
Chaque serveur de FedeRez est configuré pour être mis à jour via apt-dater (http://www.ibh.de/apt-dater/).

Infos générales

TODO

Mise en place

Liens (potentiellement) utiles

Installation sur les machines managées

Installation du paquet :

# Agent side of apt-dater: provides /usr/bin/apt-dater-host, the only
# program the SSH forced command below is allowed to run.
apt-get install apt-dater-host

Configuration

Ajout d'un utilisateur dédié

# Dedicated unprivileged system account (no password, home under /var/lib).
# The shell must be a real one (/bin/sh, not nologin): sshd runs the
# command="..." forced command through the account's shell.
adduser --quiet --system --home /var/lib/aptdater --group --shell /bin/sh aptdater

Configuration de SSH pour apt-dater

On n'autorise que les connexions par clef, depuis certaines adresses IP (option `from=`), et la clef ne peut exécuter que le wrapper de sécurisation décrit plus bas (option `command=`). Attention : `command=` n'empêche ni le port forwarding ni l'agent forwarding ; il faut donc aussi ajouter `no-port-forwarding,no-agent-forwarding` aux options de la clef (et `no-pty` si la session d'upgrade interactive d'apt-dater fonctionne sans tty sur vos hôtes — à vérifier) :

# Created by root (hence owned by root for now); ownership is handed over to
# aptdater by the chown -R once the key has been written.
mkdir -m 0700 ~aptdater/.ssh

Ajout de la clef d'un admin dans le authorized_keys d'aptdater:

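# Key options: the forced command is the only thing this key can run, and the
# connection must come from one of the listed addresses. command= alone does
# NOT block TCP/agent forwarding, so those are denied explicitly as well.
# Append " --install-allowed" to the command= string to let the wrapper accept
# "apt-dater-host install <pkg>..." for this key.
# (Quoted delimiter: the key material is written literally, nothing expanded.)
cat << 'EOF' >> ~aptdater/.ssh/authorized_keys
command="exec /usr/local/bin/apt-dater-host-wrapper",no-user-rc,no-X11-forwarding,no-port-forwarding,no-agent-forwarding,from="5.135.159.117,2001:41d0:8:d975::1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpwXiaxQhSI/9jyxmsVewnsBQeBNWZZhoZaGfpFHWsciy1j/+hC5ectW6kvsbm6mf4YkKx2Hc29oRSm7lsyv3+itBS5HbnzHtdbaKTeWKZIhXI/TlMw8RA0+5qX9vKT0sJhkqFyZoXRpw9tKh7+zehez1FFJV60y8U/qm4mXlgiLZcVh4hXG+U7JfxYAQntWf47sNNoqG06CVFTJs8NR6WE6kpvZTNZrBoHwzdVbPKKaRRrgjyUx7Qxb/1XUnv+Iwe5ZYUlyMF+2jAM1YXk9+fnCkaEIWsJTHEsrVGZaUlDu9qVQOUun4B2kU8pqUK9oqKp7svsqtboi5mWGhcNkMN zertrin@gmail.com
EOF
# Hand the directory to the account and keep the key file private (sshd's
# StrictModes refuses group/world-writable authorized_keys).
chown -R aptdater: ~aptdater/.ssh
chmod 0600 ~aptdater/.ssh/authorized_keys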

Configuration de sudo pour apt-dater

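# Exact apt-get command lines apt-dater-host may run as root. sudo matches the
# whole argument list, so nothing else (in particular "apt-get install ...")
# is permitted. --allow-unauthenticated only appears together with
# --simulate, which never installs anything.
cat << "EOF" > /etc/sudoers.d/apt-dater-host
# package installation is denied
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get update
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get clean
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get dist-upgrade
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get --assume-yes dist-upgrade
aptdater ALL = (root) NOPASSWD: /usr/bin/apt-get --quiet --simulate --fix-broken --allow-unauthenticated dist-upgrade
EOF
chmod 0440 /etc/sudoers.d/apt-dater-host
# Validate the drop-in now: a syntax error in it would otherwise only show up
# when sudo refuses the next command on this host.
visudo -c -f /etc/sudoers.d/apt-dater-host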

Limitation de la priorité d'apt-dater (optionnel)

# limits.conf entry (read by pam_limits): hard and soft ("-") "priority" 10,
# i.e. the nice value the aptdater account's processes run at, so that
# upgrades do not compete with the host's regular services.
printf "aptdater\t-\tpriority\t10\n" > /etc/security/limits.d/aptdater.conf

Création d'un wrapper pour sécuriser apt-dater

À placer dans /usr/local/bin/apt-dater-host-wrapper

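#!/bin/sh
#
# Forced-command wrapper for the "aptdater" SSH account (see the command="..."
# option in its authorized_keys). sshd hands the client's requested command
# line over in SSH_ORIGINAL_COMMAND; only a fixed set of apt-dater-host
# invocations is let through, anything else is logged and the session is
# torn down. Passing --install-allowed as the wrapper's single argument
# additionally permits "apt-dater-host install <pkg>...".
#
# Nothing here is ever passed to a shell for evaluation: the request is only
# word-split and handed to apt-dater-host as separate arguments.

set -e
set -u
# No pathname expansion: the request is word-split below and a client-supplied
# "*" must not be expanded against the current directory.
set -f

# Explicitly set the PATH to that of ENV_SUPATH in /etc/login.defs and unset
# various other variables. For details, see:
# https://wiki.ubuntu.com/SecurityTeam/AppArmorPolicyReview#Execute_rules
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export ENV=
export CDPATH=

LOGGER="/usr/bin/logger"
# Fails closed: under set -e a missing apt-dater-host aborts the script here.
APT_DATER_HOST="$(command -v apt-dater-host)"
KILL="/bin/kill"
SLEEP="/bin/sleep"

# Install command allowed? Only when the key's command= line says so.
INSTALL_ALLOWED="false"
if [ "$#" -eq 1 ] && [ "$1" = "--install-allowed" ]; then
  INSTALL_ALLOWED="true"
fi

# Default deny. The client-supplied command is deliberately not logged (it may
# contain anything); the session is dropped by killing the parent process
# that spawned us.
illegal_command() {
  $LOGGER "${0##*/} illegal command denied"
  $KILL -9 "$PPID"
  exit 0
}

# Accept only something that looks like a plain package spec: the characters
# apt-get uses for names plus the ":arch" / "=version" / "~" suffix forms.
# A leading "-" is rejected so no option can be smuggled to the called program.
check_package_name() {
  case "$1" in
    ""|-*)
      illegal_command
      ;;
    *[!A-Za-z0-9.+:=~-]*)
      illegal_command
      ;;
  esac
}

# $1 must be "apt-dater-host", $2 the sub-command, the rest (install only)
# package names. Runs the sub-command through the fully qualified path.
check_ssh_command() {
  if [ "$#" -lt 2 ]; then
    # not in the form of apt-dater-host <command>
    illegal_command
  fi

  if [ "$1" != "apt-dater-host" ]; then
    # not invoking apt-dater-host
    illegal_command
  fi
  # Drop the bare name; it is replaced by $APT_DATER_HOST below.
  shift

  COMMAND="$1"
  shift

  case "$COMMAND" in
    refresh|kernel)
      $APT_DATER_HOST "$COMMAND"
      ;;
    upgrade)
      # Don't kill the shell session right away when
      # upgrading/installing to please apt-dater
      $APT_DATER_HOST "$COMMAND" && $SLEEP 0.5
      ;;
    install)
      if [ "$INSTALL_ALLOWED" != "true" ]; then
        illegal_command
      fi
      for pkg in "$@"; do
        check_package_name "$pkg"
      done
      # Don't kill the shell session right away when
      # upgrading/installing to please apt-dater
      $APT_DATER_HOST "$COMMAND" "$@" && $SLEEP 0.5
      ;;
    *)
      illegal_command
      ;;
  esac
}

# Read the request defensively: with set -u an unset SSH_ORIGINAL_COMMAND
# (e.g. an interactive login attempt) must still reach the deny path.
REQUEST="${SSH_ORIGINAL_COMMAND:-}"
if [ -z "$REQUEST" ]; then
  illegal_command
fi

case "$REQUEST" in
  *\&*|*\(*|*\{*|*\;*|*\>*|*\`*|*\|*)
    # Shell metacharacters are never meaningful here (nothing is eval'd);
    # rejecting them is belt-and-braces.
    illegal_command
    ;;
  apt-dater-host\ refresh|apt-dater-host\ upgrade|apt-dater-host\ kernel|apt-dater-host\ install\ *)
    # Intentionally unquoted: word-split into "apt-dater-host <cmd> [pkg...]".
    # Globbing is off (set -f), so no expansion beyond the split happens.
    # shellcheck disable=SC2086
    check_ssh_command $REQUEST
    ;;
  *)
    illegal_command
    ;;
esac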

Sans oublier de le rendre exécutable, et de vérifier qu'il appartient à root (un wrapper modifiable par l'utilisateur aptdater annulerait toute la protection) :

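# Owned by root and not writable by the aptdater account: a wrapper the
# account could edit would defeat the forced command in authorized_keys.
chown root:root /usr/local/bin/apt-dater-host-wrapper
chmod 0755 /usr/local/bin/apt-dater-host-wrapper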