APT 1.1~exp3 released to experimental: First step to sandboxed fetcher methodsSep 24, 2014 · 1 minute read · Comments
Today, we worked, with the help of ioerror on IRC, on reducing the attack surface in our fetcher methods.
There are three things that we looked at:
Reducing privileges by setting a new user and group
Today, we implemented the first of them. Starting with 1.1~exp3, the APT directories /var/cache/apt/archives and /var/lib/apt/lists are owned by the “_apt” user (username suggested by pabs). The methods switch to that user shortly after the start. The only methods doing this right now are: copy, ftp, gpgv, gzip, http, https.
If privileges cannot be dropped, the methods will fail to start. No fetching will be possible at all.
We drop all groups except the primary gid of the user
copy breaks if that group has no read access to the files
We plan to also add chroot() and seccomp sandboxing later on; to reduce the attack surface on untrusted files and protocol parsing.