summaryrefslogtreecommitdiffstats
path: root/apt/share/man/apt-install.1.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@open-infrastructure.net>2023-02-19 11:31:26 +0000
committerDaniel Baumann <daniel.baumann@open-infrastructure.net>2023-02-19 12:23:06 +0000
commitf0837147f4963a85132f0fd51845756ce45d1ecc (patch)
treee892e20df021d8db9dc69df162448c0aff00b0f3 /apt/share/man/apt-install.1.rst
parentCompletely stop and start apache in dehydrated hook to ensure OCSP renewals. (diff)
downloadservice-tools-f0837147f4963a85132f0fd51845756ce45d1ecc.tar.xz
service-tools-f0837147f4963a85132f0fd51845756ce45d1ecc.zip
Adding apt tools.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
Diffstat (limited to '')
-rw-r--r--apt/share/man/apt-install.1.rst123
1 files changed, 123 insertions, 0 deletions
diff --git a/apt/share/man/apt-install.1.rst b/apt/share/man/apt-install.1.rst
new file mode 100644
index 0000000..f446ea9
--- /dev/null
+++ b/apt/share/man/apt-install.1.rst
@@ -0,0 +1,123 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===========
+apt-install
+===========
+
+------------------------------------------------------------------------
+securely allow unprivileged users to install packages via apt using sudo
+------------------------------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **sudo apt-install** PACKAGE
+| **sudo apt-install** PACKAGE1 PACKAGE2 ...
+
+Description
+===========
+
+**apt-install** securely allows unprivileged users to install packages via apt using sudo.
+
+Some background information
+===========================
+
+| **Use case**
+| On managed systems by a group of system administrators, it would be nice to allow
+| unprivileged users to install the packages they like from the pre-configured
+| Debian repositories.
+|
+| **Unsecure via sudo**
+| Traditionally this has been done by granting the unprivileged users to run
+| sudo with e.g.:
+| "user ALL=NOPASSWD: /usr/bin/apt, /usr/bin/apt-get"
+| (see sudoers(5) for information about sudoers, the configuration file for sudo).
+|
+| **Using local apt configuration**
+| Using sudo as above allows for custom apt options to be passed as arguments, e.g.:
+| sudo apt update -o APT::Update::Pre-Invoke::="/bin/sh"
+|
+| Or refering to local apt configuration file:
+| sudo APT_CONFIG=~/apt.conf apt update
+|
+| **Installing local debian packages**
+| Unfortunatly this allows to not just install packages from the repositories,
+| but also to install local packages:
+| sudo apt install ./root-shell.deb
+|
+| Creating a Debian package that contains a wrapper for a root shell or invokes
+| a shell as root during within the maintainer scripts is left to the reader,
+| however, there's a example available here:
+| https://git.open-infrastructure.net/software/root-shell/
+
+| **Using wrapper scripts for apt install and apt remove**
+| The apt-install and apt-remove wrapper drop parameters as well as file and path
+| arguments to ensure only packages from the configured Debian repositories can be
+| installed.
+
+sudo configuration
+==================
+
+| Users can be granted sudo rights for apt-install and apt-remove via sudoers(5):
+| "user ALL=NOPASSWD: /usr/bin/apt-install, /usr/bin/apt-remove"
+
+| It might make sense to also allow unprivileged users to allow updating the system:
+| "user ALL=NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt dist-upgrade"
+
+Warning
+=======
+
+| Granting users local access to a system is always a security risk.
+| Giving local users the ability to install packages even more so.
+
+| While the apt-install and apt-remove wrappers do prevent installing malicious packages,
+| bugs in any of the packages within the configured Debian repositories can be exploited.
+
+See also
+========
+
+| apt(8),
+| sudo(8),
+| sudoers(5)
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.