Received: from theta.ikke.info (theta.ikke.info [178.21.117.236])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 50DF07810BE
	for <~alpine/devel@lists.alpinelinux.org>; Sun, 19 Jun 2022 15:43:41 +0000 (UTC)
Received: from 49de537e0bbc (mutt_mutt_run_34802d113dfc.postfix_default [192.168.80.4])
	by theta.ikke.info (Postfix) with ESMTPS id 18F0A1406B1;
	Sun, 19 Jun 2022 15:43:01 +0000 (UTC)
Date: Sun, 19 Jun 2022 15:43:00 +0000
From: Kevin Daudt <kdaudt@alpinelinux.org>
To: Konstantin Kulikov <k.kulikov2@gmail.com>
Cc: Markus Kolb <alpinelinux+develml@tower-net.de>,
	Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
Subject: Re: Security problem in how you manage users in package installations
Message-ID: <Yq9EBLbMSq1l0WqI@49de537e0bbc>
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>
 <CAD+eXGR0gJH5UbrgE=5qvXaNgsRD+17tueooGdSY1NKPLcVrKw@mail.gmail.com>
 <49d7456930f237457bf7f3f5c50f96e4@tower-net.de>
 <CAD+eXGQuATq8yW=LqSoyj04B=-egzfna_R6+9mOXXiiu+owq_A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAD+eXGQuATq8yW=LqSoyj04B=-egzfna_R6+9mOXXiiu+owq_A@mail.gmail.com>

On Sun, Jun 19, 2022 at 04:42:35PM +0300, Konstantin Kulikov wrote:
> 
> > How this should be done in Alpine?
> 
> I'd say get rid of www-data, but leave 755 for now.
> Move directory creation from package() to initd script with checkpath.
> This will let you edit initd on your installation and not fear for it
> being overwritten on the next update.
> You can get rid of setcap usage as well (see [1]).

Note that this will most like break container installations, which do no
run services. So you cannot rely on checkpath in an init script to
created required directories.