Received: from mx1.mailbun.net (mx1.mailbun.net [170.39.20.100])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 151BA781299
	for <~alpine/devel@lists.alpinelinux.org>; Tue, 21 Jun 2022 16:24:42 +0000 (UTC)
Received: from [192.168.0.120] (ip98-188-99-246.tu.ok.cox.net [98.188.99.246])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: ariadne@dereferenced.org)
	by mx1.mailbun.net (Postfix) with ESMTPSA id 1C4521251DE;
	Tue, 21 Jun 2022 16:24:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dereferenced.org;
	s=mailbun; t=1655828679;
	bh=1OPE4rX4hAiTHfGcv9TcIvCoTTtiBGnfGsj+pZYFnaM=;
	h=Date:From:To:cc:Subject:In-Reply-To:References;
	b=WPnGcPwDM40O2vDcMJgclQ1dalnKbEIPrmN/w7Z9YROn9Z4m2oj50+TK2dfs8pImW
	 YuV5b3hZUGRuR/SlCCix5kZSmd2yqaIRzRwXynpGwtrin8vr8oEFXtM5XXbTnKrvVA
	 H1SKamYIqLkXPVJw4tORs9CIVwjAW571Loeh8jOzXv6JuIo/kknPosor1VrFQro+xt
	 1UnUFC2E9wL7zlkyOsiSccQ2+mNisVOw7KVVenz1vcxUH7meg8fcmcpC9s+/fy7BeW
	 0qdHtH9HkDzae6FJeaRNnCydD2FrnHBoHM2ukIyZ1OXbJIGM+o12+NI/hu4VrEeCws
	 Mw1fIPx0J9xKQ==
Date: Tue, 21 Jun 2022 11:24:39 -0500 (CDT)
From: Ariadne Conill <ariadne@dereferenced.org>
To: Markus Kolb <alpinelinux+develml@tower-net.de>
cc: Alpine Linux devel ML <~alpine/devel@lists.alpinelinux.org>
Subject: Re: Security problem in how you manage users in package
 installations
In-Reply-To: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>
Message-ID: <a0158f4d-81d0-c034-665a-853345463371@dereferenced.org>
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed

Hi,

On Sat, 18 Jun 2022, Markus Kolb wrote:

> Hello,
>
> I'm trying to maintain 2 packages I'm using with Alpine and would not like to 
> see being removed from the repositories from future releases.
> But I could see that there is some basic problem.
> Currently you are unlocking users in pre-install of packages without any 
> further checks of the existing system environment.
> There is assumed the user is not existing, there is no username clash, the 
> user has not set a password, the user is used only for this package and so 
> on.

This is a problem with adduser in busybox, then, and it should be fixed 
there.  In the past adduser was performing these checks, so something has 
changed.

> In short... this is a no-go to circumvent any administrative security related 
> restrictions by package installations.
> There is the possibility to allow an unintended (remote) login or local 
> privilege expansion by unlocking users in apk-executed scripts.
> And there is no sensitivity for this problem, because it is the recommended 
> way of providing packages. (Quote: "see the <...apk> .pre-install, which is 
> how all of them are done").
>
> I'm negatively surprised how careless the basic system permissions are used.
>
> Are you aware of this situation in Alpine and happy with it?

I am aware of this situation, but am skeptical that it is an actual 
security problem (unless new versions of busybox have actually broken 
adduser).  That awareness is why we are moving user/group management 
directly to apk-tools as part of apk 3.

Ariadne