我正在寻找一种方法,允许用户通过(或其他机制?)安装(仅远程)包,apt-get但不允许用户以 root 身份运行任意命令。
我可以得到一些通过 /etc/sudoers 到达那里。假设我的 /etc/sudoers 文件中有这个
root ALL=(ALL:ALL) ALL
john ALL=NOPASSWD:/usr/bin/apt,/usr/bin/apt-get
然后 John 似乎只能通过 运行和apt。但是……似乎有办法以root 身份退出到 shell(apt-getsudoapt-gethttps://blog.ikuamike.io/posts/2021/package_managers_privesc/):
- 输入
sudo apt-get changelog apt并按回车键 - 输入感叹号
!并按回车键 - 你现在以 root 身份进入 shell,可以执行任何操作
或者运行以下命令:
sudo apt update -o APT::Update::Pre-Invoke::="/bin/bash"
如果有什么不同的话,这是在 Docker 中
现已发布于https://serverfault.com/q/1089874/166779,因为我认为这是更合适的网站
答案1
这是我的尝试,因此用户将习惯sudo运行此脚本,但不能运行其他脚本。
#!/bin/bash
# This script wraps `apt update` and `apt install`, but attempts to forbid
# arbitrary commands being able to be run by the user as root. It exists
# because allowing the user to `sudo apt` would allow
# `sudo apt changelog apt`, which runs `less` which then would allows the
# user to escape into the shell.
# But, full access to `apt update` and `apt install` still cannot be given,
# since there are 3 ways they can be used to run arbitrary commands
#
# 1. Via options in the APT_CONFIG environment variable
# 2. Via command line options, such as '-o' to specify scripts to run
# 3. Via a local package that contains custom install script(s)
#
# So this script attempts to forbid the 3 above possibilities
# 1. Clear any options in the APT_CONFIG environment variable
export APT_CONFIG=''
# 2. and 3. Forbid command line options or local packages
for var in $*
do
if [[ ${var::1} == "/" || ${var::1} == "." || ${var::1} == "-" ]]
then
echo "E: It's forbidden to install a local package or pass an option"
exit 1
fi
done
# Update, and install requested packages
apt update
apt install -y $*