restrict apt-get


Postby warmup031 » 2018-01-27 06:40

Hello,

I would like to know if there is a way to protect apt-get (install/remove/purge/etc...) to root users. I would like to add another protection like two-factor authentication for this command,
or another solution so that admin root user could not apt-get install any packages whenever they need (or with another challenge sentence apart from root password) to add a specific package and remove it after it has been used?

Thank you for your help.
warmup031
 
Posts: 3
Joined: 2018-01-27 06:32

Re: restrict apt-get

Postby Thorny » 2018-01-27 09:33

warmup031 wrote:I would like to know if there is a way to protect apt-get (install/remove/purge/etc...) to root users. I would like to add another protection like two-factor authentication for this command,
or another solution so that admin root user could not apt-get install any packages whenever they need (or with another challenge sentence apart from root password) to add a specific package and remove it after it has been used?

This seems odd, why would you choose to have root users that you cannot trust?

I've never had occasion to try anything like what you detail but maybe you can make them sudoers and restrict them to the specific commands you want them to have in that manner. Maybe they don't have to have full root access.

Read the manual for sudo and see if you can find what you want.
Thorny
 
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

Postby warmup031 » 2018-02-02 18:14

Hello Thorny,

Sometimes, the root password is known by many more users than we can believe.
So the goal would be to add a restriction level for those ones.
warmup031
 
Posts: 3
Joined: 2018-01-27 06:32

Re: restrict apt-get

Postby stevepusser » 2018-02-02 18:22

warmup031 wrote:Hello Thorny,

Sometimes, the root password is known by many more users than we can believe.
So the goal would be to add a restriction level for those ones.


Why not change the root password if you suspect it's compromised? Do you have to give it to users that you think might abuse it? Sudo is your answer for those, then.
stevepusser
 
Posts: 9536
Joined: 2009-10-06 05:53

Re: restrict apt-get

Postby steve_v » 2018-02-03 02:34

As stevepusser suggests, the solution is to never give out the root password and set up sudo for those who need limited root powers.
steve_v
 
Posts: 686
Joined: 2012-10-06 05:31
Location: New Zealand

Re: restrict apt-get

Postby debiman » 2018-02-03 11:12

warmup031 wrote:Sometimes, the root password is known by many more users than we can believe.
So the goal would be to add a restriction level for those ones.

One of the keys to our lock was stolen.
Instead of changing the lock, we need to install a second lock.
debiman
 
Posts: 2209
Joined: 2013-03-12 07:18

Re: restrict apt-get

Postby dryden » 2018-02-10 01:11

I don't think he is talking about hackers but more like "fellow sys admins".

In many organisations every member of the team has access to certain root passwords.

But the problem in Linux is that it's very difficult to introduce intermediate users for anything.

The group system is primitive and barely used, almost everything is owned by root, some software will not start when it sees group has rights out of "security" concerns when the owner is root:root, so you also cannot really use the root group for anything either.

Because most stuff runs as root, or many scripts do, giving people access to files executed by root is immediately a security risk, creating a chicken and egg problem to introducing more intermediate users.

Even creating a backup user is difficult unless you use setfacl, because on an ordinary system there can be many files protected from prying eyes and using the ordinary owner/group system you cannot really create a backup user.

I mean you have to meticulously design...

So my point is not that root should not have access to apt-get, but it's difficult to create semi-roots that can still do *some* tasks.
dryden
 
Posts: 79
Joined: 2015-02-04 08:54

Re: restrict apt-get

Postby debiman » 2018-02-10 07:15

dryden wrote:I don't think he is talking about hackers but more like "fellow sys admins".

we did understand that, too.

dryden wrote:The group system is primitive and barely used, almost everything is owned by root

in its default setup maybe.
but sudo can do a LOT LOT LOT more than that.
people get paid to set these things up in a multiuser/multimachine network, and i bet additional software exists to help along with it.

in any case, we shouldn't guess but see what OP has to say for themselves.
debiman
 
Posts: 2209
Joined: 2013-03-12 07:18

Re: restrict apt-get

Postby dryden » 2018-02-10 09:24

Well I wouldn't mind learning more about that.

And maybe I shouldn't assume ignorance on behalf of others.

I guess you can do a lot with sudo and sudo would effectively use the group system, but that's about the only thing that enables it but it would still use the root system, if you sudo to any other user you are powerless again.

But there's no reason to be cynical or testy when it's a legitimate problem ;-).

I mean, sudo would in effect be a secondary lock.

I mean to say, I would love to learn about such models.

I think some Unix vendors do have their own privileges system.

(I cannot watch the YouTube on my current link unless I download it first).
dryden
 
Posts: 79
Joined: 2015-02-04 08:54

Re: restrict apt-get

Postby Thorny » 2018-02-10 09:40

dryden wrote:Well I wouldn't mind learning more about that.

Well, you know how to do that, eh?
dryden wrote:And maybe I shouldn't assume ignorance on behalf of others.

Absolutely! I agree.
dryden wrote:I guess you can do a lot with sudo and sudo would effectively use the group system, but that's about the only thing that enables it but it would still use the root system, if you sudo to any other user you are powerless again.

Irrelevant.
Sudo is a common solution where you need to restrict users who need some but only some root access. Probably the most common.
dryden wrote:But there's no reason to be cynical or testy when it's a legitimate problem ;-).

I didn't read it that way. I just think he was being correct.
dryden wrote:(I cannot watch the YouTube on my current link unless I download it first).

Youtube is not the ultimate source of knowledge. ;-)

By the way, I can't watch much Youtube either. Small bandwidth cap on my Internet connection, but I can still use a search engine and read less bandwidth intensive stuff.

[edit] I don't mean to insult you but, man sudo, and, man sudoers, are available on your system, aren't they?
Thorny
 
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

Postby Head_on_a_Stick » 2018-02-10 09:56

AppArmor may be able to do what you want:

https://wiki.debian.org/AppArmor/HowToUse

Or perhaps try SELinux:

https://wiki.debian.org/SELinux/Setup

It's a _lot_ more complicated than AppArmor but it is a fully-fledged MAC framework.
Head_on_a_Stick
 
Posts: 7458
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: restrict apt-get

Postby Thorny » 2018-02-10 10:24

I think your advice is good H_o_a_S.
However, I'm starting to think that the OP doesn't care any longer, doesn't appear to have revisited.
Thorny
 
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

Postby dryden » 2018-02-10 10:44

Thorny wrote:
dryden wrote:Well I wouldn't mind learning more about that.

Well, you know how to do that, eh?


No actually I have already been googling around for that.

Thorny wrote:Sudo is a common solution where you need to restrict users who need some but only some root access. Probably the most common.


That's not my point, that implies one would have to develop an entire system around that first.

Particularly, you cannot then give anyone shell access using sudo.

You are then left with the task of identifying all limited tasks one would be allowed to perform out of the sea of millions of things you can do, but you wouldn't have access to:

- sudo chown
- sudo chmod
- sudo vi
- sudo rm

And so on; no, the tasks would have to become much higher level, such as "restart apache".

It's a monumental task where it would be a lot easier if you can look at the work of others to see what kind of best practices or whatever they've come up with, or even systems designed this way.

Thorny wrote:I didn't read it that way. I just think he was being correct.


Never mind, just a bit of sarcasm when the proposed solution (sudo) is as much a second lock as the other solution (limit apt-get) that was ridiculed.

In fact you could encrypt the apt-get binary and decrypt it using another password before execution.

Then all you need is a wrapper that will do this.

Not a real protection but more policy.

Thorny wrote:Youtube is not the ultimate source of knowledge. ;-)


Was only saying that to explain.

Thorny wrote:By the way, I can't watch much Youtube either. Small bandwidth cap on my Internet connection, but I can still use a search engine and read less bandwidth intensive stuff.


This is the reason I was able to say anything about other Unix system in any case, but ready-made systems for other Unixes are not very usable for Linux and also don't tell you much about the models or designs you could have.

Thorny wrote:[edit] I don't mean to insult you but, man sudo, and, man sudoers, are available on your system, aren't they?


The remark about assuming ignorance on behalf of others comes to mind ;-).

I am not talking about the primitive tools, but designs of models.
dryden
 
Posts: 79
Joined: 2015-02-04 08:54
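
The distinction drawn in the post above, between generic tools (`sudo chown`, `sudo chmod`, `sudo vi`, `sudo rm`) and task-level grants such as "restart apache", can be checked mechanically over a sudoers file. This is an added example, not part of any post in the thread; the users, groups and paths in the sample policy are constructed, and the audit assumes one rule per line.

```shell
#!/bin/sh
# Added example: flag sudoers grants that are effectively full root.
# All users, groups and paths below are constructed for illustration.

# Constructed sample policy: task-level grants next to generic-tool grants.
sample_policy() {
cat <<'EOF'
Cmnd_Alias APACHE_CTL = /bin/systemctl restart apache2, /bin/systemctl reload apache2
%webops ALL = (root) APACHE_CTL
%pkgops ALL = (root) /usr/bin/apt-get update
alice   ALL = (root) /usr/bin/vi
bob     ALL = (ALL) ALL
carol   ALL = (root) NOPASSWD: /bin/chown, /bin/chmod
EOF
}

# Reads sudoers text on stdin and prints "principal<TAB>command" for each
# grant of ALL, or of chown/chmod/vi/rm with no fixed arguments.
# Assumes one rule per line (no backslash continuations, no #include).
audit_sudoers() {
  awk '
    /^[ \t]*(#|$)/ || /^(User|Host|Runas)_Alias/ || /^Defaults/ { next }
    {
      who = ($1 == "Cmnd_Alias") ? $2 : $1   # report alias names too
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)         # drop "user host =" or "alias ="
      sub(/^\([^)]*\)[ \t]*/, "", spec)      # drop the "(runas)" part
      gsub(/[A-Z_]+:[ \t]*/, "", spec)       # drop tags such as NOPASSWD:
      sub(/[ \t]+$/, "", spec)
      n = split(spec, cmds, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++)
        if (cmds[i] == "ALL" || cmds[i] ~ /\/(chown|chmod|vi|rm)$/)
          printf "%s\t%s\n", who, cmds[i]
    }'
}

sample_policy | audit_sudoers
```

Validate any real drop-in with `visudo -cf <file>` before installing it.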

Re: restrict apt-get

Postby Thorny » 2018-02-10 10:54

dryden wrote:The remark about assuming ignorance on behalf of others comes to mind ;-).

I speak plainly (write) and generally mean things literally, rarely use sarcasm and rarely mean to insult.

On the Internet it is usually a good idea to develop a "thick skin", not find insults too often.

Peace dude!
Thorny
 
Posts: 542
Joined: 2011-02-27 13:40

Re: restrict apt-get

Postby dryden » 2018-02-10 11:39

Hmm indeed it is hard for me to understand that you would not have meant that sarcastically.

(Particularly as every Debian system or any other system unless you are speaking some NAS) would have those manual pages installed indeed.

Oh I have a thick skin. But overall I think my mental health goes down from being too much around programmer types and not enough around ordinary people (or pleasant people in general) as I'm probably starting to internalize the harsh, critical voices you so often come across.

There is often very little... affirmative voices or appreciation to be found.
dryden
 
Posts: 79
Joined: 2015-02-04 08:54
