~sircmpwn/alpine-devel (mirror)

Re: Security problem in how you manage users in package installations

Natanael Copa <ncopa@alpinelinux.org>
Message ID: <20220622121124.47484924@ncopa-desktop.lan>
On Wed, 22 Jun 2022 03:06:41 +0000
Markus Kolb <alpinelinux+develml@tower-net.de> wrote:

> On 21 June 2022 18:18:39 UTC, Ariadne Conill <ariadne@dereferenced.org> wrote:
> >Hi,
> >
> >On Tue, 21 Jun 2022, Markus Kolb wrote:
> >  
> >> On 19.06.2022 19:23, Jakub Jirutka wrote:
> >>>> There is the possibility to allow an unintended (remote) login
> >>>> or local privilege expansion by unlocking users in apk-executed
> >>>> scripts.  
...

> 1. Install gogs and openssh-server.
> 2. Start it
> 3. Create a login in gogs.
> 4. Create a private repository
> 5. Commit your most expensive code to your private repository
> 6. Create a normal ssh user account, fully unrelated to gogs
> 7. Give me access to this ssh user account
> 8. I'll tell you what your username, email and password hash in gogs is; complete DB dump possible
> 9. I'll sell your private repository code in dark net
> 10. You look for a new job

This does not sound good at all, and I am interested in fixing it.

> 
> Sorry, you requested this.
> 
> You have my email, if you have prepared this quite common server and
> can't understand it yourself. Anything more is a waste of time for me,
> I have to replace my container images. They seem to be sleeping time
> bombs.

But is this not just a problem that the gogs package sets wrong permissions
on its database?

I don't understand how this is a general problem in apk-executed
scripts?

> My intention has been to help and support you. Repair these
> permission problems in an official accepted way, while taking care of
> two unmaintained community packages. And talk about what could be
> done to make this safer in the development process, that packages are
> not distributed in such an unsafe state. Mostly I receive over many
> days disbelief and now this laughable, insulting official statement.

I am sorry.

-nc
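The concrete risk discussed above is a package leaving its data store readable by every local account, so that an unrelated SSH user can read the application's user table. The following POSIX shell script is an added example, not code from this thread, from the gogs package or from apk: it audits a service data directory for paths readable by "other" and then tightens them to owner-only access. The directory, the sample file and its contents are constructed for the demonstration; the real gogs database location is not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the alpine-devel thread or any Alpine package):
# find files in a service's data directory that any local user can read,
# and restrict them to the service account that owns them.

# audit_world_readable DIR
# Prints every path under DIR whose "other" read bit is set.
# Returns 0 when nothing is exposed, 1 when at least one path is.
audit_world_readable() {
    # -perm -o=r matches paths where "other" can read (files) or
    # list (directories); the start directory itself is included.
    exposed=$(find "$1" -perm -o=r -print)
    if [ -n "$exposed" ]; then
        printf 'readable by all local users:\n%s\n' "$exposed"
        return 1
    fi
    return 0
}

# harden_service_dir DIR
# Owner-only access: directory 0700, every regular file below it 0600.
# The owner is assumed to be the service account (e.g. a dedicated
# user created by the package), so nothing else needs access.
harden_service_dir() {
    chmod 700 "$1" && find "$1" -type f -exec chmod 600 {} +
}

# Demonstration on a constructed directory that mimics the defective
# install state (directory 0755, database file 0644).
demo() {
    data_dir=$(mktemp -d)                      # stand-in for the data dir
    printf 'user:alice\nemail:alice@example.org\nhash:<placeholder>\n' \
        > "$data_dir/app.db"                   # constructed sample record
    chmod 755 "$data_dir"
    chmod 644 "$data_dir/app.db"

    echo "== before hardening =="
    audit_world_readable "$data_dir" || echo "exposure found (expected)"

    harden_service_dir "$data_dir"

    echo "== after hardening =="
    audit_world_readable "$data_dir" && echo "no exposure (expected)"

    rm -rf "$data_dir"
}

demo
```

Run it as-is to see the before/after audit; to check a real installation, call `audit_world_readable /path/to/data` on the package's actual data directory before deciding whether the 0700/0600 policy in `harden_service_dir` fits that service (some services legitimately need group access, in which case you would keep a group bit and drop only the "other" bits).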