On Sun, Nov 26, 2000 at 10:30:01PM -0500, Jonathan D. Proulx wrote: > > I don't think you can do what you want without a good bit of code > hacking. One of the big stumbling blocks here is that .deb's are > essentially glorified tarballs and the install path cannot be simply > altered, then there's keeping track of who installed what, but > seperate cache directories could probably do that. the fact that .debs are tarballs is not the issue, you can install into a different path (dpkg supports this but only as root as it does chroot()) the real problem is many programs are compiled with some hard coded pathes. and second the post,pre install scripts assume root permission and standard install locations. > Check out sudo, this way you can give users access to root level > programs on a per user per command basis. Perhaps you could code up a > wrapper for apt-get that would set the magic options then give the > user access to this... this would almost certainly give the user full root access, all they need to do is find a package with a security hole and install it, or if they can get an arbitrary package installed they could install suidrootshell.deb. another thing about apt-get via sudo is interactive postinst scripts, i have not tried this but i suspect you would be able to easily get a root shell when a interactive postinst runs. in fact im sure of it, all it would take is a `replace modified config file?' question, simply choose the [d]iff option which pipes it through less which supports shell escapes, bingo, root shell. my suggestion: user downloads source ./configure --prefix=$HOME/usr make make install or just nag you to install a package. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgp5rxINrb7v5.pgp
Description: PGP signature