
Bug#930428: debootstrap should ensure matching _apt uid



On Thu, 20 Jun 2019 09:32:17 +0200
Ansgar Burchardt <ansgar@43-1.org> wrote:

> I don't think it is a good idea to require debootstrap to know about
> such details.

_apt user is standard to debian, but not its uid

the _apt user is created by the apt postinst, that cannot know anything
about the host system from where debootstrap was launched, so
debootstrap seems to me the only place where this functionality can be
added


> For limiting network access, I would recommend instead using network
> namespaces (to only provide limited network access for all processes)
> and/or user namespaces (if filtering for single UIDs is really
> needed). These do not require any uids to match between in- and
> outside.

filtering out the root user is a pretty common security practice and
setting an iptables rule on uids is simple for system administrators

using namespaces, how can you block any user but not the _apt user if it
is not already created?

just my 2 cents :)
ciao!

P.S.: the patch seems ok to me, I don't like hard-coding the _apt user
line in /etc/passwd, as apt postinst uses adduser, but it's not clear
to me when adduser is installed during debootstrap
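
The uid-matching concern raised in this message, as an added example that is not part of the original mail or of debootstrap: a uid-based iptables rule is evaluated against numeric uids, so this check compares the number behind `_apt` in a host passwd file and in a debootstrap target's passwd file. The function names, exit codes and passwd contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All passwd contents are constructed.
# A uid-based firewall rule is evaluated against numeric uids, so what matters
# is the number behind "_apt" in each passwd file, not the name.

# passwd_uid FILE USER: print USER's uid from FILE; status 1 if USER is absent.
passwd_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; found = 1; exit }
                       END { exit !found }' "$1"
}

# passwd_name FILE UID: print the account name that owns UID in FILE, if any.
passwd_name() {
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

# check_apt_uid HOST_PASSWD TARGET_PASSWD
# status 0: uids match; 1: mismatch; 2: _apt not yet in target; 3: not on host.
check_apt_uid() {
    host_uid=$(passwd_uid "$1" _apt) || { echo "no _apt in $1"; return 3; }
    target_uid=$(passwd_uid "$2" _apt) || { echo "no _apt in $2 yet"; return 2; }
    if [ "$host_uid" = "$target_uid" ]; then
        echo "ok: _apt is uid $host_uid on both sides"
        return 0
    fi
    # Show which host account a rule on the target's uid would really affect.
    other=$(passwd_name "$1" "$target_uid")
    echo "mismatch: host _apt=$host_uid, target _apt=$target_uid" \
         "(host sees target uid as: ${other:-no account})"
    return 1
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample files: host and target disagree on the _apt uid.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'messagebus:x:100:101::/nonexistent:/usr/sbin/nologin' \
        '_apt:x:104:65534::/nonexistent:/usr/sbin/nologin' > "$d/host"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        '_apt:x:100:65534::/nonexistent:/usr/sbin/nologin' > "$d/target"
    check_apt_uid "$d/host" "$d/target" || echo "status $?"
    rm -rf "$d"
}
demo
```

Status 2 covers the case the message points at: a target in which the apt postinst has not yet created `_apt`.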

