Warning messages about unsandboxed downloads

Bug #1522675 reported by dino99 on 2015-12-04
862
This bug affects 368 people
Affects Status Importance Assigned to Milestone
apt (Debian)
Fix Released
Unknown
apt (Ubuntu)
Low
Unassigned
aptitude (Debian)
Fix Released
Unknown
aptitude (Ubuntu)
Undecided
Unassigned
synaptic (Debian)
New
Unknown
synaptic (Ubuntu)
Medium
Unassigned
update-notifier (Ubuntu)
Medium
Julian Andres Klode

Bug Description

Recently we got new versions for synaptic 0.82+build1 & apt 1.1.3, but now get that error when installing/upgrading some packages:

Setting up libc6-dbg:amd64 (2.21-0ubuntu5) ...
Processing triggers for libc-bin (2.21-0ubuntu5) ...
W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

From nautilus, i'm seeing a /root/ folder locked (x on its icon) and the folder is empty (no /.synaptic/ sub-folder or file), so the above error.

oem@u64:~$ ls -l .synaptic
total 4
-rw-rw-r-- 1 oem oem 0 Aug 25 11:19 options
-rw-rw-r-- 1 oem oem 236 Aug 25 11:19 synaptic.conf

oem@u64:~$ ls -l /var/lib/apt/lists/
....
-rw-r----- 1 root root 0 Sep 20 06:36 lock
drwx------ 2 _apt root 16384 Sep 24 15:25 partial
......

oem@u64:~$ sudo ls -l /var/lib/update-notifier/package-data-downloads/
.....
drwxr-xr-x 2 _apt root 4096 Sep 22 23:33 partial

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: synaptic 0.82+build1
ProcVersionSignature: Ubuntu 4.3.0-1.10-generic 4.3.0
Uname: Linux 4.3.0-1-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.19.2-0ubuntu8
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Dec 4 05:23:25 2015
SourcePackage: synaptic
UpgradeStatus: No upgrade log present (probably fresh install)

dino99 (9d9) wrote :
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in synaptic (Ubuntu):
status: New → Confirmed
Changed in synaptic (Ubuntu):
importance: Undecided → High
importance: High → Medium
Tsu Jan (tsujan2000) wrote :

On Debian I get messages like this when the download process is completed:

W: Can't drop privileges for downloading as file '/var/cache/apt/archives/partial/PACKAGE' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

However, after I close the dialog, I can update the packages. Of course PACKAGE isn't there after it's downloaded completely. Why Synaptic searches for it in that folder, I don't know.

dino99 (9d9) wrote :

synaptic 0.82.5 does not solve that issue

Tsu Jan (tsujan2000) wrote :

On Debian, this issue is fixed by apt-1.2, although another irrelevant message is shown now:

The method driver /usr/lib/apt/methods/https could not be found.

dino99 (9d9) wrote :

Thanks Tsu

so many changes recently with the apt package !!!
http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_1.2.1_changelog

Tsu Jan (tsujan2000) wrote :

I was wrong: the problem still persists with apt-1.2 :( It showed up again the second time I used Synaptic after the upgrade.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Changed in apt (Ubuntu):
importance: Undecided → Critical
Changed in synaptic (Ubuntu):
importance: Medium → Critical

@ddino99: The link u provided seems to be broken, so look at this:
https://launchpad.net/ubuntu/xenial/+source/apt/+changelog

And , yes, thats impressive!

dino99 (9d9) wrote :

Debian have upgrade the package; so the link above is indeed dead. Hereis the full actual changelog (more complete than the launchpad changelog)
http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_1.2.3_changelog

Changed in synaptic (Ubuntu):
status: Confirmed → Invalid
Brian Murray (brian-murray) wrote :

I was unable to recreate this given the situation described:

 $ sudo mv /root/.synaptic /root/synaptic
[ 3:56PM 10261 ] [ bdmurray@impulse:~/Documents/gtd ]
 $ sudo apt-get install --reinstall libc-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.3.0-7 linux-headers-4.3.0-7-generic linux-image-4.3.0-7-generic linux-image-extra-4.3.0-7-generic linux-tools-4.3.0-7 linux-tools-4.3.0-7-generic
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 207 not upgraded.
Need to get 0 B/1,172 kB of archives.
After this operation, 0 B of additional disk space will be used.
Sorry, your system lacks support for the snapshot feature
(Reading database ... 909633 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.21-0ubuntu5_amd64.deb ...
Unpacking libc-bin (2.21-0ubuntu5) over (2.21-0ubuntu5) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libc-bin (2.21-0ubuntu5) ...

