restrict apt-get

Ask for help with issues regarding the Installations of the Debian O/S.
warmup031
Posts: 3
Joined: 2018-01-27 06:32

restrict apt-get

#1 Post by warmup031 »

Hello,

I would like to know if there is a way to protect apt-get (install/remove/purge/etc...) to root users. I would like to add another protection like two-factor authentication for this command,
or another solution so that admin root user could not apt-get install any packages whenever they need (or with another challenge sentence apart from root password) to add a specific package and remove it after it has been used ?

Thank you for your help.

Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

#2 Post by Thorny »

warmup031 wrote: I would like to know if there is a way to protect apt-get (install/remove/purge/etc...) to root users. I would like to add another protection like two-factor authentication for this command,
or another solution so that admin root user could not apt-get install any packages whenever they need (or with another challenge sentence apart from root password) to add a specific package and remove it after it has been used ?
This seems odd, why would you choose to have root users that you cannot trust?

I've never had occasion to try anything like what you detail but maybe you can make them sudoers and restrict them to the specific commands you want them to have in that manner. Maybe they don't have to have full root access.

Read the manual for sudo and see if you can find what you want.

warmup031
Posts: 3
Joined: 2018-01-27 06:32

Re: restrict apt-get

#3 Post by warmup031 »

Hello Thorny,

Sometimes, the root password is known by many more users than we can believe.
So the goal would be to add a restriction level for those ones.

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: restrict apt-get

#4 Post by stevepusser »

warmup031 wrote:Hello Thorny,

Sometimes, the root password is known by many more users than we can believe.
So the goal would be to add a restriction level for those ones.
Why not change the root password if you suspect it's compromised? Do you have to give it to users that you think might abuse it? Sudo is your answer for those, then.
MX Linux packager and developer

steve_v
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: restrict apt-get

#5 Post by steve_v »

As stevepusser suggests, the solution is to never give out the root password and set up sudo for those who need limited root powers.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: restrict apt-get

#6 Post by debiman »

warmup031 wrote: Sometimes, the root password is known by many more users than we can believe.
So the goal would be to add a restriction level for those ones.
One of the keys to our lock was stolen.
Instead of changing the lock, we need to install a second lock.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: restrict apt-get

#7 Post by dryden »

I don't think he is talking about hackers but more like "fellow sys admins".

In many organisations every member of the team has access to certain root passwords.

But the problem in Linux is that it's very difficult to introduce intermediate users for anything.

The group system is primitive and barely used, almost everything is owned by root, some software will not start when it sees group has rights out of "security" concerns when the owner is root:root, so you also cannot really use the root group for anything either.

Because most stuff runs as root, or many scripts do, giving people access to files executed by root is immediately a security risk, creating a chicken and egg problem to introducing more intermediate users.

Even creating a backup user is difficult unless you use setfacl, because on an ordinary system there can be many files protected from prying eyes and using the ordinary owner/group system you cannot really create a backup user.

I mean you have to meticulously design...

So my point is not that root should not have access to apt-get, but it's difficult to create semi-roots that can still do *some* tasks.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: restrict apt-get

#8 Post by debiman »

dryden wrote:I don't think he is talking about hackers but more like "fellow sys admins".
we did understand that, too.
dryden wrote: The group system is primitive and barely used, almost everything is owned by root
in its default setup maybe.
but sudo can do a LOT LOT LOT more than that.
people get paid to set these things up in a multiuser/multimachine network, and i bet additional software exists to help along with it.

in any case, we shouldn't guess but see what OP has to say for themselves.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: restrict apt-get

#9 Post by dryden »

Well I wouldn't mind learning more about that.

And maybe I shouldn't assume ignorance on behalf of others.

I guess you can do a lot with sudo and sudo would effectively use the group system, but that's about the only thing that enables it but it would still use the root system, if you sudo to any other user you are powerless again.

But there's no reason to be cynical or testy when it's a legitimate problem ;-).

I mean, sudo would in effect be a secondary lock.

I mean to say, I would love to learn about such models.

I think some Unix vendors do have their own privileges system.

(I cannot watch the YouTube on my current link unless I download it first).

Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

#10 Post by Thorny »

dryden wrote:Well I wouldn't mind learning more about that.
Well, you know how to do that, eh?
dryden wrote:And maybe I shouldn't assume ignorance on behalf of others.
Absolutely! I agree.
dryden wrote:I guess you can do a lot with sudo and sudo would effectively use the group system, but that's about the only thing that enables it but it would still use the root system, if you sudo to any other user you are powerless again.
Irrelevant.
Sudo is a common solution where you need to restrict users who need some but only some root access. Probably the most common.
dryden wrote:But there's no reason to be cynical or testy when it's a legitimate problem ;-).
I didn't read it that way. I just think he was being correct.
dryden wrote:(I cannot watch the YouTube on my current link unless I download it first).
Youtube is not the ultimate source of knowledge. ;-)

By the way, I can't watch much Youtube either. Small bandwidth cap on my Internet connection, but I can still use a search engine and read less bandwidth intensive stuff.

[edit] I don't mean to insult you but, man sudo, and, man sudoers, are available on your system, aren't they?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: restrict apt-get

#11 Post by Head_on_a_Stick »

AppArmor may be able to do what you want:

https://wiki.debian.org/AppArmor/HowToUse

Or perhaps try SELinux:

https://wiki.debian.org/SELinux/Setup

It's a _lot_ more complicated than AppArmor but it is a fully-fledged MAC framework.
deadbang

Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

#12 Post by Thorny »

I think your advice is good H_o_a_S.
However, I'm starting to think that the OP doesn't care any longer, doesn't appear to have revisited.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: restrict apt-get

#13 Post by dryden »

Thorny wrote:
dryden wrote:Well I wouldn't mind learning more about that.
Well, you know how to do that, eh?
No actually I have already been googling around for that.
Thorny wrote: Sudo is a common solution where you need to restrict users who need some but only some root access. Probably the most common.
That's not my point, that implies one would have to develop an entire system around that first.

Particularly, you cannot then give anyone shell access using sudo.

You are then left with the task of identifying all limited tasks one would be allowed to perform out of the sea of millions of things you can do, but you wouldn't have access to:

- sudo chown
- sudo chmod
- sudo vi
- sudo rm

And so on; no, the tasks would have to become much higher level, such as "restart apache".

It's a monumental task where it would be a lot easier if you can look at the work of others to see what kind of best practices or whatever they've come up with, or even systems designed this way.
Thorny wrote: I didn't read it that way. I just think he was being correct.
Never mind, just a bit of sarcasm when the proposed solution (sudo) is as much a second lock as the other solution (limit apt-get) that was ridiculed.

In fact you could encrypt the apt-get binary and decrypt it using another password before execution.

Then all you need is a wrapper that will do this.

Not a real protection but more policy.
Thorny wrote: Youtube is not the ultimate source of knowledge. ;-)
Was only saying that to explain.
Thorny wrote: By the way, I can't watch much Youtube either. Small bandwidth cap on my Internet connection, but I can still use a search engine and read less bandwidth intensive stuff.
This is the reason I was able to say anything about other Unix system in any case, but ready-made systems for other Unixes are not very usable for Linux and also don't tell you much about the models or designs you could have.
Thorny wrote: [edit] I don't mean to insult you but, man sudo, and, man sudoers, are available on your system, aren't they?
The remark about assuming ignorance on behalf of others comes to mind ;-).

I am not talking about the primitive tools, but designs of models.
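
Added example, not taken from any post in this thread: a sudoers drop-in showing the approach the replies describe, with the weak rules commented out beside a restricted form built from high-level tasks like the "restart apache" case above. The group names `%webops` and `%pkgops`, the file name, the `apache2` unit and the `tcpdump` package are assumptions chosen for illustration.

```sudoers
# /etc/sudoers.d/ops  (hypothetical drop-in; edit with: visudo -f /etc/sudoers.d/ops)

# Weak: equivalent to handing out the root password. apt-get, shells,
# editors, chown, chmod and rm all run as root.
# %ops     ALL=(ALL:ALL) ALL

# Also weak: subtracting from ALL. sudoers(5) itself warns that "!"
# exclusions from ALL are generally not effective as a restriction.
# %ops     ALL=(ALL:ALL) ALL, !/usr/bin/apt-get

# Restricted: only named, high-level tasks. Each entry carries its full
# argument list, so sudo matches the arguments exactly; no wildcards,
# because extra apt-get options would widen what the rule permits.
Cmnd_Alias WEB_SVC  = /usr/bin/systemctl restart apache2, \
                      /usr/bin/systemctl reload apache2
Cmnd_Alias PKG_TEMP = /usr/bin/apt-get install tcpdump, \
                      /usr/bin/apt-get purge tcpdump

# Ask for the caller's own password on every invocation (no cached ticket).
Defaults:%webops timestamp_timeout=0
Defaults:%pkgops timestamp_timeout=0

# Members of these (assumed) groups never need the root password.
%webops  ALL=(root) WEB_SVC
%pkgops  ALL=(root) PKG_TEMP
```

Check the file with `visudo -cf /etc/sudoers.d/ops` before relying on it. The rules only constrain accounts that do not also know the root password, which is why the replies pair sudo with changing it.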

Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

#14 Post by Thorny »

dryden wrote:The remark about assuming ignorance on behalf of others comes to mind ;-).
I speak plainly (write) and generally mean things literally, rarely use sarcasm and rarely mean to insult.

On the Internet it is usually a good idea to develop a "thick skin", not find insults too often.

Peace dude!

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: restrict apt-get

#15 Post by dryden »

Hmm indeed it is hard for me to understand that you would not have meant that sarcastically.

(Particularly as every Debian system or any other system unless you are speaking some NAS) would have those manual pages installed indeed.

Oh I have a thick skin. But overall I think my mental health goes down from being too much around programmer types and not enough around ordinary people (or pleasant people in general) as I'm probably starting to internalize the harsh, critical voices you so often come across.

There is often very little... affirmative voices or appreciation to be found.

Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

#16 Post by Thorny »

Okay, I think I understand you.

I'm high functioning autistic, we generally mean things literally.

Now, I will STFU and let you have the last word if that is what you desire.

dryden
Posts: 80
Joined: 2015-02-04 08:54

Re: restrict apt-get

#17 Post by dryden »

You are putting me in a difficult tie.

I don't care about having the last word, but I would have to prove that by not responding, which is not very nice.

Well enough about the banter, but thank you for the kind response in any case. (You can respond all you want).
