    abuild-sudo: don't allow --keys-dir · 297de93a
    Max Rees authored
    Not allowing --allow-untrusted is obviously a good idea, but it can be
    trivially bypassed if --keys-dir is allowed:
    
    $ abuild-apk add foo-1-r0.apk
    ERROR: foo-1-r0.apk: UNTRUSTED signature
    $ abuild-apk --allow-untrusted add foo-1-r0.apk
    abuild-apk: --allow-untrusted: not allowed option
    $ cp -rp /etc/apk/keys /tmp/keys
    $ cp untrusted.pub /tmp/keys
    $ abuild-apk --keys-dir /tmp/keys add foo-1-r0.apk
    (1/1) Installing foo (1-r0)
    OK: 4319 MiB in 806 packages
    
    If both --allow-untrusted and --keys-dir are not allowed, then it should
    no longer be possible for an unprivileged member of the abuild group to
    add an untrusted package.
    
    $ abuild-apk --keys-dir /tmp/keys add foo-1-r0.apk
    abuild-apk: --keys-dir: not allowed option
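The argument filter the commit message calls for, written here as an added example in C rather than abuild-sudo's own code: it rejects `--allow-untrusted` and `--keys-dir` before the wrapper hands the command line to apk, and also catches the `--option=value` spelling, which is assumed here to be accepted by apk's long-option parsing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Options that let the caller override apk's signature-trust decision.
 * A privileged wrapper must never pass these through; "--keys-dir" is
 * the one the commit above adds to the deny list. */
static const char *const denied_options[] = {
    "--allow-untrusted",
    "--keys-dir",
    NULL,
};

/* True if arg is a denied option, either as "--opt" or as "--opt=value".
 * Assumption: apk accepts the "=" form, so matching only the exact
 * "--opt" string would leave "--keys-dir=/tmp/keys" unfiltered. */
bool is_denied_option(const char *arg)
{
    for (const char *const *p = denied_options; *p; p++) {
        size_t n = strlen(*p);
        if (strncmp(arg, *p, n) == 0 && (arg[n] == '\0' || arg[n] == '='))
            return true;
    }
    return false;
}

/* Scan an argv-style vector; returns the index of the first denied
 * option, or -1 when the command line contains none. Every argument is
 * checked, so option position does not matter. */
int find_denied_option(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        if (is_denied_option(argv[i]))
            return i;
    }
    return -1;
}

/* Stand-alone driver mirroring the wrapper's refusal message. */
int main(int argc, char *argv[])
{
    int bad = find_denied_option(argc, argv);
    if (bad >= 0) {
        fprintf(stderr, "abuild-apk: %s: not allowed option\n", argv[bad]);
        return 1;
    }
    puts("command line accepted");
    return 0;
}
```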