fix: remove sudo from apt commands and RestrictSUIDSGID from service

- Remove sudo from apt command execution (service runs as root) - Remove RestrictSUIDSGID from systemd service (blocks setuid for apt/dpkg) - Remove NoNewPrivileges from systemd service (blocks sudo PERM_SUDOERS) - Bump version to 0.3.2
2026-05-03 02:24:52 +00:00
parent 3e037f2648
commit 64e7e787f5
5 changed files with 16 additions and 16 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1859,7 +1859,7 @@ dependencies = [

 [[package]]
 name = "linux-patch-api"
-version = "0.3.1"
+version = "0.3.2"
 dependencies = [
 "actix",
 "actix-rt",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "linux-patch-api"
-version = "0.3.1"
+version = "0.3.2"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 description = "Secure remote package management API for Linux systems"
--- a/configs/linux-patch-api.service
+++ b/configs/linux-patch-api.service
@ -17,7 +17,6 @@ RuntimeDirectory=linux-patch-api
 RuntimeDirectoryMode=0755

 # Security hardening
-NoNewPrivileges=true
 # Allow reboot capability for scheduled reboots
 CapabilityBoundingSet=CAP_SYS_BOOT
 AmbientCapabilities=CAP_SYS_BOOT
@ -37,7 +36,7 @@ RestrictNamespaces=true
 LockPersonality=true
 MemoryDenyWriteExecute=false
 RestrictRealtime=true
-RestrictSUIDSGID=true
+# RestrictSUIDSGID removed - package management requires setuid/setgid for apt/dpkg
 RemoveIPC=true

 # System call filtering (whitelist approach)
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,13 @@
+linux-patch-api (0.3.2-1) unstable; urgency=low
+
+  * Fix package install: Remove sudo from apt commands (service runs as root)
+  * Fix reboot endpoint: Implement actual system reboot via shutdown/systemctl
+  * Fix patches handler: Call reboot_system() instead of just logging
+  * Remove NoNewPrivileges and RestrictSUIDSGID from systemd service
+  * Add CAP_SYS_BOOT capability to systemd service for LXC reboot support
+  * Fix dpkg packaging: Remove linux-patch-api user creation, fix directory ownership
+
+ -- Echo <echo@moon-dragon.us>  Sat, 02 May 2026 21:25:00 -0500
 linux-patch-api (0.3.1-1) unstable; urgency=low

  * Fix reboot endpoint: Implement actual system reboot via shutdown/systemctl
--- a/src/packages/mod.rs
+++ b/src/packages/mod.rs
@ -98,18 +98,9 @@ impl AptBackend {

    /// Run apt command and capture output
    fn run_apt(&self, args: &[&str]) -> Result<String> {
-        // Use sudo for operations that modify packages (install, upgrade, remove, purge)
-        let needs_sudo = args.first().is_some_and(|&cmd| {
-            matches!(
-                cmd,
-                "install" | "upgrade" | "remove" | "purge" | "dist-upgrade" | "autoremove"
-            )
-        });
-        let (program, cmd_args): (&str, Vec<&str>) = if needs_sudo {
-            ("sudo", ["apt"].iter().chain(args.iter()).copied().collect())
-        } else {
-            ("apt", args.to_vec())
-        };
+        // Service runs as root - no sudo needed for apt commands
+        let program = "apt";
+        let cmd_args: Vec<&str> = args.to_vec();

        let output = Command::new(program)
            .args(&cmd_args)