On 2021-08-12 17:56, Marc Haber wrote:
> On Thu, 12 Aug 2021 13:44:24 +0200, Philipp Kern <pk...@debian.org>
> wrote:
>> On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
>>> Now if people start doing stuff they don't master then it's not
>>> privilege escalation but much more something like another manifestation
>>> of human stupidity. And this, there won't be a number of articles
>>> sufficient to make people change.
>> [...]
>>> This is only an article made to get people onto a website and see
>>> publicity or whatever goal the author set. There's nothing genuine in
>>> there.
>>
>> I think it's less about human stupidity than about all the knowledge you need to acquire (and retain) to securely administer a system. It is not
>> easy. The concern expressed here is pretty much common knowledge among
>> sysadmins of ye olde times.
>
> I think the essence of the article is that on some apt/dpkg using
> distributions, a "normal" user gets sudo rights to do apt only (I have
> never seen that on Debian, do we do this in some corner case?) and is
> able to escalate to root from that trivially, even without doctoring
> some malicious package, just shell out from dpkg's conffile prompt to
> a full root shell.

You know that this is a bad idea (granting sudo to apt without a wrapper). I know that this is a bad idea. That was my point. Plus that this is a very common trope in multi-user settings that you want to hand out some privilege to install packages.

Kind regards
Philipp Kern
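
A check for the configuration discussed in this thread, as an added example that is not part of any of the messages: it scans sudoers text for rules that grant apt, apt-get, aptitude or dpkg directly rather than through a wrapper. The sample sudoers content, the user names and the wrapper path `install-approved-package` are constructed for illustration.

```python
import os
import re

# Package tools the thread is about: run via sudo, they execute maintainer
# scripts and dpkg's conffile prompt as root.
PKG_TOOLS = {"apt", "apt-get", "aptitude", "dpkg"}

# Constructed sample (not from a real host); the wrapper path is hypothetical.
SAMPLE = r"""
Defaults env_reset
Cmnd_Alias PKG = /usr/bin/apt-get, /usr/bin/dpkg -i *
alice ALL = (root) NOPASSWD: PKG
bob   ALL = (root) /usr/local/sbin/install-approved-package
%ops  ALL = (ALL : ALL) /usr/bin/systemctl restart nginx, \
            /usr/bin/apt
"""

def _split_cmds(spec):
    """Split a command list on commas that are not backslash-escaped."""
    return [c.strip() for c in re.split(r"(?<!\\),", spec) if c.strip()]

def audit_sudoers(text):
    """Return (who, command) pairs that grant a package tool directly."""
    aliases, rules = {}, []
    for raw in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = _split_cmds(cmds)
        elif "=" in line and not re.match(r"(Defaults|\w+_Alias)\b", line):
            lhs, _, rhs = line.partition("=")
            rules.append((lhs.split()[0], _split_cmds(rhs)))

    def expand(cmd, seen=()):
        # Drop a leading "(runas)" and tags such as "NOPASSWD:".
        cmd = re.sub(r"^(\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*", "", cmd)
        if cmd in aliases and cmd not in seen:
            for inner in aliases[cmd]:
                yield from expand(inner, seen + (cmd,))
        else:
            yield cmd

    return [(who, real)
            for who, cmds in rules
            for cmd in cmds
            for real in expand(cmd)
            if real and os.path.basename(real.split()[0]) in PKG_TOOLS]

if __name__ == "__main__":
    for who, cmd in audit_sudoers(SAMPLE):
        print(f"{who}: {cmd} grants a package tool directly; review")
```

The parser covers only simple user specifications and `Cmnd_Alias` lines; `visudo -c` remains the authority on whether a file is valid.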
