Removes uid-owner restriction from apt iptables rules

[conorsch]

Status

Ready for review.

Description of Changes

Fixes #3952.

Under Trusty, apt calls run as the root user. Under Xenial, however, apt
calls run as the _apt user. We must ensure that the firewall rules
permit apt updates on both systems, before and after the upgrade from
Trusty to Xenial. We cannot add references to _apt under Trusty, since
the user doesn't exist in the passwd file, causing the iptables-restore
action to fail.

Let's simply remove the uid-owner restriction on the apt-specific
iptables rule. By this point in the iptables logic, non-whitelisted traffic
from both the debian-tor and www-data users hsa been dropped (via
jump to the LOGNDROP chain). As such, it's fine to loosen the
specificity of the iptables rules somewhat, in order to ensure a smooth
transition.

Testing

We need to cover a few different scenarios here for full coverage:

• Clean install of Trusty
• Clean install of Xenial
• Trusty -> Xenial upgrade

In all cases, the following should be true:

• Config tests pass (modulo PaX flags are unset during install time #3916 if running locally)
• sudo apt update works on both hosts

Note that sudo host apt.freedom.press can still pass whereas sudo apt update would be broken, so it's important to use the apt-update command during testing.

I haven't tested all these scenarios yet myself, but opening PR to invite more feedback and increase the changes we find something to fix early.

Deployment

Yes, we must make sure this change lands in prod prior to the Xenial upgrade, otherwise we run the risk of breaking future automatic updates.

Checklist

If you made changes to the server application code:

• Linting (make ci-lint) and tests (make -C securedrop test) pass in the development container

If you made changes to securedrop-admin:

• Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

• Configuration tests pass

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

If you made changes to documentation:

• Doc linting (make docs-lint) passed locally

[kushaldas]

This PR is working as it should be, the only problem is that sometimes after installing the new debian package, the system is loosing the DNS ability. Not sure, why :(

[kushaldas]

This works :)

[conorsch]

the only problem is that sometimes after installing the new debian package, the system is loosing the DNS ability

Good flag, let's dig into that. What commands did you use to test? For example, sudo host freedom.press, sudo apt-get update, or something else? Trying to isolate whether it's related to the _apt user or happens system wide, even to the root user.

[kushaldas]

Good flag, let's dig into that. What commands did you use to test? For example, sudo host freedom.press, sudo apt-get update, or something else? Trying to isolate whether it's related to the _apt user or happens system wide, even to the root user.

Ah, now I can see that apt is still failing sudo apt-get update or any other apt command. sudo host freedom.press works.

[kushaldas]

$ sudo apt-get update
Err:1 http://security.ubuntu.com/ubuntu xenial-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:2 http://archive.ubuntu.com/ubuntu xenial InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:5 https://tor-apt.freedom.press trusty InRelease
  Could not resolve host: tor-apt.freedom.press
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Failed to fetch https://tor-apt.freedom.press/dists/trusty/InRelease  Could not resolve host: tor-apt.freedom.press
W: Some index files failed to download. They have been ignored, or old ones used instead.

[conorsch]

Pushed up another change here, attempting to resolve the DNS behavior post-upgrade. @kushaldas take this change for a spin and let me know how it treats you?

[kushaldas]

@conorsch The latest push works. Though it helped to find a different problem, we do need a FPF tor-apt for xenial ready.

root@app-prod:~# cron-apt -i -s
CRON-APT RUN [/etc/cron-apt/config]: Fri Jan  4 09:45:16 UTC 2019
CRON-APT ACTION: 0-update
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 update -o quiet=2 -o Dir::Etc::SourceList=/etc/apt/security.list -o Dir::Etc::SourceParts=""
W: Invalid 'Date' entry in Release file /var/lib/apt/lists/tor-apt.freedom.press_dists_trusty_Release
CRON-APT ACTION: 1-remove
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 remove -y linux-image-generic-lts-xenial linux-image-.*generic -o quiet=2
E: Unable to locate package linux-image-generic-lts-xenial
Cannot start "/usr/sbin/sendmail": executable not found (adjust *sendmail* variable)
"/root/dead.letter" 9/406
... message not sent

[emkll]

Performed functional testing based on the test plan as follows:

Trusty -> Xenial (i.e. Trusty clean install)

I have tested the 'clean' install under Trusty, then doing an interactive upgrade to Xenial. The changes here seem to work as expected, both in Trusty and Xenial: apt traffic goes through the firewall, all tests pass.

Xenial clean install

The provisioning process in xenial from a clean install works as expected, apt traffic can go through the firewall, all test pass.

Trusty -> Trusty (this branch) -> Xenial

Apt traffic goes through the firewall.

[emkll]

Given passwordless sudo, I think this a reasonable stopgap to ensure smooth migration to Xenial: having uid-owner set to root during the upgrade will break the upgrade process. Default action for OUTPUT chain appears to be DROP, not LOGNDROP as stated in commit message.

We should strongly consider revisiting these rules (e.g. set -m owner --uid-owner _apt) after we migrate to Xenial, since we also lock down iptables rules per user for tor, ntp and ssh (perhaps as part of the upgrade playbook?)

I'll let @kushaldas complete his review, to ensure this PR gets the careful review it needs, and resolve postinst conflicts, otherwise 👍 from me

[conorsch]

Rebased on latest develop (66e3607) to resolve conflicts. @kushaldas , please review and let me know if you find any problems.

[kushaldas]

I tried the PR manually, a full scale upgrade to xenial failed due to other reasons.

This PR works as intended.

[conorsch]

Thanks for re-review, @kushaldas!