Changed in apt (Ubuntu):
importance: Critical → Medium
dino99 (9d9) wrote :

@Brian

This is still happening on that fresh wily dist-upgraded to xenial, even with the latest apt 1.2.3 and gcc 5.3.1-1

Processing triggers for libc-bin (2.21-0ubuntu6) ...
W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

The main issue sems to be that .root folder LOCKED, that disable to subfolder creation.

Is that locked .root folder expected ?

Tigerboy (tigersands) wrote :

W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

following what appears to be the successful install of package xicc 0.2-3

fully upgraded 16.04

Tigerboy (tigersands) wrote :

Additionally:
/root/.synaptic/tmp does exist and it is owned by root with permissions 0700

The /root/.synaptic/tmp folder is empty

Tigerboy (tigersands) wrote :

dpkg.log:

2016-02-27 23:23:37 install xicc:amd64 <none> 0.2-3
2016-02-27 23:23:37 status half-installed xicc:amd64 0.2-3
2016-02-27 23:23:37 status unpacked xicc:amd64 0.2-3
2016-02-27 23:23:37 status unpacked xicc:amd64 0.2-3
2016-02-27 23:23:37 startup packages configure
2016-02-27 23:23:37 configure xicc:amd64 0.2-3 <none>
2016-02-27 23:23:37 status unpacked xicc:amd64 0.2-3
2016-02-27 23:23:37 status half-configured xicc:amd64 0.2-3
2016-02-27 23:23:37 status installed xicc:amd64 0.2-3
2016-02-27 23:23:38 startup packages configure

xicc shows as being fully installed & dpkg is fully operational.

Julian Andres Klode (juliank) wrote :

There is no bug in APT here. There is not even an error. It's a warning. In any case, this is synaptics fault, as that defines where to download the changelog instead of using APT's changelog code.

Changed in apt (Ubuntu):
status: Confirmed → Invalid
Adolfo Jayme (fitojb) on 2016-03-09
Changed in synaptic (Ubuntu):
status: Invalid → Triaged
importance: Critical → Low
Luis Ferro (luis-ferro) wrote :

Then i suppose that a new bug is entered into synaptics and linked to this bug so that users affected by this can see that it is being handled insted of "ignored" by a invalid / triaged status?

Just tested on the "release" version of xenial and it still happens.

Travisgevans (travisgevans) wrote :

For the Synaptic message complaining about /var/cache/apt/archives/partial, setting the owner of that directory to _apt seems to avoid it, based on my tests in a VirtualBox VM of Wily upgraded to Xenial.

I haven't (yet) encountered an error complaining about /root/.synaptic/[…]. It seems really bizarre that it would insist on some system user being able to access something in root's home directory.

dino99 (9d9) on 2016-04-25
summary: - /root/.synaptic/ not created
+ /root/.synaptic/ not created due to locking status

I had this message a few times within the past few days of upgrading to Ubuntu 16.04, fresh, from Ubuntu 12.04.

I had this message about a half hour ago while installing apport.

- Blossom

Changed in synaptic (Ubuntu):
status: Triaged → Confirmed
Changed in synaptic (Debian):
status: Unknown → New
Travisgevans (travisgevans) wrote :

I just now found a very similar message from the update-notifier cronjob:

/etc/cron.daily/update-notifier-common:
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20160407.1.orig.tar.gz [27.0 MB]
Fetched 27.0 MB in 1min 11s (378 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20160407.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20160407.1.orig.tar.gz
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20160407.1.orig.tar.gz
Flash Plugin installed.

So, apparently not unique to Synaptic?

Brian Murray (brian-murray) wrote :

The update-notifier-common message is unrelated to this bug and is only a warning (notice the W:) and the flash plugin is still installed.

Gil Gamesh (gamesh-g) wrote :

It's correct that it's a warning, but it is presented as an error. I get a pop-up window that says "An error occurred".

I guess this is potentially a different bug as I see the same thing with a warning about a weak digest algorithm similarly being presented as an error.

After exiting from Synaptic, is it expected for the file /var/cache/apt/archives/lock to be still there?

randolf (wolle321) wrote :

Have this problem too, since I updated from 15.10 to 16.04.
Synaptic is not running, but the lock -file is still there:

randolf@ART-LT16:~$ ps aux | grep synaptic
randolf 14314 0.0 0.0 15796 1024 pts/4 S+ 10:47 0:00 grep --color=auto synaptic
randolf@ART-LT16:~$ ll /var/cache/apt/archives/lock
-rw-r----- 1 root root 0 Okt 21 2015 /var/cache/apt/archives/lock

Hope this helps, randolf

Is the system missing a user called _apt ?

