7

Usually we place things in /opt so they are owned by root but normal users can execute them. This prevents normal users from modifying the binaries, so they cannot execute arbitrary stuff. However, putting things there using `sudo unzip something.zip -d /opt` is a little bit dangerous, as an exploit in unzip could then do anything with sudo capabilities. I created a temp folder instead, extracted there and then `sudo mv folder /opt`; is this the safest solution?

from

```dockerfile
RUN curl -sSL "${GRADLE_SDK_URL}" -o gradle.zip \
    && echo "${GRADLE_ZIP_SHA256_HASH} *gradle.zip" | shasum -a 256 --check \
    && sudo unzip gradle.zip -d /opt  \
    && rm -rf $TEMPD \
    && rm -rf gradle.zip
```

to

```dockerfile
RUN curl -sSL "${GRADLE_SDK_URL}" -o gradle.zip \
    && echo "${GRADLE_ZIP_SHA256_HASH} *gradle.zip" | shasum -a 256 --check \
    && TEMPD=$(mktemp -d) \
    # unzip runs as the build user, never under sudo
    && unzip gradle.zip -d "${TEMPD}" \
    # move the extracted tree, not the temp dir itself, so it lands as /opt/<archive top-level dir>
    && sudo mv "${TEMPD}"/* /opt/ \
    && rm -rf "${TEMPD}" \
    && rm -rf gradle.zip
```
psmears
Guerlando OCs
  • BTW you could unzip it in a build container and then copy the expanded directory in a staged build. But I think in any case the file is trusted and checksummed, there is not really a big risk. – eckes Apr 24 '22 at 19:55
  • Do you need to change the ownership of the files to `root`? Currently they'll be owned by the user running the command, and `mv` to `/opt` won't change the ownership... – psmears Apr 25 '22 at 10:07

2 Answers

10

Yes, it is safer to run unzip without root permissions and then move the extracted contents to their final destination. However, if you suspect that the file which you are providing to unzip is malicious or has been tampered with, then it may still be a serious security issue if you plan to run the files in /opt with root privileges. Additionally, there is the possibility that a malicious process running with the same privileges as curl could modify the files in the temporary directory after they have been written to but before they are moved to a system directory and owned by root.

Note that verifying the hash, even if it's a cryptographic hash, does not provide protection against malicious tampering if it is distributed through the same channel as the data. Instead, you should verify the digital signature. Unfortunately, I don't think Gradle uses digital signatures, just hashes.

forest
1

I assume that the source and content of the zip archive are trusted enough.

mv is part of the standard utils. These are old and well tested. They also don't change much. If you look at the list of vulnerabilities of mv or util-linux or whatever flavour you have, you will see very few vulnerabilities. It is also a small, simple program.

unzip is quite error-free lately, but there have been quite a number of vulnerabilities (DoS, Exec Code Overflow, +Priv, Dir. Trav. etc.). Furthermore unzip is more complex than mv.

Based on that, I would say that running unzip unprivileged locally and then mv as root afterwards is more secure.

Ljm Dullaart
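A shell version of the stage-then-install pattern discussed in the question and both answers, written as an added example (it is not the asker's Dockerfile nor either answerer's code): the archive is checked first, the complex extractor only ever runs as the unprivileged build user, and root is used just for chown, chmod and mv, which also covers psmears's point that a plain mv keeps the build user as owner. The function names, the SUDO and INSTALL_OWNER variables and the EXTRACTOR ARCHIVE DIRECTORY interface are assumptions of this example.

```shell
#!/bin/sh
# Stage-then-install: verify the archive, let the complex extractor run only as
# the unprivileged build user inside a private temp dir, and reserve root for the
# small, well-tested tools (chown, chmod, mv). The function names, SUDO and
# INSTALL_OWNER are this example's own assumptions, not from the question.
set -e

# Hash with whatever tool the platform has (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Extractors share one shape: EXTRACTOR ARCHIVE DIRECTORY. extract_zip is the
# question's case; extract_tar shows the pattern does not depend on the format.
extract_zip() { unzip -q "$1" -d "$2"; }
extract_tar() { tar -xf "$1" -C "$2"; }

# install_archive EXTRACTOR ARCHIVE EXPECTED_SHA256 DEST
install_archive() {
    extractor="$1" archive="$2" expected="$3" dest="$4"
    sudo_cmd="${SUDO-sudo}"                    # set SUDO="" when already root
    owner="${INSTALL_OWNER:-root:root}"        # plain mv would keep the build user as owner

    # 1. Integrity check before the archive is handed to any parser.
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive: got $actual" >&2
        return 1
    fi

    # 2. Private (0700) staging dir; extraction runs with the caller's privileges only.
    #    A process with the same uid could still tamper here (forest's caveat).
    tmpd=$(mktemp -d)
    "$extractor" "$archive" "$tmpd"

    # 3. Fix ownership and strip group/world write bits while still staged, so the
    #    tree is already root-owned and read-only for others when it lands in DEST.
    $sudo_cmd chown -R "$owner" "$tmpd"
    $sudo_cmd chmod -R u+rwX,go+rX,go-w "$tmpd"

    # 4. Move the extracted entries (not the temp dir itself) into DEST.
    $sudo_cmd mkdir -p "$dest"
    for entry in "$tmpd"/* "$tmpd"/.[!.]*; do
        [ -e "$entry" ] || continue
        $sudo_cmd mv "$entry" "$dest"/
    done
    $sudo_cmd rmdir "$tmpd"                    # root-owned by now, so root removes it
}
```

In the Dockerfile from the question this replaces the `unzip ... && sudo mv ...` chain with `install_archive extract_zip gradle.zip "${GRADLE_ZIP_SHA256_HASH}" /opt`.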