summaryrefslogtreecommitdiffstats
path: root/apt/share
diff options
context:
space:
mode:
Diffstat (limited to 'apt/share')
-rw-r--r--apt/share/man/Makefile59
-rw-r--r--apt/share/man/apt-install.1.rst123
-rw-r--r--apt/share/man/man.in19
3 files changed, 201 insertions, 0 deletions
diff --git a/apt/share/man/Makefile b/apt/share/man/Makefile
new file mode 100644
index 0000000..a6d6bf2
--- /dev/null
+++ b/apt/share/man/Makefile
@@ -0,0 +1,59 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Depends: python3-docutils
+
+RST2MAN = rst2man \
+ --no-datestamp \
+ --no-generator \
+ --strict \
+ --strip-comments \
+ --tab-width=4 \
+ --verbose
+
+VERSION := $(shell cat ../../../VERSION.txt)
+
+SHELL := sh -e
+
+all: build
+
+build: man
+
+man: man.in *.rst
+ @echo -n "Creating manpages... "
+
+ @for FILE in *.rst; \
+ do \
+ cp man.in $$(basename $${FILE} .rst); \
+ $(RST2MAN) $${FILE} | \
+ sed -e '/^.\\" Man page generated/d' \
+ -e '/^.\\" Generated by/d' \
+ -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \
+ >> $$(basename $${FILE} .rst); \
+ echo -n "."; \
+ done
+
+ @echo " done."
+
+clean:
+ rm -f *.[0-9]
+
+distclean: clean
+
+rebuild: clean build
diff --git a/apt/share/man/apt-install.1.rst b/apt/share/man/apt-install.1.rst
new file mode 100644
index 0000000..f446ea9
--- /dev/null
+++ b/apt/share/man/apt-install.1.rst
@@ -0,0 +1,123 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===========
+apt-install
+===========
+
+------------------------------------------------------------------------
+securely allow unprivileged users to install packages via apt using sudo
+------------------------------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **sudo apt-install** PACKAGE
+| **sudo apt-install** PACKAGE1 PACKAGE2 ...
+
+Description
+===========
+
+**apt-install** securely allows unprivileged users to install packages via apt using sudo.
+
+Some background information
+===========================
+
+| **Use case**
+| On managed systems by a group of system administrators, it would be nice to allow
+| unprivileged users to install the packages they like from the pre-configured
+| Debian repositories.
+|
+| **Unsecure via sudo**
+| Traditionally this has been done by granting the unprivileged users to run
+| sudo with e.g.:
+| "user ALL=NOPASSWD: /usr/bin/apt, /usr/bin/apt-get"
+| (see sudoers(5) for information about sudoers, the configuration file for sudo).
+|
+| **Using local apt configuration**
+| Using sudo as above allows for custom apt options to be passed as arguments, e.g.:
+| sudo apt update -o APT::Update::Pre-Invoke::="/bin/sh"
+|
+| Or refering to local apt configuration file:
+| sudo APT_CONFIG=~/apt.conf apt update
+|
+| **Installing local debian packages**
+| Unfortunatly this allows to not just install packages from the repositories,
+| but also to install local packages:
+| sudo apt install ./root-shell.deb
+|
+| Creating a Debian package that contains a wrapper for a root shell or invokes
+| a shell as root during within the maintainer scripts is left to the reader,
+| however, there's a example available here:
+| https://git.open-infrastructure.net/software/root-shell/
+
+| **Using wrapper scripts for apt install and apt remove**
+| The apt-install and apt-remove wrapper drop parameters as well as file and path
+| arguments to ensure only packages from the configured Debian repositories can be
+| installed.
+
+sudo configuration
+==================
+
+| Users can be granted sudo rights for apt-install and apt-remove via sudoers(5):
+| "user ALL=NOPASSWD: /usr/bin/apt-install, /usr/bin/apt-remove"
+
+| It might make sense to also allow unprivileged users to allow updating the system:
+| "user ALL=NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt dist-upgrade"
+
+Warning
+=======
+
+| Granting users local access to a system is always a security risk.
+| Giving local users the ability to install packages even more so.
+
+| While the apt-install and apt-remove wrappers do prevent installing malicious packages,
+| bugs in any of the packages within the configured Debian repositories can be exploited.
+
+See also
+========
+
+| apt(8),
+| sudo(8),
+| sudoers(5)
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/apt/share/man/man.in b/apt/share/man/man.in
new file mode 100644
index 0000000..f95ca67
--- /dev/null
+++ b/apt/share/man/man.in
@@ -0,0 +1,19 @@
+.\" Open Infrastructure: service-tools
+.\"
+.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\"