On Thu, Aug 12, 2021 at 08:35:42AM -0400, Kyle Edwards wrote:
> > > > I just ran across this article
> > > > https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> > > > the attacks on Debian 11 and they work successfully giving me a root
> > > > shell prompt.
> > > I don't think calling this "privilege escalation" or "attack" is correct.
> > > The premise of the post is "the user should not be a root/admin user but
> > > has been assigned sudo permissions to run the package manager" and one
> > > doesn't really need a long article to prove that it's not secure.
> > I think the article is interesting nonetheless. Some people may think
> > that granting sudo on apt is OK. In the past, I think "apt install
> > ./something.deb" was not possible.
> Random thought: could it be possible to restrict non-sudo users to
> installing packages from repos that are signed by a GPG key that is already
> trusted by the system (the Debian archive key)? 
Via some wrapper maybe? But at that point just use PackageKit?

> That way this attack could not be carried out. 
Only the one that relies on package content, while there are more ways to
ask apt to run a process, as listed in the article and in this thread.

> Then add a Unix group that allows apt installation from
> trusted repos, make apt setuid 
Please don't.

-- 
WBR, wRAR
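
A defender-side check for the point made in this thread, that sudo rights on a package manager amount to root: the sketch below is an added example, not part of the original message or the linked article, and it scans sudoers text for rules that grant apt or dpkg. The watch list, the sample fragment and the function names are assumptions; it does not follow include directives or cover every sudoers construct.

```python
import os
import re

# Assumed watch list for a Debian system; extend it for local tooling.
PKG_MANAGERS = {"apt", "apt-get", "aptitude", "dpkg"}

# Constructed sudoers fragment (not taken from any real host).
SAMPLE = """\
Defaults env_reset
Cmnd_Alias PKG = /usr/bin/apt-get update, \\
                 /usr/bin/apt install *
%admins ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: PKG
backup  ALL=(root) /usr/bin/rsync, !/usr/bin/dpkg
ci      ALL=(root, adm) NOPASSWD: /usr/bin/dpkg -i *
"""

def logical_lines(text):
    """Join backslash continuations; drop blank and comment lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (who, command) pairs that grant a package manager via sudo."""
    aliases, rules, findings = {}, [], []
    for line in logical_lines(text):
        if line.startswith("Defaults") or "=" not in line:
            continue
        left, right = line.split("=", 1)
        right = re.sub(r"\([^)]*\)", "", right)            # drop runas specs
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())  # drop NOPASSWD: etc.
                for c in right.split(",")]
        cmds = [c for c in cmds if c]
        if left.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = cmds
        elif not re.match(r"(User|Runas|Host)_Alias\b", left):
            rules.append((left.split()[0], cmds))
    for who, cmds in rules:                                # aliases may be defined late
        for cmd in (x for c in cmds for x in aliases.get(c, [c])):
            if cmd.startswith("!"):                        # negation is not a grant
                continue
            if os.path.basename(cmd.split()[0]) in PKG_MANAGERS:
                findings.append((who, cmd))
    return findings

if __name__ == "__main__":
    for who, cmd in audit(SAMPLE):
        print(f"review: {who} may run {cmd} as another user")
```

Rules granting `ALL` are left out on purpose, since those accounts are root-equivalent by design; the findings are the narrower grants that look restricted but are not.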