Was it forgotten to create one?

Is this warning serious or can/should it be silenced?

Who corrupted my system? Can we still trust the system or should we just install another distro, which doesn't suffer such?

Looks in any case quite messy AND it's an upgrade-regression.

tags: added: upgrade-regression
tags: added: regression
removed: upgrade-regression
tags: added: regression-update
removed: regression
dino99 (9d9) on 2016-07-11
tags: added: yakkety
dino99 (9d9) wrote :

This also happen on Yakkety with synaptic, but only once after opening a session (gnome-shell 64 bits); After that first 'upgrade' that ends with this warning, the next upgrades, inside the opened session, do not warns. This has no sad effects on upgrading, so it could be silenced.

Kim Tucker (ktucker) wrote :

In case useful, I have just done a fresh install of Xenial, followed by 'sudo apt-get install synaptic'. The following error arose when trying to install blubuntu-theme and blubuntu-wallpapers
W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_sh' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied).
After completely removing via synaptic, it installed fine with apt-get.

Bill Miller (wbmilleriii) wrote :

It's not just synaptic. Happens with aptitude as well. I suspect it's a new requirement for a user named '_apt' which doesn't exist (because it wasn't added).

Deleted (noone1) wrote :

Is there a fix for this yet? It's still happening on Ubuntu 16.04 with all updates as of 07/24/2016.

Tsu Jan (tsujan2000) wrote :

Cleaning up Firefox bookmarks, I encountered this report again. Apparently, apt developers don't want to see this as a bug, so don't wait for a fix! To get rid of that annoying message, you should have an `_apt` user (which probably you have) and change the owner of the folder in question from `root:root` to `_apt:root`.

I'm on Debian and the above trick worked here months ago.

feroz (ferozkhan27) wrote :

Yet, anyone find out any workaround for this?

feroz (ferozkhan27) wrote :

ended up using 15.10.

dino99 (9d9) on 2016-09-15
description: updated
description: updated
summary: - /root/.synaptic/ not created due to locking status
+ Can't drop privileges for downloading : _apt user not created
no longer affects: synaptic (Ubuntu)
no longer affects: apt (Ubuntu)

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dpkg (Ubuntu):
status: New → Confirmed
dino99 (9d9) on 2016-09-16
description: updated
summary: - Can't drop privileges for downloading : _apt user not created
+ Can't drop privileges for downloading : _apt user not allowed
Changed in dpkg (Ubuntu):
importance: Undecided → Critical
importance: Critical → Medium

@juliank (#16)

Michael Vogt has a different opinion that yours, so blaming apt again

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808802
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808802#20
"This is a bug indeed, the question is how it got triggered, that dir
should be owend by the _apt user."

oem@u64:~$ ls -dl /var/cache/apt/archives/partial/
drwx------ 2 _apt root 4096 Sep 24 05:26 /var/cache/apt/archives/partial/
oem@u64:~$ grep -B2 _apt /var/lib/dpkg/info/apt.postinst
 # add unprivileged user for the apt methods
 adduser --force-badname --system --home /nonexistent \
     --no-create-home --quiet _apt || true

 # Fixup any mistake in the home directory of the _apt user
 if dpkg --compare-versions "$2" lt-nl 1.1~exp10~; then
     usermod --home /nonexistent _apt

dino99 (9d9) wrote :

For the record, an other case has been fixed about _apt sandboxing

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806406

oem@u64:~$ getent passwd
.....
_apt:x:123:65534::/nonexistent:/bin/false

dino99 (9d9) on 2016-09-24
description: updated
Julian Andres Klode (juliank) wrote :

Michael and I don't have any different opinion here at all. You are complaining about root/.synaptic/tmp//tmp_cl - which is owned by synaptics - not about the /var/cache/apt/archives/partial or another apt owned directory.

A directory inside your (well, root's) home directory is a different case altogether: It *should* be owned by you, not by _apt.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Changed in apt (Ubuntu):
importance: Undecided → Medium
chris pollock (cpollock) wrote :

Wow, this is still going on after more than 10 months

/etc/cron.daily/update-notifier-common:
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20161026.1.orig.tar.gz [27.2 MB]
Fetched 27.2 MB in 23s (1,179 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20161026.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20161026.1.orig.tar.gz
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20161026.1.orig.tar.gz
Flash Plugin installed.

