[sudo-users] sudo & apt-get

Shawn McMahon syberghost at gmail.com
Mon Jul 13 05:43:21 MDT 2015


On Mon, Jul 13, 2015 at 6:59 AM, Tim Bradshaw <tfb at tfeb.org> wrote:

> On 11 Jul 2015, at 23:29, Todd C. Miller <Todd.Miller at courtesan.com>
> wrote:
>
> > You are worrying about the wrong thing, IMHO.  If you are installing
> > untrusted packages, those packages contain scripts that run as root
> > (preinstall, postinstall, etc).  That's the place to put nasty stuff
> > if you are going to do it.
>
> This is the answer.  Even if those packages don't run bad scripts, they
> install potentially arbitrary files, as root.  Installing a package you
> don't know the provenance of is essentially saying you don't care that much
> about security (which is a fine choice to make, but it is a choice).
>
> The only even slightly safe solution to this is signed packages and a
> hairy trust system. I get the impression that a lot of platforms either do
> this or nearly do it now (although in at least some cases (Apple, I'm
> looking at you) some of this security is pretty theatrical).
>

A naive approach that usually eventually occurs to people trying to do this
is to set NOPASSWD entries first, and then follow it up with PASSWD entries
for the commands one wants always prompted. This is of limited utility, and
trivially bypassed. It's even pretty easy to accidentally bypass, since it
depends on the order in which rules are encountered at runtime; you can
make a seemingly trivial change, and then realize you've defeated your
PASSWD entry for months.
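The ordering pitfall described above, as an added illustration that is not part of the thread: a small checker that models the sudoers rule that the last matching entry decides the PASSWD/NOPASSWD tag, and flags PASSWD entries that a later NOPASSWD entry for the same user silently overrides. It assumes a simplified sudoers syntax (one tag per line, exact command paths or ALL, no aliases, host matching or Defaults); the user and command names are constructed.

```python
import re
from typing import NamedTuple

# Constructed sample: the "NOPASSWD first, PASSWD afterwards" pattern.
WEAK_SUDOERS = """\
alice ALL=(ALL) NOPASSWD: ALL
alice ALL=(ALL) PASSWD: /usr/bin/apt-get
"""

# Same file after someone appends one more "convenience" line.
# The later NOPASSWD catch-all now shadows the PASSWD entry above it.
BROKEN_SUDOERS = WEAK_SUDOERS + "alice ALL=(ALL) NOPASSWD: ALL\n"

# Simplified rule: User Host = (Runas) [TAG:] Cmnd, Cmnd, ...
RULE = re.compile(
    r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

class Rule(NamedTuple):
    user: str
    tag: str            # "PASSWD" (sudo's default) or "NOPASSWD"
    commands: tuple     # command paths, or "ALL"

def parse(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        user, tag, cmds = m.groups()
        rules.append(Rule(user, tag or "PASSWD",
                          tuple(c.strip() for c in cmds.split(","))))
    return rules

def effective_tag(rules, user, command):
    """Last matching entry wins; None means the command is not permitted."""
    tag = None
    for r in rules:
        if r.user == user and ("ALL" in r.commands or command in r.commands):
            tag = r.tag
    return tag

def shadowed_passwd_entries(rules):
    """PASSWD entries that a later NOPASSWD rule for the same user overrides."""
    findings = []
    for i, r in enumerate(rules):
        for cmd in r.commands if r.tag == "PASSWD" else ():
            if any(s.user == r.user and s.tag == "NOPASSWD"
                   and ("ALL" in s.commands or cmd in s.commands)
                   for s in rules[i + 1:]):
                findings.append((r.user, cmd))
    return findings
```

Running the checker over the second sample reports the apt-get entry as shadowed, which is the silent failure the message warns about.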
