
Re: Debian package manager privilege escalation attack



On 8/12/21 2:32 AM, Vincent Bernat wrote:
>  ❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
>
>>> I just ran across this article
>>> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
>>> the attacks on Debian 11 and they work successfully giving me a root
>>> shell prompt.
>>
>> I don't think calling this "privilege escalation" or "attack" is correct.
>> The premise of the post is "the user should not be a root/admin user but
>> has been assigned sudo permissions to run the package manager" and one
>> doesn't really need a long article to prove that it's not secure.
>
> I think the article is interesting nonetheless. Some people may think
> that granting sudo on apt is OK. In the past, I think "apt install
> ./something.deb" was not possible.

Random thought: could it be possible to restrict non-sudo users to installing packages from repos that are signed by a GPG key that is already trusted by the system (the Debian archive key)? That way this attack could not be carried out. Then add a Unix group that allows apt installation from trusted repos, make apt setuid so it can do the privileged operations, and have it check that the user is root or part of the non-privileged group.

Just my $0.02.

Kyle
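
Added example (not part of the thread or of any Debian tool): since the thread's premise is that a sudo rule for the package manager is effectively a root grant, this sketch scans sudoers text and reports every rule that delegates one. The sample rules, the function names and the list of binaries are assumptions made for illustration, and the parser is simplified (no #include handling, no User_Alias expansion).

```python
import re

# Debian package-manager front ends; the thread's point is that sudo on these equals root.
PKG_MANAGERS = {"apt", "apt-get", "aptitude", "dpkg"}

# Constructed sample sudoers content (not taken from the thread).
SAMPLE = r"""
# constructed example rules
Cmnd_Alias PKG = /usr/bin/apt, \
                 /usr/bin/apt-get update
Defaults env_reset
alice ALL=(root) NOPASSWD: PKG
bob   ALL=(ALL) /usr/sbin/ufw status
%ops  ALL=(root) /usr/bin/aptitude, /usr/bin/ss -tlnp
"""

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: also drops #include lines
        if line:
            yield line

def find_pkg_manager_grants(text):
    """Return (who, command) pairs for rules that allow a package manager."""
    aliases, findings = {}, []
    for line in logical_lines(text):
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
            continue
        parts = line.split(None, 1)
        if (len(parts) < 2 or "=" not in parts[1]
                or parts[0].endswith("_Alias") or parts[0].startswith("Defaults")):
            continue  # not a user specification
        who, cmds = parts[0], parts[1].split("=", 1)[1]
        cmds = re.sub(r"\([^)]*\)", "", cmds)   # strip the Runas list, e.g. (root)
        cmds = re.sub(r"\b[A-Z_]+:", "", cmds)  # strip tags such as NOPASSWD:
        for item in (c.strip() for c in cmds.split(",")):
            for cmd in aliases.get(item, [item]):  # expand Cmnd_Alias names
                words = cmd.split()
                if words and words[0].rsplit("/", 1)[-1] in PKG_MANAGERS:
                    findings.append((who, cmd))
    return findings

if __name__ == "__main__":
    for who, cmd in find_pkg_manager_grants(SAMPLE):
        print(f"{who}: sudo rule allows package manager: {cmd}")
```

On a real system the same function would be run over /etc/sudoers and each file in /etc/sudoers.d, read as root.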

