fix: remove sudo from apt commands and RestrictSUIDSGID from service

- Remove sudo from apt command execution (service runs as root) - Remove RestrictSUIDSGID from systemd service (blocks setuid for apt/dpkg) - Remove NoNewPrivileges from systemd service (blocks sudo PERM_SUDOERS) - Bump version to 0.3.2
2026-05-03 02:24:52 +00:00
parent 2b35a143da
commit 9e42f32270
6 changed files with 16 additions and 16 deletions
--- a/.a0proj/audit.db
+++ b/.a0proj/audit.db
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1859,7 +1859,7 @@ dependencies = [
 [[package]]
 name = "linux-patch-api"
-version = "0.3.1"
+version = "0.3.2"
 dependencies = [
 "actix",
 "actix-rt",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "linux-patch-api"
-version = "0.3.1"
+version = "0.3.2"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 description = "Secure remote package management API for Linux systems"
--- a/configs/linux-patch-api.service
+++ b/configs/linux-patch-api.service
@ -17,7 +17,6 @@ RuntimeDirectory=linux-patch-api
 RuntimeDirectoryMode=0755
 # Security hardening
 NoNewPrivileges=true
 # Allow reboot capability for scheduled reboots
 CapabilityBoundingSet=CAP_SYS_BOOT
 AmbientCapabilities=CAP_SYS_BOOT
@ -37,7 +36,7 @@ RestrictNamespaces=true
 LockPersonality=true
 MemoryDenyWriteExecute=false
 RestrictRealtime=true
-RestrictSUIDSGID=true
+# RestrictSUIDSGID removed - package management requires setuid/setgid for apt/dpkg
 RemoveIPC=true
 # System call filtering (whitelist approach)
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,13 @@
 linux-patch-api (0.3.2-1) unstable; urgency=low
  * Fix package install: Remove sudo from apt commands (service runs as root)
  * Fix reboot endpoint: Implement actual system reboot via shutdown/systemctl
  * Fix patches handler: Call reboot_system() instead of just logging
  * Remove NoNewPrivileges and RestrictSUIDSGID from systemd service
  * Add CAP_SYS_BOOT capability to systemd service for LXC reboot support
  * Fix dpkg packaging: Remove linux-patch-api user creation, fix directory ownership
 -- Echo <echo@moon-dragon.us>  Sat, 02 May 2026 21:25:00 -0500
 linux-patch-api (0.3.1-1) unstable; urgency=low
  * Fix reboot endpoint: Implement actual system reboot via shutdown/systemctl
--- a/src/packages/mod.rs
+++ b/src/packages/mod.rs
@ -98,18 +98,9 @@ impl AptBackend {
    /// Run apt command and capture output
    fn run_apt(&self, args: &[&str]) -> Result<String> {
-        // Use sudo for operations that modify packages (install, upgrade, remove, purge)
+        // Service runs as root - no sudo needed for apt commands
-        let needs_sudo = args.first().is_some_and(|&cmd| {
+        let program = "apt";
-            matches!(
+        let cmd_args: Vec<&str> = args.to_vec();
                cmd,
                "install" | "upgrade" | "remove" | "purge" | "dist-upgrade" | "autoremove"
            )
        });
        let (program, cmd_args): (&str, Vec<&str>) = if needs_sudo {
            ("sudo", ["apt"].iter().chain(args.iter()).copied().collect())
        } else {
            ("apt", args.to_vec())
        };
        let output = Command::new(program)
            .args(&cmd_args)