
Re: Debian package manager privilege escalation attack



On Thu, 2021-08-12 at 08:32 +0200, Vincent Bernat wrote:
> I give myself passwordless sudo to "apt update" (without additional
> options), "apt upgrade" (same), "apt full-upgrade" (same). I was
> thinking this should be safe, but now I need to check if the pager is
> properly restricted when displaying NEWS file.

These are not safe to be run under `sudo` without giving the invoking
user full access. As a random example: dpkg's conffile prompt offers to
open a shell.

For the same reason "apt install [package-name]" is unsafe as well even
when you ensure that "[package-name]" only contains characters from the
set [a-z0-9A-Z-] and does not start with a "-".

As another example, being able to answer debconf prompts from certain
packages is likely also root-equivalent.

If you want unprivileged users to manage (install, remove, update)
packages, then I believe PackageKit[1] tries to offer this.

Ansgar

  [1]: https://www.freedesktop.org/software/PackageKit/
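
A defender-side check for the kind of sudoers grant discussed in this thread, as an added example that is not part of the original message: it lists every rule that lets a user run a package front-end as root, including rules hidden behind a `Cmnd_Alias`. The sudoers sample, the user names and the `PKG_TOOLS` set are constructed assumptions, and the parser handles only simple user specifications and command aliases.

```python
import re
import shlex
# Tools that reach dpkg conffile or debconf prompts (assumed set; extend per site).
PKG_TOOLS = {"apt", "apt-get", "aptitude", "dpkg"}
# Constructed sudoers sample, not taken from the original message.
SAMPLE = r"""
Defaults env_reset
Cmnd_Alias PKG = /usr/bin/apt update, /usr/bin/apt upgrade, \
                 /usr/bin/apt full-upgrade
alice ALL = (root) NOPASSWD: PKG
bob   ALL = (root) NOPASSWD: /usr/bin/apt install *, /usr/bin/ss -tlnp
"""

def logical_lines(text):
    """Join backslash continuations; drop blanks and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            out.append(line)
    return out

def audit(text):
    """Return (user, command) pairs that grant a package tool via sudo."""
    lines, aliases, findings = logical_lines(text), {}, []
    for line in lines:  # first pass: collect Cmnd_Alias definitions
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for line in lines:  # second pass: user specifications
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)  # drop "(runas)"
        for cmd in spec.split(","):
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", cmd).strip()  # drop tags
            for real in aliases.get(cmd, [cmd]):
                words = shlex.split(real)
                if words and words[0].rsplit("/", 1)[-1] in PKG_TOOLS:
                    findings.append((who.split()[0], real))
    return findings

if __name__ == "__main__":
    for user, cmd in audit(SAMPLE):
        print(f"{user}: '{cmd}' is root-equivalent when run via sudo")
```
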

