Date: Tue, 21 Jun 2022 12:10:39 +0200
From: Natanael Copa
To: Markus Kolb
Cc: Jakub Jirutka, Alpine Linux users ML <~alpine/users@lists.alpinelinux.org>
Subject: Re: Security problem in how you manage users in package installations
Message-ID: <20220621121039.298035de@ncopa-desktop.lan>
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>

On Tue, 21 Jun 2022 10:59:53 +0200
Markus Kolb wrote:

> On 19.06.2022 19:23, Jakub Jirutka wrote:
> >> There is the possibility to allow an unintended (remote) login or
> >> local privilege expansion by unlocking users in apk-executed scripts.
> >
> > No, if the user already exists, then adduser(8) does nothing.
> >
>
> But passwd does. Unlocking is happening with passwd and not adduser.
> Not sure why you all point to adduser?!

Where/how is passwd used in apk-executed scripts?

-nc