
Re: Debian package manager privilege escalation attack



Philipp Kern <pkern@debian.org> writes:

> You know that this is a bad idea (granting sudo to apt without a
> wrapper). I know that this is a bad idea. That was my point. Plus that
> this is a very common trope in multi-user settings that you want to hand
> out some privilege to install packages.

Right, but this is a sudo problem, not an apt problem (which I suspect you
agree with, but I think it's important to make it clear).  sudo makes it
very convenient to give direct access to regular tools and this is almost
always a mistake.  As you say, that's been long-standing sysadmin lore
that arguably even predates sudo and goes back to limited setuid shells
and other tricks.

If you want to give people escalated privilege to run a thing, that thing
should be a custom-written wrapper that does only one thing and only does
the thing that you want to let them do, not a general tool that may have
other options or may change later.  And ideally you do it via an RPC
because setuid programs in UNIX are a giant pile of foot-guns.  Otherwise,
just be aware that you're basically trusting them with root with slightly
better logging and don't rely too much on the security boundary.

I think it's in some ways unfortunate that sudo has become so popular
because it makes this mistake so easy and so common.  I have found
privilege escalation vulnerabilities in almost every non-trivial sudo
configuration that I've looked at, not due to some bug in sudo but due to
bugs in the understanding of sudo and what it can and can't do by the
people writing the configuration.  It is *extremely hard* to configure
sudo correctly in anything other than "logged access to root" mode.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
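As an added example that is not part of the thread, the single-purpose wrapper approach the post recommends, next to the sudoers line it replaces. The group name, wrapper path and package allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a one-job wrapper of the kind the post
# recommends, plus the sudoers lines involved.
#
# The pattern the post calls a mistake (hypothetical group name):
#   %pkgadmins ALL=(root) NOPASSWD: /usr/bin/apt
# apt accepts many options and config overrides, so that line is effectively
# root. The wrapper approach instead grants only this script (hypothetical path):
#   %pkgadmins ALL=(root) NOPASSWD: /usr/local/sbin/install-approved-pkg
#
# The wrapper takes exactly one argument, checks it against a fixed allowlist,
# and never forwards caller-controlled options to apt.

APPROVED_PKGS="htop tmux tree"   # constructed allowlist for the example

# Return 0 if "$1" is a single approved package name, 1 otherwise. Anything
# that is not a plain Debian package name (options, paths, spaces, shell
# metacharacters) is rejected before it can reach apt-get.
is_approved_pkg() {
    pkg=$1
    # Debian package names use only lowercase letters, digits, + - . and
    # cannot start with '-'.
    case $pkg in
        ''|-*|*[!a-z0-9+.-]*) return 1 ;;
    esac
    for allowed in $APPROVED_PKGS; do
        [ "$pkg" = "$allowed" ] && return 0
    done
    return 1
}

# Build the exact command the wrapper would run. Returned as a string so the
# validation can be exercised without root; "--" ends option parsing.
build_install_cmd() {
    is_approved_pkg "$1" || return 1
    printf '%s\n' "/usr/bin/apt-get install --no-install-recommends -y -- $1"
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 PACKAGE" >&2; exit 2; }
    cmd=$(build_install_cmd "$1") || { echo "refused: $1" >&2; exit 1; }
    # sudo applies env_reset by default; pin PATH anyway rather than inherit it.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
    exec $cmd
}

# Run main only when installed under the wrapper's name, not when sourced.
case $0 in */install-approved-pkg|install-approved-pkg) main "$@" ;; esac
```

The wrapper must be root-owned and not writable by the group it is granted to, or the sudoers line is again equivalent to root.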

