Bug#763399: Hardening dpkg/apt
I never submitted a bug report for that, as I thought it was too
paranoid for Debian, but while the new version of apt uses a similar
method, I want to share the one I have used since wheezy to drop privileges:

    adduser --system --home /var/lib/apt --no-create-home --group apt
    dpkg-statoverride --update --add apt apt 755 \
        /var/cache/apt/archives/partial
    dpkg-statoverride --update --add apt apt 755 /var/lib/apt/lists/partial
    install -m 700 -d /root/.aptitude
    cp -a /usr/lib/apt/methods ~/.aptitude
    chown apt:apt /root/.aptitude/methods/{ftp,http,mirror,rsh}
    chmod 6755 /root/.aptitude/methods/{ftp,http,mirror,rsh}

Now you can launch apt-get or aptitude setting the Dir::Bin::Methods
configuration option to /root/.aptitude/methods, for example:

    apt-get -o Dir::Bin::Methods=/root/.aptitude/methods install aptitude

or creating the file /root/.aptitude/config with this content:

    Dir "/";
    Dir::Bin "";
    Dir::Bin::Methods "/root/.aptitude/methods";

Thanks to the modular design of apt-get, this solution is applicable
for the wheezy/jessie users, as you don't even need to modify the
source, but you must take care to upgrade the files
in /root/.aptitude/methods/* every time the apt package is updated.
ciao!
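
The message ends on the caveat that the copies under /root/.aptitude/methods must be refreshed after every apt upgrade. The following is an added example, not part of the original message, that audits such a copy against the packaged methods and checks the privilege bits on the four network methods. The function name check_methods and its output labels are invented here, and stat -c assumes GNU coreutils as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit a private copy of the APT methods directory.
# Usage: check_methods [SRC] [DST] [OWNER]
# Defaults are the paths and the user name used in the message above.
check_methods() {
    src=${1:-/usr/lib/apt/methods}
    dst=${2:-/root/.aptitude/methods}
    owner=${3:-apt}
    rc=0
    for path in "$src"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        copy=$dst/$name
        if [ ! -e "$copy" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        # A copy that differs from the packaged file was not refreshed
        # after an apt upgrade and may lack that upgrade's fixes.
        if ! cmp -s "$path" "$copy"; then
            echo "STALE $name"; rc=1
        fi
        case $name in
        ftp|http|mirror|rsh)
            # The network methods are the ones made setuid+setgid (6755).
            if [ ! -u "$copy" ] || [ ! -g "$copy" ]; then
                echo "NOSUID $name"; rc=1
            fi
            # Setuid to anyone but the unprivileged user defeats the point.
            if [ "$(stat -c %U "$copy" 2>/dev/null)" != "$owner" ]; then
                echo "OWNER $name"; rc=1
            fi
            ;;
        esac
    done
    return $rc
}
```

Calling check_methods with no arguments after each apt upgrade prints one line per problem and returns non-zero if any was found.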