Date: Tue, 21 Jun 2022 10:59:53 +0200
From: Markus Kolb
To: Jakub Jirutka, Alpine Linux users ML <~alpine/users@lists.alpinelinux.org>
Subject: Re: Security problem in how you manage users in package installations
References: <22948c2fba2f4882ac4646501fd6ef3f@tower-net.de>

On 19.06.2022 19:23, Jakub Jirutka wrote:
>> There is the possibility to allow an unintended (remote) login or
>> local privilege expansion by unlocking users in apk-executed scripts.
>
> No, if the user already exists, then adduser(8) does nothing.
>

But passwd does. Unlocking is happening with passwd and not adduser.
Not sure why you all point to adduser?!

Can you all try to understand the problem and not try to avoid the explanations and say all is fine as it is?!
It is not. You have a package in your repository for which you can surely get a CVE entry because of how it is installed by apk.

It is all quite exhausting to discuss a problem as if there were no problem and to have to explain things that are not part of it. This is no help.
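A defender-side check related to the issue Markus describes, added here as an example and not code from the thread or from Alpine: it lists the accounts in a shadow(5)-format file whose password field is usable for login, so an operator can spot a service account that a package install script left unlocked or without a password. The shadow lines and the account names are constructed sample data.

```shell
#!/bin/sh
# Audit helper (added example, not from the original thread). Reports accounts
# whose shadow password field is neither locked ("!" prefix) nor disabled ("*"),
# i.e. accounts that could actually log in. A constructed sample file stands in
# for /etc/shadow so the script runs without privileges.

SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
# Constructed sample: three service accounts (one "unlocked" by an install
# script, one with an empty field), plus root and an interactive user.
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$abc$hashhashhash:19000:0:99999:7:::
svc-locked:!:19000:0:99999:7:::
svc-disabled:*:19000:0:99999:7:::
svc-unlocked:$6$def$hashhashhash:19164:0:99999:7:::
svc-empty::19164:0:99999:7:::
alice:$6$ghi$hashhashhash:19000:0:99999:7:::
EOF

# usable_accounts FILE [ALLOWED...]
# Prints "name:hash" or "name:empty" for every account whose password field is
# usable for login, skipping the ALLOWED names (accounts expected to log in).
usable_accounts() {
    file=$1; shift
    allowed=" $* "
    while IFS=: read -r name pw rest; do
        case "$name" in ''|'#'*) continue ;; esac        # blank/comment lines
        case "$allowed" in *" $name "*) continue ;; esac # expected login account
        case "$pw" in
            '!'*|'*'*) ;;                      # locked or disabled: fine
            '')        echo "$name:empty" ;;   # no password at all: login without one
            *)         echo "$name:hash" ;;    # a usable hash is present
        esac
    done <"$file"
}

# Run against the sample; only svc-unlocked and svc-empty should be reported.
usable_accounts "$SAMPLE_SHADOW" root alice
```

On a real host, point it at /etc/shadow (as root) after package installs, or diff its output before and after an apk run.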