restrict apt-get
Hello,
I would like to know if there is a way to protect apt-get (install/remove/purge/etc...) to root users. I would like to add another protection like two-factor authentication for this command,
or another solution so that admin root user could not apt-get install any packages whenever they need (or with another challenge sentence apart from root password) to add a specific package and remove it after it has been used ?
Thank you for your help.
Re: restrict apt-get
warmup031 wrote: I would like to know if there is a way to protect apt-get (install/remove/purge/etc...) to root users. I would like to add another protection like two-factor authentication for this command,
or another solution so that admin root user could not apt-get install any packages whenever they need (or with another challenge sentence apart from root password) to add a specific package and remove it after it has been used ?
This seems odd, why would you choose to have root users that you cannot trust?
I've never had occasion to try anything like what you detail but maybe you can make them sudoers and restrict them to the specific commands you want them to have in that manner. Maybe they don't have to have full root access.
Read the manual for sudo and see if you can find what you want.
Re: restrict apt-get
Hello Thorny,
Sometimes, the root password is known by much more users than we can believe.
So the goal would be to add a restriction level for those one
- stevepusser
Re: restrict apt-get
warmup031 wrote: Hello Thorny,
Sometimes, the root password is known by much more users than we can believe.
So the goal would be to add a restriction level for those one
Why not change the root password if you suspect it's compromised? Do you have to give it to users that you think might abuse it? Sudo is your answer for those, then.
MX Linux packager and developer
Re: restrict apt-get
As stevepusser suggests, the solution is to never give out the root password and set up sudo for those who need limited root powers.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
Re: restrict apt-get
warmup031 wrote: Sometimes, the root password is known by much more users than we can believe.
So the goal would be to add a restriction level for those one
One of the keys to our lock was stolen.
Instead of changing the lock, we need to install a second lock.
Re: restrict apt-get
I don't think he is talking about hackers but more like "fellow sys admins".
In many organisations every member of the team has access to certain root passwords.
But the problem in Linux is that it's very difficult to introduce intermediate users for anything.
The group system is primitive and barely used, almost everything is owned by root, some software will not start when it sees group has rights out of "security" concerns when the owner is root:root, so you also cannot really use the root group for anything either.
Because most stuff runs as root, or many scripts do, giving people access to files executed by root is immediately a security risk, creating a chicken and egg problem to introducing more intermediate users.
Even creating a backup user is difficult unless you use setfacl, because on an ordinary system there can be many files protected from prying eyes and using the ordinary owner/group system you cannot really create a backup user.
I mean you have to meticulously design...
So my point is not that root should not have access to apt-get, but it's difficult to create semi-roots that can still do *some* tasks.
Re: restrict apt-get
dryden wrote: I don't think he is talking about hackers but more like "fellow sys admins".
we did understand that, too.
dryden wrote: The group system is primitive and barely used, almost everything is owned by root
in its default setup maybe.
but sudo can do a LOT LOT LOT more than that.
people get paid to set these things up in a multiuser/multimachine network, and i bet additional software exists to help along with it.
in any case, we shouldn't guess but see what OP has to say for themselves.
Re: restrict apt-get
Well I wouldn't mind learning more about that.
And maybe I shouldn't assume ignorance on behalf of others.
I guess you can do a lot with sudo and sudo would effectively use the group system, but that's about the only thing that enables it but it would still use the root system, if you sudo to any other user you are powerless again.
But there's no reason to be cynical or testy when it's a legitimate problem.
I mean, sudo would in effect be a secondary lock.
I mean to say, I would love to learn about such models.
I think some Unix vendors do have their own privileges system.
(I cannot watch the YouTube on my current link unless I download it first).
Re: restrict apt-get
dryden wrote: Well I wouldn't mind learning more about that.
Well, you know how to do that, eh?
dryden wrote: And maybe I shouldn't assume ignorance on behalf of others.
Absolutely! I agree.
dryden wrote: I guess you can do a lot with sudo and sudo would effectively use the group system, but that's about the only thing that enables it but it would still use the root system, if you sudo to any other user you are powerless again.
Irrelevant.
Sudo is a common solution where you need to restrict users who need some but only some root access. Probably the most common
dryden wrote: But there's no reason to be cynical or testy when it's a legitimate problem.
I didn't read it that way. I just think he was being correct.
dryden wrote: (I cannot watch the YouTube on my current link unless I download it first).
Youtube is not the ultimate source of knowledge.
By the way, I can't watch much Youtube either. Small bandwidth cap on my Internet connection, but I can still use a search engine and read less bandwidth intensive stuff.
[edit] I don't mean to insult you but, man sudo, and, man sudoers, are available on your system, aren't they?
- Head_on_a_Stick
Re: restrict apt-get
AppArmor may be able to do what you want:
https://wiki.debian.org/AppArmor/HowToUse
Or perhaps try SELinux:
https://wiki.debian.org/SELinux/Setup
It's a _lot_ more complicated than AppArmor but it is a fully-fledged MAC framework.
deadbang
Re: restrict apt-get
I think your advice is good H_o_a_S.
However, I'm starting to think that the OP doesn't care any longer, doesn't appear to have revisited.
Re: restrict apt-get
dryden wrote: Well I wouldn't mind learning more about that.
Thorny wrote: Well, you know how to do that, eh?
No actually I have already been googling around for that.
Thorny wrote: Sudo is a common solution where you need to restrict users who need some but only some root access. Probably the most common
That's not my point, that implies one would have to develop an entire system around that first.
Particularly, you cannot then give anyone shell access using sudo.
You are then left with the task of identifying all limited tasks one would be allowed to perform out of the sea of millions of things you can do, but you wouldn't have access to:
- sudo chown
- sudo chmod
- sudo vi
- sudo rm
And so on, no the tasks would have to become much more higher level, such as "restart apache".
It's a monumental task where it would be a lot easier if you can look at the work of others to see what kind of best practices or whatever they've come up with, or even systems designed this way.
Thorny wrote: I didn't read it that way. I just think he was being correct.
Never mind, just a bit of sarcasm when the proposed solution (sudo) is as much a second lock as the other solution (limit apt-get) that was ridiculed.
In fact you could encrypt the apt-get binary and decrypt it using another password before execution.
Then all you need is a wrapper that will do this.
Not a real protection but more policy.
Thorny wrote: Youtube is not the ultimate source of knowledge.
Was only saying that to explain.
Thorny wrote: By the way, I can't watch much Youtube either. Small bandwidth cap on my Internet connection, but I can still use a search engine and read less bandwidth intensive stuff.
This is the reason I was able to say anything about other Unix system in any case, but ready-made systems for other Unixes are not very usable for Linux and also don't tell you much about the models or designs you could have.
Thorny wrote: [edit] I don't mean to insult you but, man sudo, and, man sudoers, are available on your system, aren't they?
The remark about assuming ignorance on behalf of others comes to mind.
I am not talking about the primitive tools, but designs of models.
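Added example, not part of the thread or any poster's code: a small audit of one-line sudoers rules that flags the grants the post above calls out (chown, chmod, vi, rm), plus `ALL` and deny entries stacked on `ALL`, which is the shape an "everything except apt-get" rule would take. The sample policy and its group names are constructed for illustration.

```python
import re

# Commands the post above lists as unsafe to hand out through sudo: each one
# lets the caller rewrite or take ownership of arbitrary root-owned files.
ROOT_EQUIVALENT = {"chown", "chmod", "vi", "rm"}

# Constructed sample policy, not from the thread; group names are hypothetical.
SAMPLE_SUDOERS = """\
# high-level task only, as the post suggests
%webops  ALL=(root) /usr/bin/systemctl restart apache2
%juniors ALL=(root) /usr/bin/vi, /bin/chown
%seniors ALL=(ALL) NOPASSWD: ALL, !/usr/bin/apt-get
"""

# who  host = (runas) command[, command...]   (single-line user rules only)
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def audit(sudoers_text):
    """Return (who, command, reason) for every risky grant in simple rules."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        match = RULE.match(line)
        if not line or line.startswith(SKIP) or not match:
            continue
        who = match["who"]
        # Drop tags such as NOPASSWD: so only the command itself is judged.
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())
                for c in match["cmds"].split(",") if c.strip()]
        for cmd in cmds:
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((who, cmd, "grants every command"))
            elif cmd.startswith("!") and "ALL" in cmds:
                # sudoers(5) notes that subtracting commands from ALL is not effective
                findings.append((who, cmd, "deny entry on top of ALL"))
            elif name in ROOT_EQUIVALENT:
                findings.append((who, cmd, "root-equivalent command"))
    return findings


if __name__ == "__main__":
    for who, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{who:10} {cmd:22} {reason}")
```

Only the `%webops` rule passes: it names one complete command line, which is the "restart apache" style of grant the post describes.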
Re: restrict apt-get
dryden wrote: The remark about assuming ignorance on behalf of others comes to mind.
I speak plainly (write) and generally mean things literally, rarely use sarcasm and rarely mean to insult.
On the Internet it is usually a good idea to develop a "thick skin", not find insults too often.
Peace dude!
Re: restrict apt-get
Hmm indeed it is hard for me to understand that you would not have meant that sarcastically.
(Particularly as every Debian system or any other system unless you are speaking some NAS) would have those manual pages installed indeed.
Oh I have a thick skin. But overall I think my mental health goes down from being too much around programmer types and not enough around ordinary people (or pleasant people in general) as I'm probably starting to internalize the harsh, critical voices you so often come across.
There is often very little... affirmative voices or appreciation to be found.
Re: restrict apt-get
Okay, I think I understand you.
I'm high functioning autistic, we generally mean things literally.
Now, I will STFU and let you have the last word if that is what you desire.
Re: restrict apt-get
You are putting me in a difficult tie.
I don't care about having the last word, but I would have to prove that by not responding, which is not very nice.
Well enough about the banter, but thank you for the kind response in any case. (You can respond all you want).