Bug#763399: Hardening dpkg/apt

To: 763399@bugs.debian.org
Subject: Bug#763399: Hardening dpkg/apt
From: Trek <trek00@inbox.ru>
Date: Sun, 15 Feb 2015 23:25:37 +0100
Message-id: <[🔎] 20150215232537.070b7555@enterprise>
Reply-to: Trek <trek00@inbox.ru>, 763399@bugs.debian.org

I never submitted a bugreport for that, as I thought it was too
paranoid for debian, but while the new version of apt uses a similar
method, I want to share the one I used since wheezy to drop privileges:

adduser --system --home /var/lib/apt --no-create-home --group apt 
dpkg-statoverride --update --add apt apt 755 \
 /var/cache/apt/archives/partial 
dpkg-statoverride --update --add apt apt 755 /var/lib/apt/lists/partial 
install -m 700 -d /root/.aptitude
cp -a /usr/lib/apt/methods ~/.aptitude
chown apt:apt /root/.aptitude/methods/{ftp,http,mirror,rsh}
chmod 6755 /root/.aptitude/methods/{ftp,http,mirror,rsh}


now you can launch apt-get or aptitude setting the Dir::Bin::Methods
configuration option to /root/.aptitude/methods, for example:

apt-get -o Dir::Bin::Methods=/root/.aptitude/methods install aptitude


or creating the file /root/.aptitude/config with this content:

Dir "/";
Dir::Bin "";
Dir::Bin::Methods "/root/.aptitude/methods";


thanks to the modular design of apt-get, this solution is applicable
for the wheezy/jessie users, as you don't even need to modify the
source, but you must take care to upgrade the files
on /root/.aptitude/methods/* every time the apt package is updated

ciao!

Reply to:

Prev by Date: Bug#778375: apt-transport-https: segfaults
Next by Date: Bug#778375: apt-transport-https: segfaults
Previous by thread: Bug#778375: marked as done (apt-transport-https: segfaults)
Next by thread: Bug#80123: Interested
Index(es):
- Date
- Thread