[lxc-devel] [PATCH] lxc-alpine: download statically compiled package manager if not available on host
Michael H. Warfield
mhw at WittsEnd.com
Sat May 18 20:08:12 UTC 2013
On Sat, 2013-05-18 at 21:13 +0200, Natanael Copa wrote:
> On Fri, 17 May 2013 12:04:01 -0400
> "Michael H. Warfield" <mhw at WittsEnd.com> wrote:
>
> > On Fri, 2013-05-17 at 09:24 -0500, Serge Hallyn wrote:
> > > Quoting Kaarle Ritvanen (kaarle.ritvanen at datakunkku.fi):
> > > > On Thu, 16 May 2013, Natanael Copa wrote:
> > > >
> > > > >On Wed, 15 May 2013 13:10:06 -0500
> > > > >Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > > > >
> > > > >>Quoting Kaarle Ritvanen (kaarle.ritvanen at datakunkku.fi):
> > > > >>...
> > > > >>>+ wget="wget -O - $repository/x86"
> > > > >>..
> > > > >>>+ $wget/apk-tools-static-$apk_version.apk | \
> > > > >>>+ tar -Oxz sbin/apk.static > $apk || return 1
> > > > >>>+ chmod u+x $apk
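Review bot: nothing between the `wget -O -` pipe and `chmod u+x $apk` verifies what was downloaded; whatever `tar -Oxz sbin/apk.static` emitted is marked executable, and the template later runs it as root. Write the archive to a file first, check it against a digest or signature that does not come from the same `$repository` host (a value pinned in the template, or a PGP-signed checksum file), and only then extract and chmod. Since `$repository` is served over plain http per the discussion, a checksum fetched from the same server adds nothing against a substituted archive.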
>
> ...
>
> > > > >>>+ $apk add -U --initdb --root $rootfs $apk_opts "$@"
>
> ...
>
> > > It's the 'wget $url | /bin/sh', not the apk --allow-untrusted,
> > > that really bothers me.
>
> ...
>
> > As a security researcher (my day job), I have to say, now that you
> > specifically pointed it out, that makes the hair on the back of my
> > neck stand up. Even if we only allow a well controlled URL we're
> > requesting, the thought of blindly piping the data returned into a
> > shell scares the crap out of me,
>
> He pipes it to tar, not to a shell.
>
> > especially since this would presumably be running as root.
>
> Running unverified static binaries as root is scary yes.
>
> > If there was some way to download it
> > to a file and verify its contents (md5, sha1, sha256 or -preferably-
> > PGP signature) BEFORE sending it into a shell, that would make me
> > feel a lot more comfortable.
>
> There is a checksum stored in the APKINDEX.tar.gz (md5 iirc) so it is
> fully possible and pretty simple to implement checking the static
> binary.
> I don't think it provides much value though, because both the APKINDEX
> and the tarball containing the static binary come from the same http
> server, so it would not protect against bad binaries on a DNS hijack, for
> example. (The attacker could just store the checksum for his evil static
> binary.)
Correct. Which is why I said "preferably PGP signed". An attacker cannot
fake that.
> -nc
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
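The download-to-file-then-verify pattern discussed above, as an added example that is not part of the patch or the lxc-alpine template. It assumes the template's $repository and $apk_version variables, uses SHA-256 rather than the md5 kept in APKINDEX, and expects the digest to be supplied from somewhere other than the mirror (pinned in the template or taken from a PGP-signed checksum file), since a digest fetched from the same server proves nothing.

```shell
#!/bin/sh
# Added example, not code from the patch or the lxc-alpine template.
# Download to a file, verify it, and only then extract and mark the
# static apk executable. The expected digest must come from outside the
# mirror (pinned in the template or a PGP-signed checksum file).
# Assumed/hypothetical: $repository, $apk_version (template variables);
# SHA-256 is used here instead of the md5 stored in APKINDEX.

# verify_sha256 FILE EXPECTED_HEX: succeeds only if the digest matches.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# install_apk_static PKG EXPECTED_HEX DEST: verify PKG, then extract
# sbin/apk.static from it into DEST and make it executable. DEST is
# never left behind unless the digest checked out and extraction worked.
install_apk_static() {
    pkg=$1; expected=$2; dest=$3
    if ! verify_sha256 "$pkg" "$expected"; then
        echo "apk-tools-static: digest mismatch, refusing to install" >&2
        return 1
    fi
    tar -Oxzf "$pkg" sbin/apk.static > "$dest" || { rm -f "$dest"; return 1; }
    chmod u+x "$dest"
}

# fetch_apk_static EXPECTED_HEX DEST: the patch's download step, rewritten
# to land in a temporary file so it can be checked before anything runs.
fetch_apk_static() {
    pkg=$(mktemp) || return 1
    wget -O "$pkg" "$repository/x86/apk-tools-static-$apk_version.apk" \
        && install_apk_static "$pkg" "$1" "$2"
    rc=$?
    rm -f "$pkg"
    return $rc
}
```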