Received: from out1.migadu.com (out1.migadu.com [91.121.223.63]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id D2527780FAF for <~alpine/devel@lists.alpinelinux.org>; Mon, 20 Jun 2022 05:20:53 +0000 (UTC) MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ayaya.dev; s=key1; t=1655702451; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Czj0MoqA1FwJAHFhTuVT8LWXK838BNVDZ7eQ4v2E/1A=; b=J50hhxGJebRTzcP+V825DvlkjyvOG5LeRDP/DYBfXcs6Mh/BwtE+lD1jifHgubmsNuGdDP nCVVROQCZgKrDfixGimHd16IytmGVNZcHt0/yn+c594nCfUXLMrP+nHfXKPc+coHusJIpc LQj1MFuQh8lsqKGH7vICwU3fW9CQsd8= Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Mon, 20 Jun 2022 07:20:50 +0200 Message-Id: Cc: "Alpine Linux devel ML" <~alpine/devel@lists.alpinelinux.org> Subject: Re: Security problem in how you manage users in package installations X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: "alice" To: "Konstantin Kulikov" , "Markus Kolb" References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de> <49d7456930f237457bf7f3f5c50f96e4@tower-net.de> In-Reply-To: X-Migadu-Flow: FLOW_OUT X-Migadu-Auth-User: ayaya.dev On Sun Jun 19, 2022 at 3:42 PM CEST, Konstantin Kulikov wrote: > > Btw. is it intended that you add user to the same group it has as > > primary group, so that it has ineffectively the same group 2 times? > > Unlikely. Feel free to send MRs. for this specifically, i assume it was something like: addgroup -S x adduser -S -G x x `adduser -S` does not create a group for the user, so this is required. haven't seen any other instances where that statement would apply..