diff options
Diffstat (limited to 'apt/share/man/apt-install.1.rst')
| -rw-r--r-- | apt/share/man/apt-install.1.rst | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/apt/share/man/apt-install.1.rst b/apt/share/man/apt-install.1.rst new file mode 100644 index 0000000..f446ea9 --- /dev/null +++ b/apt/share/man/apt-install.1.rst @@ -0,0 +1,123 @@ +.. Open Infrastructure: service-tools + +.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +.. +.. SPDX-License-Identifier: GPL-3.0+ +.. +.. This program is free software: you can redistribute it and/or modify +.. it under the terms of the GNU General Public License as published by +.. the Free Software Foundation, either version 3 of the License, or +.. (at your option) any later version. +.. +.. This program is distributed in the hope that it will be useful, +.. but WITHOUT ANY WARRANTY; without even the implied warranty of +.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.. GNU General Public License for more details. +.. +.. You should have received a copy of the GNU General Public License +.. along with this program. If not, see <https://www.gnu.org/licenses/>. + +=========== +apt-install +=========== + +------------------------------------------------------------------------ +securely allow unprivileged users to install packages via apt using sudo +------------------------------------------------------------------------ + +:manual section: 1 +:manual group: Open Infrastructure + +Synopsis +======== + +| **sudo apt-install** PACKAGE +| **sudo apt-install** PACKAGE1 PACKAGE2 ... + +Description +=========== + +**apt-install** securely allows unprivileged users to install packages via apt using sudo. + +Some background information +=========================== + +| **Use case** +| On managed systems by a group of system administrators, it would be nice to allow +| unprivileged users to install the packages they like from the pre-configured +| Debian repositories. +| +| **Unsecure via sudo** +| Traditionally this has been done by granting the unprivileged users to run +| sudo with e.g.: +| "user ALL=NOPASSWD: /usr/bin/apt, /usr/bin/apt-get" +| (see sudoers(5) for information about sudoers, the configuration file for sudo). +| +| **Using local apt configuration** +| Using sudo as above allows for custom apt options to be passed as arguments, e.g.: +| sudo apt update -o APT::Update::Pre-Invoke::="/bin/sh" +| +| Or refering to local apt configuration file: +| sudo APT_CONFIG=~/apt.conf apt update +| +| **Installing local debian packages** +| Unfortunatly this allows to not just install packages from the repositories, +| but also to install local packages: +| sudo apt install ./root-shell.deb +| +| Creating a Debian package that contains a wrapper for a root shell or invokes +| a shell as root during within the maintainer scripts is left to the reader, +| however, there's a example available here: +| https://git.open-infrastructure.net/software/root-shell/ + +| **Using wrapper scripts for apt install and apt remove** +| The apt-install and apt-remove wrapper drop parameters as well as file and path +| arguments to ensure only packages from the configured Debian repositories can be +| installed. + +sudo configuration +================== + +| Users can be granted sudo rights for apt-install and apt-remove via sudoers(5): +| "user ALL=NOPASSWD: /usr/bin/apt-install, /usr/bin/apt-remove" + +| It might make sense to also allow unprivileged users to allow updating the system: +| "user ALL=NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt dist-upgrade" + +Warning +======= + +| Granting users local access to a system is always a security risk. +| Giving local users the ability to install packages even more so. + +| While the apt-install and apt-remove wrappers do prevent installing malicious packages, +| bugs in any of the packages within the configured Debian repositories can be exploited. + +See also +======== + +| apt(8), +| sudo(8), +| sudoers(5) + +Homepage +======== + +More information about service-tools and the Open Infrastructure project can be +found on the homepage (https://open-infrastructure.net). + +Contact +======= + +Bug reports, feature requests, help, patches, support and everything else are +welcome on the Open Infrastructure Software Mailing List +<software@lists.open-infrastructure.net>. + +Debian specific bugs can also be reported in the Debian Bug Tracking System +(https://bugs.debian.org). + +Authors +======= + +service-tools were written by Daniel Baumann +<daniel.baumann@open-infrastructure.net> and others. |