On 2021-08-12 08:32, Vincent Bernat wrote:
❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
I just ran across this article
https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I
tested
the attacks on Debian 11 and they work successfully giving me a root
shell prompt.
I don't think calling this "privilege escalation" or "attack" is
correct.
The premise of the post is "the user should not be a root/admin user
but
has been assigned sudo permissions to run the package manager" and one
doesn't really need a long article to prove that it's not secure.
I think the article is interesting nonetheless. Some people may think
that granting sudo on apt is OK. In the past, I think "apt install
./something.deb" was not possible.
I think the actual solution here is PackageKit. My understanding is that
it does not let you do this when you grant the package-install
permission to users. And it even lets you do flexible policies through
polkit.
And sure, that still allows users to install packages from any
configured source which might include packages with vulnerabilities or
intended privilege escalation. But that feels like a different, more
general problem.
Kind regards
Philipp Kern