In-Reply-To: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>
From: Konstantin Kulikov
Date: Sat, 18 Jun 2022 14:43:02 +0300
Subject: Re: Security problem in how you manage users in package installations
To: Markus Kolb
Cc: Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>

How would you improve this situation?
Fail package installation if user exists and is non-system (id >= 1000)?
How do other distros solve conflicts between admin's usernames and service's usernames?

On Sat, Jun 18, 2022 at 1:00 PM Markus Kolb wrote:
>
> Hello,
>
> I'm trying to maintain 2 packages I'm using with Alpine and would not
> like to see being removed from the repositories from future releases.
> But I could see that there is some basic problem.
> Currently you are unlocking users in pre-install of packages without any
> further checks of the existing system environment.
> There is assumed the user is not existing, there is no username clash,
> the user has not set a password, the user is used only for this package
> and so on.
> In short... this is a no-go to circumvent any administrative security
> related restrictions by package installations.
> There is the possibility to allow an unintended (remote) login or local
> privilege expansion by unlocking users in apk-executed scripts.
> And there is no sensitivity for this problem, because it is the
> recommended way of providing packages. (Quote: "see the <...apk>
> .pre-install, which is how all of them are done").
>
> I'm negatively surprised how careless the basic system permissions are
> used.
>
> Are you aware of this situation in Alpine and happy with it?
>
> Markus
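
The checks raised in this thread (does the name already exist, is it a regular user with id >= 1000, is a password set) can be sketched as a guard that runs before any unlock. This is an added example, not part of either message and not Alpine's or apk's own code. The function names, the constructed passwd/shadow entries, and the rule that a password field starting with `!` or `*` counts as locked are assumptions.

```shell
#!/bin/sh
# classify_account NAME PASSWD_FILE SHADOW_FILE prints one verdict:
#   create            name is free; the package may add its system user
#   reuse             existing system account (uid < 1000), password locked
#   refuse-nonsystem  name belongs to a regular user (uid >= 1000)
#   refuse-password   password field is not locked; leave the account alone
# Returns 0 for create/reuse and 1 for both refuse verdicts.
classify_account() {
    name=$1 passwd=$2 shadow=$3
    # Exact match on field 1, so "svc" does not match "svcold".
    uid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$passwd")
    if [ -z "$uid" ]; then
        echo create; return 0
    fi
    if [ "$uid" -ge 1000 ]; then
        echo refuse-nonsystem; return 1
    fi
    hash=$(awk -F: -v n="$name" '$1 == n { print $2; exit }' "$shadow")
    case $hash in
        '!'*|'*'*) echo reuse; return 0 ;;
        # Empty, missing, or a real hash: treated as admin-managed.
        *)         echo refuse-password; return 1 ;;
    esac
}

# Constructed sample databases (not taken from any real system).
make_sample_db() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
svcold:x:101:101:svc:/var/lib/svcold:/sbin/nologin
svcpw:x:102:102::/var/lib/svcpw:/bin/ash
alice:x:1000:1000::/home/alice:/bin/ash
EOF
    cat > "$1/shadow" <<'EOF'
root:!::0:::::
svcold:!:19000:0:99999:7:::
svcpw:$6$constructed$notarealhash:19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
make_sample_db "$demo_dir"
for u in svcnew svcold svcpw alice; do
    verdict=$(classify_account "$u" "$demo_dir/passwd" "$demo_dir/shadow")
    printf '%s: %s\n' "$u" "$verdict"
done
rm -rf "$demo_dir"
```

A pre-install script using such a guard would stop on either refuse verdict rather than modify the account.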