Ubuntu
update-notifier package

Directory package-data-downloads/partial should belong to user _apt

Bug #1727614 reported by Adrien Beau
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
update-notifier (Ubuntu)
New
Undecided
Unassigned

Bug Description

For several versions now, apt has introduced a system user named _apt. When downloading files, it tries to switch to this user in order to limit the attack surface; downloading files as root is quite simply dangerous. If the user _apt cannot write to the target directory, then apt remains root, does the download just fine, but prints an ominous warning.

Package update-notifier has such a directory, used to handle package data downloads (Flash, Microsoft Core Fonts, etc.). Currently, the ominous warning is printed every time those files are downloaded using command-line apt or aptitude. (Which in the case of Flash, is quite often.)

Doing a chmod _apt /var/lib/update-notifier/package-data-downloads/partial should solve the issue and improve security. However, since the _apt user is created in postinst, it receives a different user id on each system, so the chmod should be done in postinst.

Ubuntu release: 16.04
Source package: update-notifier
Package version: 3.168.5

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.