[lxc-devel] [PATCH] lxc-alpine: download statically compiled package manager if not available on host

Natanael Copa ncopa at alpinelinux.org
Sat May 18 19:13:04 UTC 2013


On Fri, 17 May 2013 12:04:01 -0400
"Michael H. Warfield" <mhw at WittsEnd.com> wrote:

> On Fri, 2013-05-17 at 09:24 -0500, Serge Hallyn wrote:
> > Quoting Kaarle Ritvanen (kaarle.ritvanen at datakunkku.fi):
> > > On Thu, 16 May 2013, Natanael Copa wrote:
> > > 
> > > >On Wed, 15 May 2013 13:10:06 -0500
> > > >Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > > >
> > > >>Quoting Kaarle Ritvanen (kaarle.ritvanen at datakunkku.fi):
> > > >>...
> > > >>>+        wget="wget -O - $repository/x86"
> > > >>..
> > > >>>+        $wget/apk-tools-static-$apk_version.apk | \
> > > >>>+            tar -Oxz sbin/apk.static > $apk || return 1
> > > >>>+        chmod u+x $apk
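Review bot: the file written by `tar -Oxz sbin/apk.static > $apk` is marked executable at `chmod u+x $apk` without any digest or signature check, and the `|| return 1` only sees tar's exit status, so a failed or truncated `wget -O -` is caught only if tar happens to choke on whatever it received. Download to a temporary file first, check wget's own exit status, and verify the file against a digest that is not served by the same host before extracting. Two smaller points on the same lines: `$repository/x86` hard-codes the architecture, and `$apk` is unquoted in both the redirection and the chmod.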

...

> > > >>>+    $apk add -U --initdb --root $rootfs $apk_opts "$@"
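Review bot: `$apk` and `--root $rootfs` are unquoted in `$apk add -U --initdb --root $rootfs $apk_opts "$@"`, so a rootfs path containing whitespace is split into several arguments; quote both and leave only `$apk_opts` unquoted if it is meant to carry several options. This line runs the freshly downloaded `$apk` as root, so the verification gap noted on the download hunk applies here as well.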

...

> > It's the 'wget $url | /bin/sh', not the apk --allow-untrusted,
> > that really bothers me.

...

> As a security researcher (my day job), I have to say, now that you
> specifically pointed it out, that makes the hair on the back of my
> neck stand up.  Even if we only allow a well controlled URL we're
> requesting, the thought of blindly piping the data returned into a
> shell scares the crap out of me,

He pipes it to tar, not to a shell.

> especially since this would presumably be running as root.

Running unverified static binaries as root is scary, yes.

> If there was some way to download it
> to a file and verify its contents (md5, sha1, sha256 or -preferably-
> PGP signature) BEFORE sending it into a shell, that would make me
> feel a lot more comfortable.

There is a checksum stored in the APKINDEX.tar.gz (md5 iirc) so it is
fully possible and pretty simple to implement checking the static
binary.

I don't think it provides much value though, because both the APKINDEX
and the tarball containing the static binary come from the same http
server, so it would not protect against bad binaries on a DNS hijack, for
example (the attacker could just store the checksum for his evil static
binary).


-nc
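The point of the last message is that a digest taken from the same server as the binary proves nothing; only a digest obtained out of band (pinned in the template, or from a signed release note) lets the script refuse a swapped binary. The following is an added example of that download-to-file, verify, then extract flow; it is not the patch's code nor anything from lxc or Alpine. It assumes the caller supplies the expected SHA-256 from an independent source, that `sha256sum` (or `shasum`) and `wget` are available, and it keeps the patch's `sbin/apk.static` member name and `$repository/ARCH/apk-tools-static-VERSION.apk` URL layout. The function names (`file_sha256`, `verify_and_extract`, `fetch_apk_tools`, `demo`) are illustrative.

```shell
#!/bin/sh
# Added example, not the lxc-alpine template's code: fetch apk-tools-static
# to a file, verify it against a digest obtained out of band, and only then
# extract sbin/apk.static and mark it executable.

# SHA-256 of a file; works with coreutils sha256sum or BSD/macOS shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DEST
# ARCHIVE is an already-downloaded apk-tools-static-*.apk (a gzipped tar).
# EXPECTED_SHA256 must come from somewhere other than the server that
# served ARCHIVE: a value copied from that server's own APKINDEX only shows
# the server agrees with itself, which is exactly what a hijack controls.
verify_and_extract() {
    archive=$1 expected=$2 dest=$3
    [ -f "$archive" ] || return 1
    actual=$(file_sha256 "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $archive: got $actual, want $expected" >&2
        return 1
    fi
    # Extract only the one member we need, into a temporary name, so a
    # failed extraction never leaves a half-written executable at DEST.
    tmp="$dest.tmp.$$"
    if ! tar -Oxzf "$archive" sbin/apk.static > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0755 "$tmp" && mv "$tmp" "$dest"
}

# fetch_apk_tools REPOSITORY ARCH VERSION EXPECTED_SHA256 DEST
# Downloads to a file instead of piping into tar, so wget's exit status is
# checked on its own and the bytes that were hashed are the bytes extracted.
fetch_apk_tools() {
    repository=$1 arch=$2 version=$3 expected=$4 dest=$5
    archive=$(mktemp) || return 1
    url="$repository/$arch/apk-tools-static-$version.apk"
    if ! wget -q -O "$archive" "$url"; then
        echo "download of $url failed" >&2
        rm -f "$archive"
        return 1
    fi
    verify_and_extract "$archive" "$expected" "$dest"
    rc=$?
    rm -f "$archive"
    return $rc
}

# demo: builds a constructed archive offline (no network), installs it,
# then shows that an archive with a different payload is rejected even
# though it has the same member name and layout.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/sbin"
    printf '#!/bin/sh\necho "constructed apk.static"\n' > "$work/src/sbin/apk.static"
    tar -C "$work/src" -czf "$work/good.apk" sbin/apk.static
    pinned=$(file_sha256 "$work/good.apk")        # stands in for an out-of-band digest
    verify_and_extract "$work/good.apk" "$pinned" "$work/apk" && "$work/apk"
    printf '#!/bin/sh\necho "evil"\n' > "$work/src/sbin/apk.static"
    tar -C "$work/src" -czf "$work/evil.apk" sbin/apk.static
    if verify_and_extract "$work/evil.apk" "$pinned" "$work/apk2"; then
        echo "BUG: tampered archive accepted" >&2
    else
        echo "tampered archive rejected as expected"
    fi
    rm -rf "$work"
}

case "${1-}" in demo) demo ;; esac
```

Run as `sh example.sh demo` to see the constructed archive accepted and the tampered one refused; in a template you would call `fetch_apk_tools "$repository" x86 "$apk_version" "$pinned_sha256" "$apk"` and let a non-zero return abort the install before anything is executed as root.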