From 9e42f322702b4b4c990df417989335423c8519cb Mon Sep 17 00:00:00 2001
From: Echo
Date: Sun, 3 May 2026 02:24:52 +0000
Subject: [PATCH] fix: remove sudo from apt commands and RestrictSUIDSGID from service
- Remove sudo from apt command execution (service runs as root)
- Remove RestrictSUIDSGID from systemd service (blocks setuid for apt/dpkg)
- Remove NoNewPrivileges from systemd service (blocks sudo PERM_SUDOERS)
- Bump version to 0.3.2
---
 .a0proj/audit.db | Bin 1495040 -> 1552384 bytes
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 configs/linux-patch-api.service | 3 +--
 debian/changelog | 10 ++++++++++
 src/packages/mod.rs | 15 +++------------
 6 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/.a0proj/audit.db b/.a0proj/audit.db index 510ab39d9a64b154e514314a357a93eb0ca5de30..036ffdc8702e9dda05178cec0e0ea06013cd5350 100644 GIT binary patch delta 21732 zcmeHvd32Q5m8Yw;FQt-HRi6Z6`6O&30g|dpwW(Nz5Jn&)fgmv;A(g5=p)#eaq82dm z5Si?AlJOE^?uFx*A^`^b&CLgm_ zuCDv>P5k6UZGEb=?q_vBK7YJ^PhF+yWBc%QcJKK&m$aHn#!ZV(RH)m`rhyYX)pj$! zeN6r8&i0bsra)k-XKLE#?DY5chC4m}X@6%R?Dls~dBP#TFYI$`zQ8zl^m?7XX@4lt z+2iy~cY3B>uFhV!=Izw9o}Q4~8H%{QuCep+){}LWiC-x> z`#0k!Tmk&uHpYL?d;AwGE61zaZmMdl@}95Upj4gMGFab$=El;crKbMj+ed~5b`5Mg zacHaK{2hZWCWdhS@YZ|FO2%upoTwN%Q(v>YW=q|V>i)X!FYBJKd!+6`ko}qJg|#J% zO{sx92M0o_k@3PWW1pPb_t~j^CVb5Jl;Bf}PZ>Vt_*CFiiBA(I4(@>Qyz&_nkx3(RI#W0N9P+ZZ?Cwp_j}3{l`Y_ZqQ|B3Pcl2D zM&s#BC>EQDgfber-m=)5d)&Fkbo67|gx&+K-?rM_Jw58Nv3QS1#V@bg-QBH@gu(|y z2Q&jxC=*S@)kKp2q|wPoru(eTbE8@+8j1nlDs_{VF8neb%EmGsENEX;>@hm2 zGyK0K<`XQ%J$_1>m}EYM*D`gQBWAk#(nwF5Y6u;o26+_0RthXfQI^L6V4ZoP7HVP7|CtZQmg zH?!cg7!&MPQ!^TrFs?#*Qi&uCY(`V{0T~ymLlEM022zj=WoCjw7%lvk649Mar@E)2 z@$OJEgDL3J?uw=}m|%%OUXU;u^k-{oTIQHHy}F*MS`1=)1HdEk=_`TfIS&eV4R0C_ zs)Mu1mjcMdr-MM98sJkBx^vtJAYHB>aa&{nB^uW%>rnybqHyc!|@kB;F zs%2O=2g7RM>+0%)vFeR8ZM0djcKoh-AKWn1b$+pGo>{XZT3r`&juT#vofpH+5}+!O@Ke%$V0zB;0em039@@(^{IWtfom87@smS|X}x@0b(JaOZtAlOVf-0L&=|Z==Gr2ZMUh zrA3$ycV2GzojcP&b}c+xDxyvBmtZiHz@QxJz^Mud9bMV@kyI$z&i35vW|prJ6R0x% zsZ47-zt{zzn+YMVgh$AY2(gtf>B7VBd+GQqw!VCj(uh!GmD&b(t4(AQZ9&!RrgNXF z>nTClLdTamcGBe?*3A~_>AF&B)s1N8m8UBmb;lUC3tZseZo2eCYX?o)AsstKK%r)4 z3>U1nhtfymVMMT6O0W=O=yLmnS(h!~dvQd;9pt1r65R0JoPsEGf(}(5|_J|wqLZaH1*J_DQgS4x;i(a^4CaQ1?wa%<0iJw-tc~81bE{^5hI0`{A&LHt|=q1&C{p0W zRC(CTyAW{C@xZWK{TxaPFQ3ZB;|$==#8g_%#$#GKt&bW_t5`h1;=1&Z9QxKO5xScn z<`t8==0#(BM_1@bD4Jnrd2-%|wK?C9Vd&wZ%M+m1_br{b z8La}-wZ)xRsbg)r@J+=M2wEcQ)KR00pbZ)!2JEFv?^$|HPC8y$YqReh*f>1AYhvTj zaR0V}O$ac76YaRK(Ka~N)*p(q1C-LK9+`>8G|8nGd})cG@4c)*a|i#HVA?FmsuQXisVBB-W0a?3tf4Sbvu{XB=H#HjXZ@ zG>$AFBH)6dVeJKKQdWd|qo2=7&qb|Gb9z{Y_V%rbsbNFOgF!hLtJK3auqc8Tx8w7Psbrc(WAqkVC%FQaD&vC*FrKeQ?~sk{bE z@r}OoS2jlr51UCGj3$D?G~=!tz*$HI^z2|56UAyKp#g@Uc4X?5+Ae+Bh_TwK{u7M~O}=TVtiClj 
zHobVzx==i%b?2-#^w!IkiZT{A0Pxo>tQ0cq>{vynx6#kJu(s4C9*wn)q_kv+T~)E& z>FR>acjf&UgqK`+*VI8Th8tUG;$3T*X*Ina1};p&!fR0waMF%9EsnKap-6-kVM5_Y@= zL$Dx;>AwcAzO%SiO6Bsd=}Y58crAKh ztFbBqnL?zBY2)FI^)w*%F~t2#YHf7StJczCL1BIg!-_8gBR3W(V{x~>;NZvn!#>i; zLPRD)>>}auglI`mN9$Ju{9ip(vvi4`?`W5;Aw;@94+1B*TtiS_w$4t!_?5LLXG(Wx z!U&lYN7_ZNe1OdZ9|Jqwi2V7tpPgR^B{geh)76|2y3iqWoxM$Ri`|j@Um?F?A>7Vh z;Xmm&|GT=D;%ZH8iQ6SzDrpO9taZAMu|IY5(gD7fKHE@JU!k*rhWA??c*iZ9?w+b? zs1ekP7Z8)-g>KCf>IqOh`VC|aU)0CX(-{5vG}@m>#+L&{gP@(A>L3@ zP4YPpqy+o5)=J||D6$4|~3jY^3J zYYi5Hxq_Tvk-gGWgT^?BbHuU$WaJZu9U=nbT;BX2L9&75ysRQ4kqZb!z%0V7`8mG% z2|=B+5EKTG544P-IVYHI-#6CQnc_s|Sldeeb88VMg=#h~;LsaCsB5h4k_$psZx6i` zZnV*F9&dEC8umn*k=zUd1(`UMdDV6E5{1TFkzy7yHbuyY>3}DOxv>R|)S*EQRMIz`+D&QBG{?4RoUh`l6fWX9d;-7)+b*C`bi+f+0H7{N`s7R@m%j9?F6q_{#a%UZ_}s8y}nLCG_X;km2D zL-Tgg=2Mgtj2rW?w<2uB;*NL9R^EMVo_nj*(jCIX((6B{o98P&tb_H>vne+!H)Pt< zsOMwh4|XkPIk_gybg9qw`zgab4Z1E{m@6mGI5yNEdQJK9gEfcT!FGPqR7S6S-CDZ< zTVF64X^|1eHiC$1MMQhDqRdX}bYt0_#!_2!MNohR8Ir#9f3CLj7CYAy`VfZA>C%(( z>8?4bTY?50p%6K(y#$v)WgN0yjeYyIoYjNbu<#PDSg=Ilvk}iF|v57AB z)mQtkwQ@unM5GQF;xfXrW(*H?<{09$}9*k(i$(QwL0cp5<~FW)cu z>TIHG1E)e|i=K&~$#eCK@=1nk=1qD$ob*^Ade#@^8F+vl746Eu&F}?V9 zsSV5IbLH4x0gjdbD$M^sgqiEXc7143=K0xtHPb51j*-+XHZZWN1qD3Pwn|ly#zf>h z&CnK33`;S6ZE;=swN*fGC-IIHRMrus5+{-Ed?j7v2#>B+*Ul4>t|L}?5K7rc3=sDIya z-l_;&hg}?*BG>b?)n=ba-YyW?S^L$@8$A%LT9daDhDCYK-LSSX8SU2XYPwsuG#4#) z2kn2;QrmJJ??=uN6vu(Z6^<($A3J&J26A4#=F&Q=L1M@pV0B*@m+4US>4h8uVedVG0il%G0y?oztY~{h}u>7BC6(&@%>I{%){(SD=8j{3SSx`W{mt^Gy~Oa8rnRsDm_N*vd&P z`d)a_(O-h40fmm)K1-LkRh855pk*POkIY8PKhmS0vCtBf2m# zPLwbsg^yoey60c4j#B*3N41+QH=B@t+hke1RO~{d8VO~EDDg#2t~wJ!g$!3HAYt#M zU)*D9Mj%po+_Kl~R_U!zT0CZV54C>EVl%rv^!#zlZDy}Zt`SR;;-9uuDOh%lq@ssW z%eQMbDYobV$4?L6X=ySA=+q}HP0j9JbitNcIMdIi1A3<(C;hKGEsIrDck8X&v{YP+ z-JU>&s+Kl-x#@uc%R-cwY&d9XF?ne0AP~fU{D4Jm@u?_LgnouIJGD?O17;X+`RVLI z%Yp>~bl{EQ!I6HWMI;oRw0*Os+w5`C+-A!%v&T(=m}P0RDAn|UIRo*-(NrSN<$cI6 zdQaYlZRKBVw$z(^^re`^ZSvzu>q_ROhj}@aIB-BP(Cb7oH9Ra>I-JcUvzfJbCQ$Jh 
zijixJWj|>znQlkXGH(-^ep~OO*A|*a^0T`NJNNmu9tw)C1q@Bti@eR!Y(_!RowtDi zZx7vfn`ObAM@0$&Te(9hxQ?ymgdFT;Ei9?$=BnMLAQsgnYE=_&*JQA_Q<=o6csqgrNdf8WSN9_^KMe6_i`I{$!i z-h(|gMwv>GR{+DY9oY9SmKxX00-*$=@CT8@A3vq4Z(Qxj4RnpPYGGCtMeXx4n_ZFU z;fb&ojkWunVk`1bV)tsznl%U{+YTO1rs;iiom*D?afZpL{`%wdGnY4KhF+7Gb2px% z&P~kq;N`*Hz}&1@v4YCaIM%WV`lunS?4S*gR}S#e44W&6A_*9ayE3BYS=7u1$KopQ zgJe>nFr+;gyqgWyD)mSx6+gC`UV6VKnB(lw_G|a#t&r=rt}JflK~|ILjAJ7s+RKQF z<0B4p4?_E$Ry#fW#rlf2v??8u+G$jss<-R4>>Fi)6Yc+$X<OEbc(1WFXt2&w$<-=*zzGu24$%6;f_D$MUG!*aNJ%v)dY=?Rznwe3P zvFw2Ze4fTAmr)B(uP`_^=Bkf|9;t7GOF#DwYx~}SpidUfrxIb*7Y2jtf=QMIuv?ki&BP2u&>Ext8_bq9(NG=-_qYW)IW4& zvk!&RTNJy+cjd^R-)d7R*koHcr4NZ1Ypm1h4LY4;aU7kS_4we=$Kv}CHXKylz2oX1 z$ObbGQia}gG*uV!V4H38tydl2JL~E#7{8~7`nD+Rsc)eT>zg54DNPM3t+ZyFq9})* zT|He+AfH7|i^upY*vYV6o*n%$cn3mGA2Ajm;p0YbgAJ?=svu#Q`l zQH0^vudSzdk^bK^ld*A`_R4Gt;}&IwHpD$7nTvbEFM zZMKT#JYdg!to^f|Lae<#%ibZ&NI601lJ$vLiqne(O-pJ|8`Q*|Cf|mr9B% z>Fh;EISt*eV3F2KKilY-phd4b?7ZxH)p0X@YZP!ZTb0H1xmO)a&Hf(llBNy2K+(l1 z3|#wD1ItCjN~;+M*47Uzhs=Hi&mUl%@3i85Ox0o<|1XXuX4GDyd7P{R!2Y$}0J7`@ z02v+zkmP`)y(Hirr`MylHDHKJ&Yyw2i<{9w{ip=9x+Kt>>rg|dO_-xzC;i=K40X0r z5&WvAw||78da?4_;z-dw{}t5qQfSC_GyQOfM7G`B>*v#=?vf^3D}8Va42ZyV z$)IBieW6;ZCS|K*4GsMmxITZYt&B>yqu;%IZOwFX(6N@r_R20Jw0@VPj2>-9>&3l_ ziza^pykFevP)l4WhkI?SBShBS=%EgQlyzhB{YCWew>er%TsUWd9=B8F5Qa%w6usNo z4s;v&AC3i-9Kt-rKH{jRnV&k4uOCO3*BR2s>oC?UBcN+&zpa`&{=u<{x4Pp0fd1Y4 z(bl~PZO>SN<+AOLjojw?8QRuQ0`xEb$+3{Wx!ti$9Eh0Ms|=a3uzhx~ax>W*@b26& zSUNbV)X_uL%2qS>kLLEFZDh*UMVA+W8B1OR3JXI3K2xK7)Qn>cFV!eFSM>CbL*$Oo z*^tsj&yOjKsLiINV6=CPIUYga;_baKc^ZOJ;`U*6u2yx>~+mVGfT#K(E0(R2mI5kP$Yab<-5{&6U1)f3A8GM6ie?V#8b3NQXIeog77KYv1b zSbx0tNu{MSXTh>h0wcVn(77j-0g61KEGp{(O#QvhPbrVk%o8B^*H0-+>FZA^t}++g zM-P4EX{CpjKCQUTSfLzxMzPV~J`Lsl+|x=|6PqwpQ0mr4$JB!**fWsdx1Ls7JJ18i zvWy-%E8`zmrKL6A3DC!ZZm$QfL2tl{oFghpz1KOeqNpmP?u*XyF>tR7-@`KrquEUx zp1}P4`bkg)10<<(!swaK0AbG=rIBWzQY>b#kN(Y5uta}xMp?i_ZlW4McqyT<={(fX`D*fX`b* zfRENcp)8?2KXKI1`L8L>Wj=7IS4^pbO9<3WIIJ5>gd&DCz*vnvr7SV~oq`@S&h7%^ 
zCQ6)9HrM-sARKM>F0dWaco)5NM%mBC3thryzb8jr6TS8vjL=KZD2r@-DxjpdI@LVI1h@jfz zolUE|H0)s`sTEW`bm*6jO=i@uJ?yjrR)G25 zKygAX@t@z;3$;8=>JJ@{)3C=@!R?`+Htvz}9DV1@irWACM=(Yadz!|+q--e)VK|Ii zybwxy|5rp9XIiE#FuCdVI~^@%kC&1Ql?7(kEUkYBHrjX4vCoY1-g6H^*}iblwizAI zb=!yOzMGXQIvH`;NOjsX^!~e!hXvgm-mP3g&R;cl(fuy_CGqIce*`Now>v(4p)_vW zXsU&{aD7ZNja42!yuSQa$|P)GpzrP}UwvVH()PnL*f0pv@uwS3(R7ESo=P7nx6y`2 z%5QEGr{2UV(5Y-R7U_)Od>SuC4lSz$A{$HU;SN0X@FV5R$a|q|^2FcXU1f%U=nFNR zH={=S_1zVIVPWhQOJU3ojWjHw@JwkN{mYi}!+4-JmE8h&f$;ZS`D!zYi65RWT}6*| zIB@Xb6AgVAhI<_8QuzCuZX(k|rQ0vm2OQrv(Hl-jnm+zW$#ObfQ&CTU@kq%SeRrnR zO}&qn?5E-7c9oug6sV<=v-Dl1w2A7!Z?2=CKU(6U4_+;)qMIKpX`v-Al$O&yPc}4B z_L5npp-{t9G`FO(ie{c_a3NGUWUo+>H0_%#UrOe`D`}*+-?G=y*i`9ZvVE(37lN7! z3l3I&J!b7^_Ic^0WhEWFZ1_f%&)1DIigdS2%3=PyE{+H&u+W_^js@NR6s7WJ9491G zugzEDo^{a!2OS5R-Lqa1WG-8_Ozn?FlgXnm`Fdh4so7~L6jEV9X*qFCePQ3Yg|C4r>AR_<&-@}T zL-Ce0eeyq4?6dD)=~#Tz(&1BspSj;}GFOzAn(5~+D;wyQqn1|s+Ly{KboR%k3nG0( zL#o@;?e?ex?g9O5uQ*B@QIQ?s)*f}}j(!|Bh=*fYPVtGuRmj=mrU&?GzAQq#)~fEB z!RbK!3t>y>PGmJ_aZnF*^IhP!+Do7H64mZ=#tmsn(Jy?Rc$1f+ITdP?$8U2)MQG-Nm@Rs!B>9h*A6h5 z!q0SyZOzV5GHMi(02h>*V9z>?td=ib=rn zyV+=(??b`Vq;W|0#JT^DdX?>EwbZbp)=@qk3t>iS?;1_xlh?xVSKrDqp}Rg$PG*-4^Tpyj3tf&0uDyxg?GgYgCTD`bov+HxDRJ2 zb@mSOYy^!|lyMo4x>?RGzeR_?t+W-Y$%++4dIB1*P!y?wvFJe!To7s@4!!bu$loc` zEK(tLvRJC;qLWvbYwmp&!S0eGJzt^=s)HZH$~y@1kUFolbyxg zEqX?mbGhP91bOvVy!fstI63~|*Kn3;-W^eHneUY_`5GS9&4Gfu8$g9#ugZP0IqGtE zVCgp$a4U!5xbZ?CMcn!|r{7D!%>~y-72Gd{J!b;RzU@~wuP8c4d?byEY=&#TI&A##b_lz|f@yCJ&5q+2%Zsa04hQ1~rovdUt zpl?U3*dtC0is75so~1bQke;6%AiJ=Irr^odmgc$1$;q*JIvYt~4hMGLJ~6s`)9}E~ z(I5`5WpMUA8;!Jg;?NoXb-Fr&YVM4>*ys@+GsDMgbr7GC}m z``jcSv0(CK>Kl$6hfz2LISkV%Vjn;;HEUk6w*5g z=+F!`b2O=`;GOjJM>NDDl@YnCGfC&F8|@{NYA1bejb*W)<2oG)reA>2shdtEW^u&| zKgJF{s6swqIvW?;OBDKnviKH6H2l7X?IJA|ER3~a!)3LDPQG_i72t~CBaAG3$BlQ2 zIY>KBSKB%TIT(-#~;QHysd@Ri-Gd9W*bYN55%Wz~M{{jjypZ zSLfx55-&84P|F$%u6Vh8>P!F5a7@>dNbN3cs;NR;;Gb9${#ar-$D;h9pJ&VPPOyr_$JqL^#cY zZiLp5xPogxwkNi0N4V+-(u9~?4>Ix!f!K;w0>L~3M`#5}VJVu_3w^NQp>I_;R#!nm 
zIdX$yd|{1c!L$(j-%B?H3LGl$I+B11(rX&SN91H5P`P1eF^TXbV9tvv2m~`F`wxsCgXq+)N?JxFUxaD+3 z->KPrXL#ptfiYL}LJ`IJ;5V`7^ z$g3jUE=%(Gjl^Z`UX>|z%=P-Sc&$GsarSvg)@@98F-edB85B@K104)7Aqgq4APqKT zzyTK)APb9-o5th~T1G;fF}"] description = "Secure remote package management API for Linux systems"
diff --git a/configs/linux-patch-api.service b/configs/linux-patch-api.service
index 171ee54..fca12df 100644
--- a/configs/linux-patch-api.service
+++ b/configs/linux-patch-api.service
@@ -17,7 +17,6 @@ RuntimeDirectory=linux-patch-api
 RuntimeDirectoryMode=0755
 # Security hardening
-NoNewPrivileges=true
 # Allow reboot capability for scheduled reboots
 CapabilityBoundingSet=CAP_SYS_BOOT
 AmbientCapabilities=CAP_SYS_BOOT
@@ -37,7 +36,7 @@ RestrictNamespaces=true
 LockPersonality=true
 MemoryDenyWriteExecute=false
 RestrictRealtime=true
-RestrictSUIDSGID=true
+# RestrictSUIDSGID removed - package management requires setuid/setgid for apt/dpkg
 RemoveIPC=true
 # System call filtering (whitelist approach)
diff --git a/debian/changelog b/debian/changelog
index 37a5aa0..68ef445 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+linux-patch-api (0.3.2-1) unstable; urgency=low
+
+ * Fix package install: Remove sudo from apt commands (service runs as root)
+ * Fix reboot endpoint: Implement actual system reboot via shutdown/systemctl
+ * Fix patches handler: Call reboot_system() instead of just logging
+ * Remove NoNewPrivileges and RestrictSUIDSGID from systemd service
+ * Add CAP_SYS_BOOT capability to systemd service for LXC reboot support
+ * Fix dpkg packaging: Remove linux-patch-api user creation, fix directory ownership
+
+ -- Echo Sat, 02 May 2026 21:25:00 -0500
 linux-patch-api (0.3.1-1) unstable; urgency=low
 * Fix reboot endpoint: Implement actual system reboot via shutdown/systemctl
diff --git a/src/packages/mod.rs b/src/packages/mod.rs
index b3a712d..29180c3 100644
--- a/src/packages/mod.rs
+++ b/src/packages/mod.rs
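Review bot: The reason given for dropping `NoNewPrivileges=true` in the first hunk — that it blocks sudo — is stale within this same commit, because the src/packages/mod.rs hunk removes the sudo invocation from run_apt, so the directive can stay (or the comment left in its place should name the real blocker). Note also that `CapabilityBoundingSet=CAP_SYS_BOOT` three lines below leaves the root process with no other capability; I would expect that, not RestrictSUIDSGID, to be what breaks apt/dpkg (EPERM/EACCES on the _apt-owned cache directories, on chown of unpacked files, and on apt's drop to the _apt user), so the install failure is worth reproducing against that line before attributing it to the removed directives. `RestrictSUIDSGID=` only denies setting the SUID/SGID bits on files, so the replacement comment in the second hunk would be more accurate as `# RestrictSUIDSGID removed - dpkg must set the SUID/SGID bits on files shipped by packages (e.g. sudo, passwd)`. After the change, `systemd-analyze security linux-patch-api.service` would show what exposure the two removals add to a unit that now runs as root without sudo.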
@@ -98,18 +98,9 @@ impl AptBackend {
 /// Run apt command and capture output
 fn run_apt(&self, args: &[&str]) -> Result {
- // Use sudo for operations that modify packages (install, upgrade, remove, purge)
- let needs_sudo = args.first().is_some_and(|&cmd| {
- matches!(
- cmd,
- "install" | "upgrade" | "remove" | "purge" | "dist-upgrade" | "autoremove"
- )
- });
- let (program, cmd_args): (&str, Vec<&str>) = if needs_sudo {
- ("sudo", ["apt"].iter().chain(args.iter()).copied().collect())
- } else {
- ("apt", args.to_vec())
- };
+ // Service runs as root - no sudo needed for apt commands
+ let program = "apt";
+ let cmd_args: Vec<&str> = args.to_vec();
 let output = Command::new(program)
 .args(&cmd_args)