Is it safe for my ssh user to be given passwordless sudo for `apt-get update` and `apt-get upgrade`?

I have an SSH standard user account on my personal server, and it has sudo access (via its password).

I ssh in using a public key, so I don’t have to type in the account password to log in. Is it safe for me to allow this user passwordless sudo access to run only the apt-get update and apt-get upgrade (or apt-get dist-upgrade) commands? I’m asking from a security standpoint, not from a ‘broken/buggy update’ standpoint. I am the only one logging in, and if I break something with an update, I can always sudo (with a password) to fix things.

The main point is to be able to run timely updates on my server without needlessly typing in a password. But, if someone did get access to this account, I don’t want them to be able to install anything, and I don’t know if there are other concerns I should have with these two commands.

Here is the exact line in my sudoers file:

stephen ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade

Allowing a less trusted user to run apt-get update is ok. They worst they can do is consume a lot of bandwidth and fill up some disk space, and they have plenty of other means to do this unless you’ve taken stringent measures to prevent this.

Allowing a user to run apt-get upgrade is likely to give them root access. Some packages query the user and might allow a shell escape; for example the user who has access to the terminal that apt-get upgrade (or any dpkg -i call) is running on might get prompted for what to do if a configuration file has been updated, and one of the options there is to run a shell to examine the situation.

You need to restrict the command some more:

set -ex
exec </dev/null >"/var/log/automatic-apt-upgrade-$(date +%Y%m%d-%H%M%S)-$SUDO_USER.log" 2>&1
apt-get --assume-no upgrade

This shouldn’t give the user a way to become root, since they can’t interact with the package manager. As upgrades can sometimes break a system, and a user with only these permissions wouldn’t be able to repair anything, this should only be done with a stable release, with only security updates pending. If it’s a kernel update, let a user with full root access decide when to trigger a reboot.

By the way, the user wouldn’t be able to inject package content — to do that, they’d need to be in control of the server distributing the package, and in addition to the server signing the package if the package is signed (which is the case for all official sources). It’s irrelevant for this attack vector who’s in command of the machine at the time of the upgrade.

All this being said… use unattended-upgrades, if that’s what you want.

Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.