❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:

>> I just ran across this article
>> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
>> the attacks on Debian 11 and they work successfully giving me a root
>> shell prompt.
> I don't think calling this "privilege escalation" or "attack" is correct.
> The premise of the post is "the user should not be a root/admin user but
> has been assigned sudo permissions to run the package manager" and one
> doesn't really need a long article to prove that it's not secure.

I think the article is interesting nonetheless. Some people may think
that granting sudo on apt is OK. In the past, I think "apt install
./something.deb" was not possible.

I give myself passwordless sudo to "apt update" (without additional
options), "apt upgrade" (same), "apt full-upgrade" (same). I was
thinking this should be safe, but now I need to check if the pager is
properly restricted when displaying the NEWS file.

A similar "vulnerability" was fixed in systemd:

- https://gtfobins.github.io/gtfobins/systemctl/
- https://github.com/keszybz/systemd/commit/612ebf6c913dd0e4197c44909cb3157f5c51a2f0

Maybe it would be worth also setting LESSSECURE (less is not the default
pager on minimal installs but I think it is the most common, more cannot
be secured this way).
-- 
Use data arrays to avoid repetitive control sequences.
            - The Elements of Programming Style (Kernighan & Plauger)
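
An added example, not part of the message above or of any Debian tooling: a small audit of sudoers rules that grant package-manager commands, separating grants with unrestricted or wildcard arguments from fixed-argument grants like the ones described in the message. The sample rules, user names, binary list and risk labels are constructed assumptions; the "check-pager" label only reflects the concern raised in the message about a pager showing the NEWS file during upgrades.

```python
import os
import re

# Assumed list of package-manager binaries to audit (Debian family).
PKG_MANAGERS = {"apt", "apt-get", "aptitude", "dpkg"}
# Subcommands that change packages; the message's concern is that a pager may be shown.
UPGRADING = {"install", "upgrade", "full-upgrade", "dist-upgrade"}

# Constructed sample rules, not taken from any real system.
SAMPLE_SUDOERS = """\
alice ALL=(root) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt full-upgrade
bob   ALL=(root) /usr/bin/apt
carol ALL=(root) NOPASSWD: /usr/bin/apt-get install *
dave  ALL=(root) /usr/bin/systemctl restart nginx
"""

def audit(text):
    """Return (user, command, risk) for every package-manager grant found."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        user = who.split()[0]
        spec = re.sub(r"^\s*\([^)]*\)", "", spec)            # drop the (runas) part
        for cmd in spec.split(","):
            cmd = re.sub(r"^\s*(?:[A-Z]+:\s*)+", "", cmd).strip()  # drop tags such as NOPASSWD:
            if not cmd:
                continue
            path, _, args = cmd.partition(" ")
            if os.path.basename(path) not in PKG_MANAGERS:
                continue
            args = args.strip()
            if not args:
                risk = "any-arguments"        # sudoers: no args listed means any args match
            elif re.search(r"[*?\[]", args):
                risk = "wildcard-arguments"   # glob in args widens what may be run
            elif args.split()[0] in UPGRADING:
                risk = "fixed-arguments-check-pager"
            else:
                risk = "fixed-arguments"
            findings.append((user, cmd, risk))
    return findings

if __name__ == "__main__":
    for user, cmd, risk in audit(SAMPLE_SUDOERS):
        print(f"{user:6} {risk:28} {cmd}")
```
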