google-cloud-sdk: supply-chain security lapses
jreiser opened this issue · 0 comments
Installing Google Cloud SDK on Linux according to the directions on https://cloud.google.com/sdk/docs/install reveals supply-chain security lapses in the building and distribution.
```
$ tar tvf google-cloud-cli-458.0.1-linux-x86_64.tar.gz | sed 5q
drwxr-xr-x root/root 0 1980-01-01 00:00 google-cloud-sdk/.install/.download/
-rw-r--r-- root/root 91 1980-01-01 00:00 google-cloud-sdk/.install/anthoscli-linux-x86_64.manifest
-rw-r--r-- root/root 995 1980-01-01 00:00 google-cloud-sdk/.install/anthoscli-linux-x86_64.snapshot.json
-rw-r--r-- root/root 0 1980-01-01 00:00 google-cloud-sdk/.install/anthoscli.manifest
-rw-r--r-- root/root 1121 1980-01-01 00:00 google-cloud-sdk/.install/anthoscli.snapshot.json
```
The `root/root` ownership is a supply-chain security lapse because building and/or distributing as root offers the possibility of unnecessary access to an intruder. Never build as root with superuser privileges. Always use a user and group with ordinary non-privileged access permissions. Call the names `GCloudBuilder/GCloudGroup`, or something. And yes, the password should be secure and rotated monthly or quarterly.
The use of `1980-01-01 00:00` as date+time also is a security lapse. Actual date+time of build is important information in tracking installation history, including during and after an intrusion, as well as for identifying ordinary updated release versions.
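The two signals raised above (root-owned entries and a fixed `1980-01-01 00:00` timestamp) can be checked mechanically before an archive is unpacked. The following is an added example, not code from the issue or from the Google Cloud SDK project: it builds a small in-memory tarball that mimics the listing (a constructed sample, not the real SDK archive), then audits every member and reports which of the two conditions it matches. The builder user and group names `gcloudbuilder`/`gcloudgroup` on the one clean entry are assumed placeholders.

```python
import io
import tarfile
from datetime import datetime, timezone

# The fixed timestamp seen in the listing, 1980-01-01 00:00 UTC, as a Unix epoch value.
PLACEHOLDER_MTIME = int(datetime(1980, 1, 1, tzinfo=timezone.utc).timestamp())  # 315532800


def build_sample_tarball() -> bytes:
    """Construct an in-memory .tar.gz that mimics the listing in the issue.

    Constructed sample only: two entries owned by root/root with the placeholder
    mtime, plus one clean entry owned by an unprivileged (assumed) builder account.
    """
    entries = [
        # (name, data, uname, gname, uid, gid, mtime)
        ("google-cloud-sdk/.install/anthoscli-linux-x86_64.manifest",
         b"x" * 91, "root", "root", 0, 0, PLACEHOLDER_MTIME),
        ("google-cloud-sdk/.install/anthoscli.snapshot.json",
         b"{}", "root", "root", 0, 0, PLACEHOLDER_MTIME),
        ("google-cloud-sdk/README",
         b"clean entry\n", "gcloudbuilder", "gcloudgroup", 1001, 1001, 1700000000),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, uname, gname, uid, gid, mtime in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uname, info.gname = uname, gname
            info.uid, info.gid = uid, gid
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(data: bytes) -> list[dict]:
    """Return one finding per member that is root-owned and/or carries the placeholder mtime.

    Ownership is checked on both the numeric ids and the recorded names, since an
    archive may carry either (or both) depending on how it was produced.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            issues = []
            if member.uid == 0 or member.gid == 0 or member.uname == "root" or member.gname == "root":
                issues.append("root-owned")
            if int(member.mtime) == PLACEHOLDER_MTIME:
                issues.append("placeholder-mtime")
            if issues:
                findings.append({
                    "name": member.name,
                    "owner": f"{member.uname}/{member.gname}",
                    "uid_gid": (member.uid, member.gid),
                    "mtime": datetime.fromtimestamp(member.mtime, timezone.utc).strftime("%Y-%m-%d %H:%M"),
                    "issues": issues,
                })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count how many members hit each condition, for a quick pass/fail view."""
    return {
        "root-owned": sum("root-owned" in f["issues"] for f in findings),
        "placeholder-mtime": sum("placeholder-mtime" in f["issues"] for f in findings),
        "total-flagged": len(findings),
    }


if __name__ == "__main__":
    # Run against the constructed sample; point audit_tarball() at a real archive's
    # bytes to check a downloaded tarball before extracting it.
    sample = build_sample_tarball()
    for finding in audit_tarball(sample):
        print(f"{finding['owner']:24} {finding['mtime']}  {finding['name']}  {finding['issues']}")
    print(summarize(audit_tarball(sample)))
```

Feeding the real archive's bytes to `audit_tarball()` gives the same two-column view as the `tar tvf` listing, but as structured data that a CI job or a download-verification step can fail on.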