Hi,

On Thu, Jan 09, 2020 at 11:03:35AM +0100, Mikael Pahmp wrote:
> product (based on Yocto) using apt. The customer should only be allowed to
> install/alter software by installing packages signed by us. My idea is that

As that is pointing in the direction of "Tivoization" you will encounter at least some opposition. It also feels like the first thing many customers do in such a situation is look for a jailbreak, as they consider it an anti-feature (if not a reason not to buy). If it were me, I would invest more in the creation of features (hopefully) future customers can actually make use of rather than implementing reasons not to be customers, but that might be just my opinion.

> the user will not have root access but will be allowed to execute apt-get
> specifically using sudo from an "admin" user account (configured in
> /etc/sudoers). We will deliver the product with a pre-installed PGP key
> with which packages should be approved.

You don't want to expose apt (and many other) tools directly in that case. You will need a wrapper. Debian Developers have access to porterboxes and are allowed to run certain apt commands there (chrooted though, but chroots can be escaped, so that is why) via the wrapper dd-schroot-cmd:
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/porterbox/files/dd-schroot-cmd

Of course, that is only slightly related to your use case, and DDs are (to a certain degree) well-behaved.

> Do you think it is possible at all to get the "security" we want this way?

It certainly is possible, but apt is not designed in a way that would make that particularly easy. There are countless ways of allowing a user who can run apt to gain root, simply because apt assumes that a user who can run it is root already. Stuff like hooks, APT_CONFIG and direct .deb-file installation can't be features if you don't trust your users.

Best regards

David Kalnischkies
Attachment:
signature.asc
Description: PGP signature
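A wrapper of the kind the reply points at, added here as an example. It is not code from the message, from dd-schroot-cmd or from apt; the sudoers entry, the install path /usr/local/sbin/apt-wrapper, the location of the apt-get binary and the list of permitted subcommands are all assumptions. The idea is that sudo grants the wrapper rather than apt-get, and the wrapper accepts only a bare subcommand followed by plain package names, so that none of the routes the message lists (configuration injection via -o, -c or APT_CONFIG, which can set root-executed hooks, and installation of a local .deb that never passed the archive signature check) can be reached through the arguments.

```shell
#!/bin/sh
# Added example: a sudo wrapper for apt-get in the spirit of dd-schroot-cmd.
# Not code from the message, from dd-schroot-cmd or from apt; the sudoers line,
# the install path and the list of allowed subcommands are assumptions.
#
# Instead of granting "sudo apt-get", /etc/sudoers grants only this script
# (hypothetical entry):
#
#   %admin ALL=(root) NOPASSWD: /usr/local/sbin/apt-wrapper
#
# The escalation routes the message names all enter through apt-get's option and
# argument surface: -o/-c and APT_CONFIG inject configuration (and so hooks such
# as Dpkg::Pre-Invoke, which run as root), and "apt-get install ./x.deb" installs
# a local file that never passed the archive signature check. The wrapper
# therefore accepts only a bare subcommand followed by plain package names.

LC_ALL=C; export LC_ALL                  # make the bracket ranges below mean ASCII
APT_GET=/usr/bin/apt-get                 # assumption: location of the real binary

# Return 0 when "$@" is an allowed apt-get invocation, 1 otherwise.
apt_wrapper_validate() {
    [ $# -ge 1 ] || return 1
    sub=$1
    shift
    case $sub in
        update|upgrade|dist-upgrade|autoremove)
            [ $# -eq 0 ] || return 1     # these take no arguments at all
            ;;
        install|remove)
            [ $# -ge 1 ] || return 1     # must name at least one package
            ;;
        *)
            return 1                     # no download/source/changelog, and no option as first word
            ;;
    esac
    for arg in "$@"; do
        case $arg in
            -*) return 1 ;;              # every option, in particular -o, -c and --
            */*) return 1 ;;             # local paths (./x.deb) and pkg/suite targeting
            *.deb|*.ddeb|*.dsc|*.changes) return 1 ;;  # archive files even without a slash
            *=*|*:*) return 1 ;;         # pkg=version and pkg:arch, also any key=value look-alike
        esac
        # Debian package-name syntax: alphanumeric start, then [a-z0-9+.-], two chars or more.
        # The bracket allowlist also rejects whitespace and newlines embedded in an argument.
        case $arg in
            [!a-z0-9]*) return 1 ;;
            *[!a-z0-9+.-]*) return 1 ;;
        esac
        [ ${#arg} -ge 2 ] || return 1
    done
    return 0
}

# Validate, scrub the environment, then run the real apt-get. Returns 2 on refusal.
apt_wrapper_run() {
    if ! apt_wrapper_validate "$@"; then
        echo "apt-wrapper: refused: $*" >&2
        return 2
    fi
    unset APT_CONFIG                     # sudo's env_reset should already drop it; belt and braces
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
    DEBIAN_FRONTEND=noninteractive "$APT_GET" -q -y "$@"
}

# Entry point when installed as /usr/local/sbin/apt-wrapper; sourcing the file runs nothing.
if [ "${0##*/}" = "apt-wrapper" ]; then
    apt_wrapper_run "$@"
fi
```

This only closes the routes that arrive through argv and the environment; it does not make the message's warning go away. The admin account must also have no write access to /etc/apt (sources.list, apt.conf.d, trusted.gpg.d) and sudo must keep env_reset, otherwise the same configuration injection comes back through the file system. Maintainer scripts of packages installed from the signed archive still run as root, which is the trust relationship the signing key is meant to express.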