Ubuntu
update-notifier package

Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Bug #1570141 reported by Fabio C. Barrionuevo
342
This bug affects 76 people
Affects Status Importance Assigned to Milestone
update-notifier (Ubuntu)
Confirmed
Medium
Unassigned

Bug Description

ttf-mscorefonts-installer require additional download from external server (non deb package), but download not completed because have the error:

Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: update-notifier-common 3.168
Uname: Linux 4.5.0-040500-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu1
Architecture: amd64
Date: Wed Apr 13 20:45:36 2016
ExecutablePath: /usr/lib/update-notifier/package-data-downloader
InstallationDate: Installed on 2016-04-10 (3 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Beta amd64 (20160408)
InterpreterPath: /usr/bin/python3.5
PackageArchitecture: all
ProcEnviron:
 SHELL=/bin/bash
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=pt_BR.UTF-8
 LANGUAGE=pt_BR:pt:en
SourcePackage: update-notifier
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Fabio C. Barrionuevo (luzfcb) wrote :
Revision history for this message
Fabio C. Barrionuevo (luzfcb) wrote :

related: https://bugs.launchpad.net/ubuntu/+source/pepperflashplugin-nonfree/+bug/1551511

Revision history for this message
Fabio C. Barrionuevo (luzfcb) wrote :

fabio@luzfcb:~$ ls -dl /var/cache/apt/archives/partial/
drwx------ 2 _apt root 4096 Abr 11 21:13 /var/cache/apt/archives/partial/
fabio@luzfcb:~$ ls -dl /var/cache/apt/archives/
drwxr-xr-x 4 root root 28672 Abr 13 19:57 /var/cache/apt/archives/

Revision history for this message
Steve Langasek (vorlon) wrote :

This message shows up frequently in xenial, but does not necessarily mean that the operation has failed. Can you please show a complete log or cron mail showing the context of this message?

Changed in update-notifier (Ubuntu):
status: New → Incomplete
Revision history for this message
Fabio C. Barrionuevo (luzfcb) wrote :

video with full execution

Revision history for this message
Fabio C. Barrionuevo (luzfcb) wrote :

Steve Langasek (vorlon) , i record the terminal session and show the errors, please, see https://asciinema.org/a/42785

Revision history for this message
Marius Gedminas (mgedmin) wrote :

Also happens for adobe-flashplugin updates. Full cron mail output:

/etc/cron.daily/logrotate:
gzip: stdin: file size changed while zipping
/etc/cron.daily/pov-simple-backup:
tar: root/.gnupg/S.gpg-agent: socket ignored
/etc/cron.daily/update-notifier-common:
N: Ignoring file '50unattended-upgrades.ucf-dist' in directory '/etc/apt/apt.conf.d/' as it has an invalid filename extension
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20160407.1.orig.tar.gz [27.0 MB]
Fetched 27.0 MB in 1s (16.4 MB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20160407.1.orig.tar.gz'
couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20160407.1.orig.tar.gz
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20160407.1.orig.tar.gz
Flash Plugin installed.

ls -ld /var/lib/update-notifier/package-data-downloads/partial/
drwxr-xr-x 2 root root 4096 Apr 24 07:38 /var/lib/update-notifier/package-data-downloads/partial/

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

I get the warning (in yakkety) when installing flashplugin-installer (see attached file). OTOH it's followed by:

Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20160407.1.orig.tar.gz
Flash Plugin installed.
Setting up flashplugin-installer (11.2.202.616ubuntu5) ...

So Steve is probably right; the operation seems to succeed.

Nevertheless, the warning message is an annoyance, and a fix which prevents it from popping up is highly desirable IMO.

(is the affected package possibly apt?)

Changed in update-notifier (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Confirmed
Revision history for this message
ceph3us (ceph3us) wrote :

sudo adduser --force-badname --system --home /nonexistent --no-create-home --quiet _apt || true
sudo chown _apt /var/lib/update-notifier/package-data-downloads/partial/

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

On 2016-05-03 07:08, ceph3us wrote:
> sudo adduser --force-badname --system --home /nonexistent
> --no-create-home --quiet _apt || true
> sudo chown _apt
> /var/lib/update-notifier/package-data-downloads/partial/

Nope. The user _apt already exists for me, and I already tried chown() to no avail.

Revision history for this message
Julian Andres Klode (juliank) wrote :

APT is not the cause of the issue (for some definition of cause). We switched to running the fetcher processes as an unpriviliged user last year in order to increase security. Client apps/directories need to be adjusted for that to work.

Revision history for this message
Julian Andres Klode (juliank) wrote :

The message is just a friendly warning for you that APT fetcher processes does not run in full security mode, so a potential bug in e.g. our http parser could be exploited to run code as root.

Revision history for this message
Robert Pollak (robert-pollak) wrote :

How is this related to bug #1537512?

Revision history for this message
ALinuxUser (buntulongername-new) wrote :

> The message is just a friendly warning

Well, it doesn't *look* that friendly. Perhaps reformulation of the message is in order?

Revision history for this message
ALinuxUser (buntulongername-new) wrote :

But perhaps the message will be changed upstream, at Debian. (See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813786.)

Revision history for this message
bruce d. (ubetcha) wrote :

If this is a bug that could provide root hacking I would think it would be a higher priority;anyway,after multiple efforts of deleting the installer and reloaduing it, I still get the message "Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
and the terminal process goes on to another site and hangs. wouldn't mind so much except keep getting the message about how extra data files didn't get dloaded.

Revision history for this message
MP (pagel-d) wrote :

This works for me, YMMV

$ sudo chown _apt:root /var/lib/update-notifier/package-data-downloads/partial/

$ sudo rm /var/lib/update-notifier/package-data-downloads/partial/*.FAILED

$ sudo apt install --reinstall update-notifier-common

Revision history for this message
Marcel Molendijk (mmolendijk) wrote :

@ MP; works for me, too!
Had to re-do the process several times and I changed this: "sudo rm /var/lib/update-notifier/package-data-downloads/partial/*.FAILED" to this "sudo rm /var/lib/update-notifier/package-data-downloads/partial/*.*". Did the last two commands several times and in the end the installation finished without errors. The only thing that was different in the last run, when it completed, was a dialog window telling me that the download of *something*-corefonts-installer had failed. (?!?!@) But I let this window during the terminal process and it completed. After that canceled the dialog window.

Anyway, thanks!

Revision history for this message
MP (pagel-d) wrote :

$ sudo chown -R _apt:root /var/lib/update-notifier/package-data-downloads/partial/
(note the addition of the -R flag)

in the top line should address the need to remove all files from partial (and maybe even the FAILED files), as _apt should have access to remove or overwrite those files.

I'm not sure why you would have to reinstall update-notifier-common more than once though, assuming all rights are appropriately in place. Maybe your internet connection timed out or checksums didn't match properly in the downloaded packages? Glad you got it working though.

Revision history for this message
Alaric Dailey (alaricd) wrote :

This block from ceph3us got me past the initial problem

"sudo adduser --force-badname --system --home /nonexistent --no-create-home --quiet _apt || true
sudo chown _apt /var/lib/update-notifier/package-data-downloads/partial/"

However, now it won't download the fonts, I am getting connection refused, and 404 errors. I am sure it doesn't help that the url has a space in it "the fonts" this should really be URL encoded

 Failed to fetch https://pilotfiber.dl.sourceforge.net/project/corefonts/the fonts/final/andale32.exe

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

@Alaricd: That's bug #1607535.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.