On 20/06/2019 20:22, Ansgar Burchardt wrote:
> Trek writes:
>> Ansgar Burchardt wrote:
>>> For limiting network access, I would recommend instead using network namespaces (to only provide limited network access for all processes) and/or user namespaces (if filtering for single UIDs is really needed). These do not require any uids to match between in- and outside.
>>
>> filtering out the root user is a pretty common security practice and setting an iptables rule on uids is simple for system administrators
>
> So you don't run sshd (requires root with network access)? That seems rather uncommon to me.

There is a difference between running an sshd that only listens and allowing outbound connections as root, though. But that's a tangent.

>> using namespaces, how can you block any user but not the _apt user if it is not already created?
>
> You look up which uid the _apt user inside the chroot has and use that.

Yeah, but that scales poorly if you have a centralized firewall policy. It means that you need to maintain dynamic rules. I know it's possible and you can dedicate a chain to it. At the same time I think this problem is actually common enough that it deserves a solution.

>> P.S.: the patch seems ok to me, I don't like hard-coding the _apt user line in /etc/passwd, as apt postinst uses adduser, but it's not clear to me when adduser is installed during debootstrap
>
> You cannot use `adduser` as debootstrap might install binaries you cannot execute (in the first stage). But the effects of the patch are different from calling adduser, for example the _apt user it creates has no entry in /etc/shadow. Such inconsistencies are not good.

Yeah, that's certainly not desirable. But there's also a limited amount of places (like /etc/shadow) that need to be touched in addition.

Kind regards
Philipp Kern
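As an added illustration of the two points discussed in the thread (looking up the `_apt` uid inside the chroot to build an owner-match firewall rule, and the passwd/shadow inconsistency a hand-written passwd line leaves behind), here is a small POSIX shell script. It is not part of the thread or of debootstrap: the chroot tree, its passwd and shadow contents, and the function names are all constructed for the example. The `iptables -m owner --uid-owner` and `-m conntrack --ctstate` matches are real; the rules are only printed, not applied, so the script runs without privileges. The leading ESTABLISHED,RELATED rule is what lets a root-owned listener such as sshd keep answering while new outbound connections as root are refused, the distinction made above.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from debootstrap.
# All paths and file contents below are constructed for the demonstration.

# lookup_uid PASSWD_FILE USER -> prints USER's numeric uid; exit 1 if absent.
lookup_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; found = 1 } END { exit !found }' "$1"
}

# has_shadow_entry SHADOW_FILE USER -> exit 0 if USER has a line in SHADOW_FILE.
has_shadow_entry() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# owner_rules UID -> prints an OUTPUT chain that lets replies of existing
# connections through (so a listening sshd still works), allows new
# outbound traffic only for UID, and rejects new outbound traffic as root.
owner_rules() {
    printf 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$1"
    printf 'iptables -A OUTPUT -m owner --uid-owner 0 -j REJECT\n'
}

# apt_rules CHROOT -> prints owner rules for the _apt uid found in CHROOT's
# own /etc/passwd. Exit 2 if _apt is missing, exit 3 if /etc/passwd and
# /etc/shadow disagree (the inconsistency a raw passwd line produces).
apt_rules() {
    uid=$(lookup_uid "$1/etc/passwd" _apt) || return 2
    has_shadow_entry "$1/etc/shadow" _apt || return 3
    owner_rules "$uid"
}

# make_demo_chroot -> creates a throwaway tree whose passwd has an _apt line
# (uid 100, a constructed value) but whose shadow does not; prints its path.
make_demo_chroot() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        '_apt:x:100:65534::/nonexistent:/usr/sbin/nologin' > "$d/etc/passwd"
    printf '%s\n' 'root:*:18000:0:99999:7:::' > "$d/etc/shadow"
    echo "$d"
}

# Demonstration: the first call refuses because the shadow entry is missing;
# after the matching shadow line is added, the rules are printed.
demo=$(make_demo_chroot)
apt_rules "$demo" || echo "refusing to emit rules: apt_rules exit status $?"
printf '%s\n' '_apt:*:18000:0:99999:7:::' >> "$demo/etc/shadow"
apt_rules "$demo"
rm -rf "$demo"
```

In a real deployment the uid would be read from the chroot that debootstrap actually produced, and the rule would be placed in a dedicated chain so that the per-chroot value can be refreshed without touching the rest of the policy.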