsICQ04WViwqmehXWWztFs+5w7R
         yTG9zt8zzTZ8FDCw2ol4042V/eHjAxCb2Pixp90o1aYAnvbhAdjMgPA4Bab3zkHK1z5t
         ATzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=xaosek5WkOYa8fbhT914iKaKrGTRqYqizLGFOD+Ap8Q=;
        b=wemuWuwXE9B3eORs7nRIXCfprowXgKB1uAhkUYAJ/9b310sRe3CAlKXNEMC2h+eUr0
         GBwjknwZgu2i5FjHhYnkCuZmmYUYeEkqZ6LY5i5MN9maBOuWupHpUy2uPXSQWx+gqxY6
         G08y8MWjIG1Lcd9e1sTMUQrkKl/3YHHMEBA+DKXUsdUvdGOHS0Vaqt1dCtuwGPlCoA+j
         nTfcI8nPqdFd9Y/n/pbVRFJEe7HhjYJLCr+wwIdLo4m8ylW6Q65p+UvudLlcjfA4RFVV
         rvY5qQUb/75SWwsuaUraitkuJEINLbgGeHSD0+gUIt35OTEEkCCwQgfWAZfOZiYhvXFn
         2Tjw==
X-Gm-Message-State: AJIora/SqZwJZlzxMeqv+KDov6Y2Lcab9KylNd3DwWl41zO0n+FtGJ0+
	nsfkOeldZO3VVLFChUPWlLC4MexcZbdclplxUSd36Nip0m8=
X-Google-Smtp-Source: AGRyM1uJLaYqAqgg5Dpx11WZWuEjBP5CsH7mKXqouqiT2E11y8GEvO4M+Va4XG5eZAOwG/IbJe6ZbfeGlq9UUTP8TDM=
X-Received: by 2002:a05:6122:c5:b0:368:6a0f:ed0c with SMTP id
 h5-20020a05612200c500b003686a0fed0cmr8213524vkc.28.1655646167183; Sun, 19 Jun
 2022 06:42:47 -0700 (PDT)
MIME-Version: 1.0
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>
 <CAD+eXGR0gJH5UbrgE=5qvXaNgsRD+17tueooGdSY1NKPLcVrKw@mail.gmail.com> <49d7456930f237457bf7f3f5c50f96e4@tower-net.de>
In-Reply-To: <49d7456930f237457bf7f3f5c50f96e4@tower-net.de>
From: Konstantin Kulikov <k.kulikov2@gmail.com>
Date: Sun, 19 Jun 2022 16:42:35 +0300
Message-ID: <CAD+eXGQuATq8yW=LqSoyj04B=-egzfna_R6+9mOXXiiu+owq_A@mail.gmail.com>
Subject: Re: Security problem in how you manage users in package installations
To: Markus Kolb <alpinelinux+develml@tower-net.de>
Cc: Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
Content-Type: text/plain; charset="UTF-8"

> Some distros create system users only with predefined uid/gid.

There are ~500 *-openrc packages so I guess it can work.

> A first effective improvement would be, not to lower/remove restrictions
> of _any_ existing user in a kind of black box (installation script from
> admin perspective) during package installation.

adduser fails if user exists so I'm not sure what you mean here.

> Same proceeding would be good for file/directory permissions.
> For this there should be also taken care in e.g. checkpath of
> openrc-scripts. If the admin locks out users of a directory and during
> the next service start by a checkpath the directory becomes world
> accessible again, might be a problem. IMO openrc should not modify or
> create anything by checkpath but simply report about the undesired
> mismatch and abort. But there is no such option in checkpath to only
> check. The modification is implied, the name of the function is
> misleading. It is a "fixpath".

I don't agree that admin should be required to manually create
directories with correct permissions.
Maybe it's possible to checkpath with 700 and then give permissions to
others when required using ACLs(setfacl/getfacl)?

> I don't see a requirement for adding users like gitea/gogs to a
> website-content-group www-data.

I believe "someuser/www-data" is usually done to let apache/nginx
handle uploads and static file serving.
In gogs case this definitely shouldn't be done. Feel free to send a MR.

> What is happening below /var/log, /var/run in all the packages over time
> if there is no check what packages are doing?

Logging in alpine is in a shit state because openrc doesn't really
implement logging properly.
There was some talk about replacing it, no idea what state it is currently in.

> Btw. is it intended that you add user to the same group it has as
> primary group, so that it has ineffectively the same group 2 times?

Unlikely. Feel free to send MRs.

> Default installations need to be fixed here, but it is not foreseeable
> what configuration changes has been done on all the installations out
> there. Overwriting this more restrictive and safe can break
> installations using a different, custom configuration and directory
> structure.
> There could be provided an output to the user during the installation
> about the changes. In other distributions there would be a confirmation
> dialog.

apk doesn't do notifications. Postgres did fail installation in the
past when a major version was released,
but thankfully major postgres versions are now separate packages.

> How this should be done in Alpine?

I'd say get rid of www-data, but leave 755 for now.
Move directory creation from package() to initd script with checkpath.
This will let you edit initd on your installation and not fear for it
being overwritten on the next update.
You can get rid of setcap usage as well (see [1]).

Finally bring up your concerns and suggestions with TSC here [2] and
start a formal discussion.

[1] https://gitlab.alpinelinux.org/alpine/tsc/-/issues/45
[2] https://gitlab.alpinelinux.org/alpine/tsc