I need to completely remove any methods for making changes to my system. Is there a way to remove apt-get and dpkg? Is it possible to also disallow changing executable bit to any files copied into my system? Can this be done with a mask?
Asked
Active
Viewed 559 times
-1
2 Answers
5
You could remove the execute bit from apt-get and dpkg;
chmod -x $(which apt-get)
chmod -x $(which dpkg)
Be aware that this will disable updates. Also, you could mount the drive read-only.
Elliott Frisch
- 3,018
0
I think with the advent of functional "micro" deployments using LXC and Docker that this might become increasingly relevant.
I can think of reasons why I would create a bash environment in a container, put utilities in it that require to be run as root, make a variety of devices available to the container by having it launch in privileged mode, but NOT want the user of that container to add any new software.
With the layered revisions of containers - then "once removed you can't go back" is not true. I can iterate on my docker utility container - but deliver it in "final" form.
USE AT YOUR OWN RISK (and I wouldn't recommend this other than in docker style work): At least in Precise you can apt-get remove apt leading to this interaction below:
apt-get remove apt
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
apt ubuntu-minimal
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
apt
0 upgraded, 0 newly installed, 2 to remove and 57 not upgraded.
After this operation, 3300 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
?] Yes, do as I say!
(now of course if scp or other file transfer programs are available to the container, someone can fiddle this all back in.)
sudo. – saiarcot895 Mar 14 '14 at 13:25