Timothy M Butterworth: > All, > > I just ran across this article > https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested > the attacks on Debian 11 and they work successfully giving me a root > shell prompt. > > Tim >
Hi Tim, All of the attacks presented assumes that the local user has "sudo" permissions to run apt and use that as the basis for escalating privileges (not commenting on yum or snap). I think it is a good demonstration of how some sudo policies are too lenient and can be exploited. Though I am not sure this is a bug in apt, as I do not think apt ever promised to be "safe" to use from a constrained sudo policy. Note that the blog post itself also mentions this: """ [...] In certain cases the user should not be a root/admin user but has been assigned sudo permissions to run the package manager only for package management purposes. We’ll look at how this permission can be abused to gain root access to the machine via a root shell. """ (from the "Introduction") My reading is that "this permission" refers to the "assigned sudo permissions". Thanks, ~Niels