.. Open Infrastructure: service-tools
.. Copyright (C) 2014-2024 Daniel Baumann
..
.. SPDX-License-Identifier: GPL-3.0+
..
.. This program is free software: you can redistribute it and/or modify
.. it under the terms of the GNU General Public License as published by
.. the Free Software Foundation, either version 3 of the License, or
.. (at your option) any later version.
..
.. This program is distributed in the hope that it will be useful,
.. but WITHOUT ANY WARRANTY; without even the implied warranty of
.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.. GNU General Public License for more details.
..
.. You should have received a copy of the GNU General Public License
.. along with this program. If not, see .

===========
apt-install
===========

------------------------------------------------------------------------
securely allow unprivileged users to install packages via apt using sudo
------------------------------------------------------------------------

:manual section: 1
:manual group: Open Infrastructure

Synopsis
========

| **sudo apt-install** PACKAGE
| **sudo apt-install** PACKAGE1 PACKAGE2 ...

Description
===========

**apt-install** securely allows unprivileged users to install packages via apt using sudo.

Some background information
===========================

| **Use case**
| On systems managed by a group of system administrators, it would be nice to allow
| unprivileged users to install the packages they like from the pre-configured
| Debian repositories.
|
| **Insecure via sudo**
| Traditionally this has been done by allowing the unprivileged users to run
| sudo with e.g.:
| "user ALL=NOPASSWD: /usr/bin/apt, /usr/bin/apt-get"
| (see sudoers(5) for information about sudoers, the configuration file for sudo).
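The grant above hands the whole apt command line to the user, and the remainder of this section shows what that allows. The fix this page builds towards is a wrapper that lets nothing but package names through to apt. What follows is an added example of such a wrapper written for this page; it is not the service-tools apt-install script itself, which is not reproduced here. It assumes apt-get lives at /usr/bin/apt-get, uses grep -E for the name check, and would be installed as /usr/bin/apt-install and granted via the sudoers line "user ALL=NOPASSWD: /usr/bin/apt-install".

```shell
#!/bin/sh
# apt-install wrapper (added example, not the service-tools script):
# accept only plain Debian package names and hand them to apt-get, so that
# sudo rights on this script cannot be turned into apt options, local .deb
# paths, or an alternative apt configuration.
set -eu

# Only names matching Debian policy (lowercase letters, digits, '+', '-', '.',
# at least two characters, starting with a letter or digit) are accepted.
# This rejects options (-o, --config-file), paths (./x.deb, /tmp/x.deb),
# version and release selectors (pkg=1.0, pkg/sid) and apt's pattern
# syntax (~nfoo, ?name(foo), lib*).
valid_package_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9+.-]+$'
}

# Return 0 only if there is at least one argument and every argument is a
# plain package name; report the first offender on stderr otherwise.
check_args() {
    for arg in "$@"; do
        if ! valid_package_name "$arg"; then
            printf 'apt-install: rejected argument: %s\n' "$arg" >&2
            return 1
        fi
    done
    [ "$#" -gt 0 ]
}

main() {
    if ! check_args "$@"; then
        printf 'usage: apt-install PACKAGE [PACKAGE ...]\n' >&2
        return 1
    fi
    # Defence in depth: sudo's default env_reset drops APT_CONFIG already,
    # but a grant carrying the SETENV tag would let the caller pass it in.
    unset APT_CONFIG
    export PATH=/usr/sbin:/usr/bin:/sbin:/bin
    # '--' ends option parsing (assumed apt-get path below), so even an
    # argument that slipped past the check could not be read as an option.
    exec /usr/bin/apt-get install -- "$@"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The name check deliberately rejects everything apt would otherwise interpret: a leading dash (options), "/" (paths and pkg/suite release selection), "=" (pkg=version) and the "~", "?" and "*" pattern syntax, so users cannot pick versions or releases either; that restriction is intentional. The same check serves an apt-remove wrapper with "remove" in place of "install".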
|
| **Using local apt configuration**
| Using sudo as above allows custom apt options to be passed as arguments, e.g.:
| sudo apt update -o APT::Update::Pre-Invoke::="/bin/sh"
|
| Or referring to a local apt configuration file (sudo's default env_reset drops
| APT_CONFIG unless the grant carries the SETENV tag or the variable is listed in
| env_keep):
| sudo APT_CONFIG=~/apt.conf apt update
|
| Either way, apt runs the user-supplied command or configuration as root.
|
| **Installing local Debian packages**
| Unfortunately this allows not just installing packages from the repositories,
| but also installing local packages:
| sudo apt install ./root-shell.deb
|
| Creating a Debian package that contains a wrapper for a root shell or invokes
| a shell as root from within the maintainer scripts is left to the reader,
| however, there's an example available here:
| https://git.open-infrastructure.net/software/root-shell/
|
| **Using wrapper scripts for apt install and apt remove**
| The apt-install and apt-remove wrappers drop options as well as file and path
| arguments, so that only package names reach apt and only packages from the
| configured Debian repositories can be installed.

sudo configuration
==================

| Users can be granted sudo rights for apt-install and apt-remove via sudoers(5):
| "user ALL=NOPASSWD: /usr/bin/apt-install, /usr/bin/apt-remove"
|
| It might make sense to also allow unprivileged users to update the system:
| "user ALL=NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt dist-upgrade"
| (sudoers matches listed arguments exactly, so these entries permit the bare
| subcommands only and no additional options).

Warning
=======

| Granting users local access to a system is always a security risk.
| Giving local users the ability to install packages even more so.
| While the apt-install and apt-remove wrappers do prevent installing packages
| from outside the configured Debian repositories, bugs in any of the packages
| within those repositories can still be exploited, and the user chooses which
| of them get installed.

See also
========

| apt(8),
| sudo(8),
| sudoers(5)

Homepage
========

More information about service-tools and the Open Infrastructure project can be found on the homepage (https://open-infrastructure.net).
Contact
=======

Bug reports, feature requests, help, patches, support and everything else are welcome on the Open Infrastructure Software Mailing List.

Debian-specific bugs can also be reported in the Debian Bug Tracking System (https://bugs.debian.org).

Authors
=======

service-tools were written by Daniel Baumann and others.