[Bug 1727614] Re: Directory package-data-downloads/partial should belong to user _apt
Steve Langasek
steve.langasek at canonical.com
Wed Nov 1 22:44:41 UTC 2017
*** This bug is a duplicate of bug 1522675 ***
https://bugs.launchpad.net/bugs/1522675
** This bug has been marked a duplicate of bug 1522675
Warning messages about unsandboxed downloads
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1727614
Title:
Directory package-data-downloads/partial should belong to user _apt
Status in update-notifier package in Ubuntu:
New
Bug description:
For several versions now, apt has introduced a system user named _apt.
When downloading files, it tries to switch to this user in order to
limit the attack surface; downloading files as root is quite simply
dangerous. If the user _apt cannot write to the target directory, then
apt remains root, does the download just fine, but prints an ominous
warning.
Package update-notifier has such a directory, used to handle package
data downloads (Flash, Microsoft Core Fonts, etc.). Currently, the
ominous warning is printed every time those files are downloaded using
command-line apt or aptitude. (Which in the case of Flash, is quite
often.)
Doing a chmod _apt /var/lib/update-notifier/package-data-downloads/partial
should solve the issue and improve security.
However, since the _apt user is created in postinst, it receives a
different user id on each system, so the chmod should be done in
postinst.
Ubuntu release: 16.04
Source package: update-notifier
Package version: 3.168.5
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1727614/+subscriptions
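
Added example (not part of the bug report, and not apt or update-notifier code): a shell check for the condition the report describes, i.e. whether the sandbox user owns the partial directory and can create files in it. It tests ownership, as the report's title asks, which is stricter than plain writability. The function name and status words are invented for this example, and it assumes a stat that supports -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: audit a download directory for use by apt's sandbox user.
# Usage: sandbox_dir_status DIR [USER]      (USER defaults to _apt)
# Prints one word: ok | missing | no-user | wrong-owner | not-writable
sandbox_dir_status() {
    dir=$1
    user=${2:-_apt}

    [ -d "$dir" ] || { echo missing; return 0; }

    # The report notes the uid differs per system, so resolve the name
    # at run time instead of hard-coding a number.
    want_uid=$(id -u "$user" 2>/dev/null) || { echo no-user; return 0; }

    have_uid=$(stat -c %u "$dir")   # numeric owner of the directory
    mode=$(stat -c %a "$dir")       # octal mode, e.g. 755 or 1777

    if [ "$have_uid" != "$want_uid" ]; then
        echo wrong-owner
        return 0
    fi

    # The owner needs write (2) and search (1) permission to create
    # files inside the directory.
    owner_bits=$(( (0$mode >> 6) & 7 ))
    if [ $(( owner_bits & 3 )) -ne 3 ]; then
        echo not-writable
        return 0
    fi

    echo ok
}
```

Call it as sandbox_dir_status /var/lib/update-notifier/package-data-downloads/partial; a wrong-owner or not-writable result is the state in which the report says apt stays root and prints the warning.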