.. Open Infrastructure: service-tools
.. Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net>
..
.. SPDX-License-Identifier: GPL-3.0+
..
.. This program is free software: you can redistribute it and/or modify
.. it under the terms of the GNU General Public License as published by
.. the Free Software Foundation, either version 3 of the License, or
.. (at your option) any later version.
..
.. This program is distributed in the hope that it will be useful,
.. but WITHOUT ANY WARRANTY; without even the implied warranty of
.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.. GNU General Public License for more details.
..
.. You should have received a copy of the GNU General Public License
.. along with this program. If not, see <https://www.gnu.org/licenses/>.

===========
apt-install
===========

------------------------------------------------------------------------
securely allow unprivileged users to install packages via apt using sudo
------------------------------------------------------------------------

:manual section: 1
:manual group: Open Infrastructure

Synopsis
========

| **sudo apt-install** PACKAGE
| **sudo apt-install** PACKAGE1 PACKAGE2 ...

Description
===========

**apt-install** securely allows unprivileged users to install packages via apt using sudo.

Some background information
===========================

| **Use case**
| On systems managed by a group of system administrators, it would be nice to allow
| unprivileged users to install the packages they like from the pre-configured
| Debian repositories.
|
| **Insecure via sudo**
| Traditionally this has been done by granting unprivileged users the right to run
| sudo with, e.g.:
| "user ALL=NOPASSWD: /usr/bin/apt, /usr/bin/apt-get"
| (see sudoers(5) for information about sudoers, the configuration file for sudo).
|
| **Using local apt configuration**
| Using sudo as above allows for custom apt options to be passed as arguments, e.g.:
| sudo apt update -o APT::Update::Pre-Invoke::="/bin/sh"
|
| Or referring to a local apt configuration file:
| sudo APT_CONFIG=~/apt.conf apt update
|
| **Installing local debian packages**
| Unfortunately this allows not just installing packages from the repositories,
| but also installing local packages:
| sudo apt install ./root-shell.deb
|
| Creating a Debian package that contains a wrapper for a root shell or invokes
| a shell as root from within the maintainer scripts is left to the reader;
| however, there is an example available here:
| https://git.open-infrastructure.net/software/root-shell/
|
| **Using wrapper scripts for apt install and apt remove**
| The apt-install and apt-remove wrappers drop apt options as well as file and path
| arguments to ensure that only packages from the configured Debian repositories can be
| installed.
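
The following is an added example of such a wrapper, written here to illustrate the argument filtering described above; it is not the project's own apt-install script. It assumes it is installed as /usr/bin/apt-install (the path used by the sudoers entries in the sudo configuration section) and that apt lives at /usr/bin/apt. Rather than trying to recognise and strip options and paths, it accepts only strings that can be a Debian package name (lower-case letters, digits, ``+``, ``.`` and ``-``, starting with an alphanumeric) and refuses the whole request if any argument fails that check, which covers options, local ``.deb`` paths, ``pkg/release`` and ``pkg=version`` forms and shell metacharacters in one rule.

```shell
#!/bin/sh
# Added example of an apt-install style wrapper (not the project's own script).
# Assumption: installed as /usr/bin/apt-install, granted via sudoers, apt at /usr/bin/apt.

set -u

# sudo's env_reset normally strips APT_CONFIG already; unsetting it here keeps the
# wrapper safe even if env_keep was configured loosely. A fixed PATH means the apt
# we exec is the system one, and LC_ALL=C makes the character ranges below literal.
unset APT_CONFIG
PATH=/usr/sbin:/usr/bin:/sbin:/bin
LC_ALL=C
export PATH LC_ALL

# valid_package_name NAME
# Accept only what can be a package name from a configured repository, following
# Debian policy: lower-case letters, digits, '+', '.' and '-', at least two
# characters, starting with an alphanumeric. This rejects apt options (leading
# '-'), local files and release suffixes (contain '/'), version pins ('='),
# shell metacharacters, whitespace, and a trailing '-' (apt's "remove" modifier).
valid_package_name() {
    case $1 in
        ''|?)            return 1 ;;   # empty or a single character
        *[!a-z0-9+.-]*)  return 1 ;;   # any character outside the allowed set
        [!a-z0-9]*)      return 1 ;;   # must start with a letter or digit
        *-)              return 1 ;;   # would be read by apt as "remove <name>"
    esac
    return 0
}

# filter_packages ARG...
# Prints every accepted name on its own line; returns 1 if any argument was
# rejected, so the caller refuses the whole request rather than silently
# installing a subset.
filter_packages() {
    status=0
    for arg in "$@"; do
        if valid_package_name "$arg"; then
            printf '%s\n' "$arg"
        else
            printf 'apt-install: rejected argument: %s\n' "$arg" >&2
            status=1
        fi
    done
    return "$status"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo 'apt-install: must be run as root (via sudo)' >&2
        exit 1
    fi
    if [ "$#" -eq 0 ]; then
        echo 'usage: sudo apt-install PACKAGE...' >&2
        exit 1
    fi
    packages=$(filter_packages "$@") || exit 1
    # '--' ends apt's option parsing, so nothing that follows can be taken as an
    # option. Word splitting of $packages is intentional: every name passed the
    # filter above and therefore contains no whitespace or glob characters.
    # shellcheck disable=SC2086
    exec /usr/bin/apt install -- $packages
}

# Hand over to main only when invoked with arguments, so the functions above can
# be sourced and exercised without touching apt.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A whitelist of valid names is deliberately stricter than a blacklist of known-bad prefixes: it also refuses ``pkg+``/``pkg-`` modifiers, regex and ``?`` pattern selectors and task names, none of which an unprivileged user needs for plain installs. An apt-remove variant would use the same ``filter_packages`` and exec ``apt remove -- $packages`` instead.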

sudo configuration
==================

| Users can be granted sudo rights for apt-install and apt-remove via sudoers(5):
| "user ALL=NOPASSWD: /usr/bin/apt-install, /usr/bin/apt-remove"
|
| It might also make sense to allow unprivileged users to update the system:
| "user ALL=NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt dist-upgrade"

Warning
=======

| Granting users local access to a system is always a security risk.
| Giving local users the ability to install packages is even more so.
| While the apt-install and apt-remove wrappers do prevent installing malicious local packages,
| bugs in any of the packages within the configured Debian repositories can still be exploited.

See also
========

| apt(8),
| sudo(8),
| sudoers(5)

Homepage
========

More information about service-tools and the Open Infrastructure project can be
found on the homepage (https://open-infrastructure.net).

Contact
=======

Bug reports, feature requests, help, patches, support and everything else are
welcome on the Open Infrastructure Software Mailing List
<software@lists.open-infrastructure.net>.

Debian-specific bugs can also be reported in the Debian Bug Tracking System
(https://bugs.debian.org).

Authors
=======

service-tools were written by Daniel Baumann
<daniel.baumann@open-infrastructure.net> and others.