On Thu, 20 Jun 2019 09:32:17 +0200 Ansgar Burchardt <ans...@43-1.org> wrote:
> I don't think it is a good idea to require debootstrap to know about
> such details.

The _apt user is standard to Debian, but not its uid. The _apt user is created by the apt postinst, which cannot know anything about the host system from where debootstrap was launched, so debootstrap seems to me the only place where this functionality can be added.

> For limiting network access, I would recommend instead using network
> namespaces (to only provide limited network access for all processes)
> and/or user namespaces (if filtering for single UIDs is really
> needed). These do not require any uids to match between in- and
> outside.

Filtering out the root user is a pretty common security practice, and setting an iptables rule on uids is simple for system administrators. Using namespaces, how can you block any user but not the _apt user if it is not already created?

Just my 2 cents :)

ciao!

P.S.: the patch seems ok to me. I don't like hard-coding the _apt user line in /etc/passwd, as apt postinst uses adduser, but it's not clear to me when adduser is installed during debootstrap.
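The uid-mismatch problem argued over in this reply, as an added example that is not part of the thread and not code from debootstrap or apt: a host-side iptables owner-match rule written for the host's _apt uid only hits apt inside a debootstrap chroot if the chroot's /etc/passwd happened to assign _apt the same uid. The script below builds two constructed passwd files (a hypothetical host where _apt got uid 104 and a hypothetical chroot where it got uid 100), compares the uids, and prints the owner-match rules it would need; the iptables module name and the sample uids are assumptions, and nothing is applied to a real firewall.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from debootstrap/apt.
# Shows why a uid-owner rule on the host depends on the chroot's _apt uid:
# the rules are printed, never applied. Assumes iptables' "owner" match.

# Constructed sample passwd files (not real systems). On the host, apt's
# postinst ran adduser when uid 104 was the next free system uid; inside the
# chroot, uid 100 was free instead.
TMPDIR_EX=$(mktemp -d)
HOST_PASSWD="$TMPDIR_EX/host_passwd"
CHROOT_PASSWD="$TMPDIR_EX/chroot_passwd"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'systemd-network:x:101:102::/run/systemd:/usr/sbin/nologin' \
              '_apt:x:104:65534::/nonexistent:/usr/sbin/nologin' > "$HOST_PASSWD"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              '_apt:x:100:65534::/nonexistent:/usr/sbin/nologin' > "$CHROOT_PASSWD"

# Numeric uid of user $2 in passwd file $1. Fails (exit 1) if the user is
# absent, which is the state of a chroot before apt's postinst has run adduser.
uid_from_passwd() {
    awk -F: -v u="$2" '$1 == u { print $3; f = 1 } END { exit !f }' "$1"
}

# Would a host rule written for the host's _apt uid ($1 = host passwd) match
# apt running in the chroot ($2 = chroot passwd)? Prints match/mismatch/missing.
check_apt_uid() {
    host_uid=$(uid_from_passwd "$1" _apt) || return 1
    chroot_uid=$(uid_from_passwd "$2" _apt) || { echo missing; return 0; }
    if [ "$host_uid" = "$chroot_uid" ]; then echo match; else echo mismatch; fi
}

# Rules for the chroot in $1: let its _apt uid open outbound connections and
# reject root (uid 0), the common "filter out root" practice from the reply.
emit_rules() {
    uid=$(uid_from_passwd "$1" _apt) || return 1
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$uid"
    printf 'iptables -A OUTPUT -m owner --uid-owner 0 -j REJECT\n'
}

check_apt_uid "$HOST_PASSWD" "$CHROOT_PASSWD"
emit_rules "$CHROOT_PASSWD"
```

Run as-is it reports `mismatch` for the constructed files and prints rules keyed to uid 100, the chroot's value; a rule written blindly with the host's 104 would match nothing in the chroot. The `missing` branch is the other case raised in the reply: until adduser has created _apt inside the chroot there is no uid to key a rule on at all.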