Bug#930428: debootstrap should ensure matching _apt uid

[Ansgar Burchardt <"Ansgar Burchardt"@43-1.org>]

Trek writes:
> Ansgar Burchardt wrote:
>> For limiting network access, I would recommend instead using network
>> namespaces (to only provide limited network access for all processes)
>> and/or user namespaces (if filtering for single UIDs is really
>> needed). These do not require any uids to match between in- and
>> outside.
>
> filtering out the root user is a pretty common security practice and
> setting an iptables rule on uids is simple for system administrators

So you don't run sshd (requires root with network access)?  That seems
rather uncommon to me.

> using namespaces, how can you block any user but not the _apt user if it
> is not already created?

You look up which uid the _apt user inside the chroot has and use that.

> P.S.: the patch seems ok to me, I don't like hard-conding the _apt user
> line in /etc/passwd, as apt postinst uses adduser, but it's not clear
> to me when adduser is installed during debootstrap

You cannot use `adduser` as debootstrap might install binaries you
cannot execute (in the first stage).

But the effects of the patch are different from calling adduser, for
example the _apt user it creates has no entry in /etc/shadow.  Such
inconsistencies are not good.

Ansgar