Received: from mx1.mailbun.net (mx1.mailbun.net [170.39.20.100]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 923A5781274 for <~alpine/users@lists.alpinelinux.org>; Tue, 21 Jun 2022 18:18:43 +0000 (UTC) Received: from [192.168.0.120] (ip98-188-99-246.tu.ok.cox.net [98.188.99.246]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: ariadne@dereferenced.org) by mx1.mailbun.net (Postfix) with ESMTPSA id 284FE125298; Tue, 21 Jun 2022 18:18:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dereferenced.org; s=mailbun; t=1655835520; bh=X5EtacuuHUKvuP5heImRHcBOytJiGSlxOIIQc2f/3AE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=L2nOQkX0Tc/0QvsJZVSqsutq2efxD+lNXu5heBo5XmpSKJ4NRJ++VlEPt5CpNdv2b FqI9NSHDg9pV2AUf3KSSOusM+TVHwcILl95OFTXBrxfHgnQub8YqmI+k7WtX72SWtL LdSVuwOZdDQ6kVgOd6dfIkue9lRdycZpb7gijhbfjp8YI7FV7MKNFlHAmD3PcrEvEe 8/g+oh2CkgApCngwKx5TYgrKVyS9DX7VB1fpXf09NbWwoleNsJJIf2FTF1TlyQoahy RdCFLhy+ZJhF+rXn58hardwH7sGatzW4bBqktPOzAVbz1Cx/C/frxBpjTcmNPFyp0o Pew01EqnHX4IA== Date: Tue, 21 Jun 2022 13:18:39 -0500 (CDT) From: Ariadne Conill To: Markus Kolb cc: Jakub Jirutka , Alpine Linux users ML <~alpine/users@lists.alpinelinux.org> Subject: Re: Security problem in how you manage users in package installations In-Reply-To: Message-ID: References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Hi, On Tue, 21 Jun 2022, Markus Kolb wrote: > Am 19.06.2022 19:23, schrieb Jakub Jirutka: >>> There is the possibility to allow an unintended (remote) login or local >>> privilege expansion by unlocking users in apk-executed scripts. >> >> No, if the user already exists, then adduser(8) does nothing. >> > > But passwd does. Unlocking is happening with passwd and not adduser. In the case of Gogs and Gitea, this is necessary to enable the package to work as intended. The user accounts are restricted to running the Gogs / Gitea shell helper and cannot by default run a normal /bin/sh. > Not sure why you all point to adduser?! The typical pattern is to use adduser to add users in post-install scripts, this is admittedly sub-optimal design but requires the package manager to be aware of what account mutations need to occur. > Can you all try to understand the problem and not try to avoid the > explanations and saying all is fine like it is?! Speaking with authority as Alpine's designated security officer, I do not see the problem with the Gogs / Gitea packages. > It is not, you have a package in your repository, where you can get for sure > a CVE entry for because of how it is installed by apk. Speaking with authority as Alpine's designated security officer, we will vehemently dispute any CVE entries filed for this issue. > This is all quite exhausting to discuss a problem like there is no problem > and need to explain things not being part of. Speaking with authority as Alpine's designated security officer, multiple members of the Alpine security team have explicitly told you that we do not believe there is a problem in this case. The Alpine security team does, however, believe that `passwd -u` should be avoided as a best practice unless it is justifiable. In this case, it is justifiable -- the accounts in question must be unlocked for the package to function as intended. > This is no help. Demanding we do what you want is also not helpful. If you believe this is a real problem, then show us a real exploit. At present, all I am seeing is that a user must: 1. Add a `gogs` or `gitea` account to their system. 2. Lock that account. 3. Install `gogs` or `gitea` which results in it being unlocked. If you go to a doctor and say "it hurts when I do this," the doctor will tell you "don't do that." Same principle here. Ariadne