Philipp Kern <pk...@debian.org> writes:

> You know that this is a bad idea (granting sudo to apt without a
> wrapper). I know that this is a bad idea. That was my point. Plus that
> this is a very common trope in multi-user settings that you want to hand
> out some privilege to install packages.
Right, but this is a sudo problem, not an apt problem (which I suspect you agree with, but I think it's important to make it clear). sudo makes it very convenient to give direct access to regular tools and this is almost always a mistake. As you say, that's been long-standing sysadmin lore that arguably even predates sudo and goes back to limited setuid shells and other tricks.

If you want to give people escalated privilege to run a thing, that thing should be a custom-written wrapper that does only one thing and only does the thing that you want to let them do, not a general tool that may have other options or may change later. And ideally you do it via an RPC because setuid programs in UNIX are a giant pile of foot-guns. Otherwise, just be aware that you're basically trusting them with root with slightly better logging and don't rely too much on the security boundary.

I think it's in some ways unfortunate that sudo has become so popular because it makes this mistake so easy and so common. I have found privilege escalation vulnerabilities in almost every non-trivial sudo configuration that I've looked at, not due to some bug in sudo but due to bugs in the understanding of sudo and what it can and can't do by the people writing the configuration. It is *extremely hard* to configure sudo correctly in anything other than "logged access to root" mode.

--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
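As an added illustration of the "custom-written wrapper that does only one thing" approach described above (example code, not from this thread or from Debian): a POSIX sh wrapper that sudo can hand out in place of /usr/bin/apt. The installed path (/usr/local/sbin/apt-install-wrapper), the group name (%devs) and the package allowlist are assumptions chosen for the example; the sudoers lines in the header comment show the weak rule beside the replacement.

```shell
#!/bin/sh
# Added example (not the thread's or Debian's code). Install as
# /usr/local/sbin/apt-install-wrapper (assumed path), root-owned, mode 0755.
#
# Weak sudoers rule: apt has many options beyond "install", and all of them
# are now runnable as root, so this is effectively "trust them with root":
#   %devs ALL=(root) NOPASSWD: /usr/bin/apt
# Replacement: escalate only to a wrapper that can do exactly one thing:
#   %devs ALL=(root) NOPASSWD: /usr/local/sbin/apt-install-wrapper
set -eu

# Packages the group may install (constructed example allowlist).
ALLOWED_PACKAGES="vim htop tmux"

# validate_pkg NAME: succeeds only if NAME is a well-formed Debian package
# name (lowercase alphanumerics, '+', '-', '.', starting with an alphanumeric)
# AND is on the allowlist. Anything beginning with '-' is rejected so a
# caller cannot pass an apt option where a package name is expected.
validate_pkg() {
    pkg=$1
    case "$pkg" in
        ''|-*) return 1 ;;
    esac
    printf '%s\n' "$pkg" | grep -Eq '^[a-z0-9][a-z0-9+.-]+$' || return 1
    for allowed in $ALLOWED_PACKAGES; do
        [ "$pkg" = "$allowed" ] && return 0
    done
    return 1
}

# validate_args PKG...: succeeds only if there is at least one argument and
# every argument passes validate_pkg.
validate_args() {
    [ $# -gt 0 ] || return 1
    for p in "$@"; do
        validate_pkg "$p" || return 1
    done
    return 0
}

# build_command PKG...: prints the exact command the wrapper would run (for
# the audit log and for tests); fails if validation fails. The '--' ends
# option parsing so nothing after it can be read as a flag.
build_command() {
    validate_args "$@" || return 1
    printf 'apt-get install -y -- %s\n' "$*"
}

main() {
    # Do not trust the caller's environment: fixed PATH, no apt overrides.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    unset APT_CONFIG DEBIAN_FRONTEND
    if ! validate_args "$@"; then
        echo "usage: $0 PKG...   (allowed: $ALLOWED_PACKAGES)" >&2
        exit 1
    fi
    # Record who asked for what; sudo sets SUDO_USER for the invoking account.
    logger -t apt-install-wrapper "SUDO_USER=${SUDO_USER:-unknown} runs: $(build_command "$@")"
    exec apt-get install -y -- "$@"
}

# Run main only when executed as the installed wrapper, so the functions can
# be sourced and tested without touching the package system.
case "${0##*/}" in
    apt-install-wrapper) main "$@" ;;
esac
```

The allowlist, not the wrapper, is the real boundary: installing a package still runs its maintainer scripts as root, so whatever the list contains is what the group is ultimately trusted with. Keep the list short, review changes to it, and treat the logger line as the "slightly better logging" the thread mentions rather than as a control.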