Création d'un wrapper pour sécuriser apt-dater

Ce qui suit n'a jamais été aperçu en état de marche, il est donc déconseillé de l'appliquer sans autre forme de procès.

À placer dans /usr/local/bin/apt-dater-host-wrapper

#!/bin/sh
 
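# Fail closed: abort on any unhandled command failure (-e) and on any
# reference to an unset variable (-u).
set -e
set -u

# Explicitly set the PATH to that of ENV_SUPATH in /etc/login.defs and clear
# various other variables, so that nothing inherited from the caller's
# environment decides which binaries are run below. For details, see:
# https://wiki.ubuntu.com/SecurityTeam/AppArmorPolicyReview#Execute_rules
# The /usr/local directories come first in this PATH, so they must be
# writable by root only: the first apt-dater-host found is the one executed.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export ENV=
export CDPATH=

# Helper binaries are referenced by absolute path.
LOGGER="/usr/bin/logger"
KILL="/bin/kill"
SLEEP="/bin/sleep"

# Resolve apt-dater-host against the pinned PATH above. `command -v` is the
# POSIX lookup and replaces the external, non-standard `which`. A failed
# lookup is logged and ends the script instead of relying on `set -e` alone.
APT_DATER_HOST="$(command -v apt-dater-host)" || {
  "$LOGGER" "${0##*/} apt-dater-host not found in PATH"
  exit 1
}

# Install command allowed? Only when the wrapper's sole argument is exactly
# --install-allowed; any other argument list leaves installs denied.
INSTALL_ALLOWED="false"
if [ "$#" -eq 1 ] && [ "$1" = "--install-allowed" ]; then
  INSTALL_ALLOWED="true"
fi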
 
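#######################################
# Deny the request: log the refusal, kill the parent process and exit.
# Globals:   LOGGER, KILL, PPID (read)
# Arguments: none
# Outputs:   one syslog line via $LOGGER
# Returns:   never returns; the script exits with status 0
#######################################
illegal_command() {
  # Do not log SSH_ORIGINAL_COMMAND for security reasons: it is
  # client-supplied text and must not end up verbatim in the logs.
  # ${0##*/} is the script's base name, without forking basename and
  # without word-splitting an unquoted $0.
  "$LOGGER" "${0##*/} illegal command denied"
  # Default deny: SIGKILL the parent process (presumably the sshd process
  # serving this session -- confirm), so the connection is dropped at once.
  "$KILL" -9 "$PPID"
  exit 0
}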
 
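#######################################
# Validate an already word-split SSH command line and run the matching
# apt-dater-host sub-command. Anything not explicitly allowed is denied.
# Globals:   APT_DATER_HOST, SLEEP, INSTALL_ALLOWED (read)
#            COMMAND (written)
# Arguments: $1   - must be the literal word "apt-dater-host"
#            $2   - sub-command: refresh, kernel, upgrade or install
#            $3.. - package arguments (used by install only)
# Returns:   the status of apt-dater-host (or of the sleep that follows a
#            successful upgrade/install); does not return on denial,
#            because illegal_command exits.
#######################################
check_ssh_command() {
  if [ "$#" -lt 2 ]; then
    # not in the form of apt-dater-host upgrade
    illegal_command
  fi

  if [ "$1" != "apt-dater-host" ]; then
    # not invoking apt-dater-host
    illegal_command
  fi
  # Drop the 1st arg; the fully qualified path in APT_DATER_HOST is used
  # in its place, so the client never chooses which binary is run.
  shift

  COMMAND="$1"
  shift

  case "$COMMAND" in
    refresh | kernel)
      "$APT_DATER_HOST" "$COMMAND"
      ;;
    upgrade)
      # Don't kill the shell session right away when
      # upgrading/installing to please apt-dater
      "$APT_DATER_HOST" "$COMMAND" && "$SLEEP" 0.5
      ;;
    install)
      if [ "$INSTALL_ALLOWED" != "true" ]; then
        illegal_command
      fi
      # Package arguments come from the SSH client. A word starting with
      # "-" would be read as an option rather than a package name, so it
      # is refused.
      for pkg_arg in "$@"; do
        case "$pkg_arg" in
          -*) illegal_command ;;
        esac
      done
      # "$@" forwards each argument as one word; the unquoted $* used
      # before re-split and glob-expanded the arguments a second time.
      "$APT_DATER_HOST" "$COMMAND" "$@" && "$SLEEP" 0.5
      ;;
    *)
      # Default deny: an unknown sub-command used to fall through
      # silently with a success status.
      illegal_command
      ;;
  esac
}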
 
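# Entry point: decide whether the command requested by the SSH client may run.
# ${VAR:-} keeps `set -u` from aborting when SSH_ORIGINAL_COMMAND is unset
# (a session opened without a command); without it the shell stops with an
# "unset variable" error and the denial below is never logged.
if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
  illegal_command
fi

# The request is word-split on purpose further down. Turn pathname expansion
# off first so that *, ? and [ in client-supplied text are never expanded
# against the files of the current directory.
set -f

case "$SSH_ORIGINAL_COMMAND" in
  # Shell metacharacters are refused outright. Nothing in this script
  # re-parses the string as shell code, so this is defence in depth;
  # "<" and "$" complete the original list.
  *\&* | *\(* | *\{* | *\;* | *\>* | *\<* | *\`* | *\|* | *\$*)
    illegal_command
    ;;
  # Exact matches only: these sub-commands take no arguments.
  "apt-dater-host refresh" | "apt-dater-host upgrade" | "apt-dater-host kernel")
    # shellcheck disable=SC2086 -- word splitting is intentional here
    check_ssh_command $SSH_ORIGINAL_COMMAND
    ;;
  # install takes a package list; check_ssh_command decides whether
  # installs are permitted at all.
  "apt-dater-host install "*)
    # shellcheck disable=SC2086 -- word splitting is intentional here
    check_ssh_command $SSH_ORIGINAL_COMMAND
    ;;
  # Default deny.
  *)
    illegal_command
    ;;
esac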

Sans oublier de le rendre exécutable :

# Mode 0755: only the file's owner may modify the wrapper; everyone may read
# and execute it.
# NOTE(review): chmod does not change ownership -- confirm the file is owned
# by root, since whoever can write it controls what the wrapper allows.
chmod 0755 /usr/local/bin/apt-dater-host-wrapper