Evan Carroll (evancarroll) wrote :

Also getting this, re: @Chris Pollock on the same package which is now required with the deprecation and removal of pepperflash on Oct 26.

Pablo Catalina (xkill) wrote :
Download full text (6.5 KiB)

I have similar problem with flashplugin-installer and ttf-mscorefonts-installer packages:

flashplugin-installer: processing...
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20161026.1.orig.tar.gz
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20161026.1.orig.tar.gz [27,2 MB]
Fetched 27,2 MB in 25s (1.085 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20161026.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20161026.1.orig.tar.gz
Flash Plugin installed.
ttf-mscorefonts-installer: processing...
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/andale32.exe
Get:1 http://downloads.sourceforge.net/corefonts/andale32.exe [198 kB]
Fetched 198 kB in 2s (96,3 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/arial32.exe
Get:1 http://downloads.sourceforge.net/corefonts/arial32.exe [554 kB]
Fetched 554 kB in 2s (248 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/arial32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/arialb32.exe
Get:1 http://downloads.sourceforge.net/corefonts/arialb32.exe [168 kB]
Fetched 168 kB in 2s (71,9 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/arialb32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/comic32.exe
Get:1 http://downloads.sourceforge.net/corefonts/comic32.exe [246 kB]
Fetched 246 kB in 2s (95,3 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/comic32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/courie32.exe
Get:1 http://downloads.sourceforge.net/corefonts/courie32.exe [646 kB]
Fetched 646 kB in 2s (273 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier...

Read more...

Evan Carroll (evancarroll) wrote :

So the deal for the flash users, is we're not supposed to be using flashplugin-installer. That's dead. Follow these instructions here: http://askubuntu.com/a/845328/29097

On Mon, Nov 07, 2016 at 12:19:58AM -0000, Evan Carroll wrote:
> So the deal for the flash users, is we're not supposed to be using
> flashplugin-installer. That's dead.

No, it isn't. The referenced link says that it is no longer supported by
Chrome, but that doesn't mean flashplugin-installer is dead. The plugin
works with firefox; the flashplugin-installer package successfully downloads
the file and the warning message mentioned in this bug report is just a
warning.

Check to see if you have an _apt user:

cat /etc/passwd | grep apt

_apt:x:105:65534::/nonexistent:/bin/false

If you do, no need to add the user. Otherwise,

adduser --force-badname --system --home /nonexistent --no-create-home --quiet _apt || true

I haven't verified that it creates precisely the user necessary. If I remember correctly, /bin/false means no shell access so make sure the user created does in fact have /bin/false in passwd. Also it has no group (65534). That is it really.

Finally check the directory situation:

ls -la /var/lib/update-notifier/package-data-downloads/

drwxr-xr-x 2 _apt root 4096 Nov 9 10:23 partial

As you can see "_apt" is properly listed as the owner. If not,

sudo chown _apt /var/lib/update-notifier/package-data-downloads/partial/

My system already had an _apt user, but did not have proper directory permissions. At least, I have to assume that this is a proper fix. If not, somebody more knowledgeable should be speaking up and sorting this out...

Paul White (paulw2u) on 2016-11-17
tags: added: zesty
Morgan Grobin (morgangrobin) wrote :

I got this bug trying to download the linux source, fixed it with the following line (which was posted in this bug's duplicate thread):

sudo chown _apt /var/lib/update-notifier/package-data-downloads/partial/

wilhelm (mondfahrer) wrote :

I only had that whily trying to install ttf-mscorefonts-installer
The problem appeared after upgrading from 15.10 gnome-ubuntu flavour to its 16.04 LTS version (amd64)

I solved the problem by downloading (manually) the 3.6 version of ttf-mscorefonts-installer from debian
(https://packages.debian.org/de/sid/all/ttf-mscorefonts-installer/download). installing that package with gnome's software center (and probably also ubuntu's software center) works perfectly.

Probably this is a workaround and not a solution

Changed in apt (Debian):
status: Unknown → New
Rochvellon (rochvellon) wrote :

Same here. Installing the paket from Debian is only a workaround.

Benjamin ABEL (bjn-abel) wrote :

It seems that this bug id due to a unhandled space in url:

    E: Impossible de récupérer https://freefr.dl.sourceforge.net/project/corefonts/the fonts/final/andale32.exe 404 Not Found

Because package tries to download: https://freefr.dl.sourceforge.net/project/corefonts/the that doesn't exists. Maybe a simple double quote could solve this.

Daniel Richard G. (skunk) wrote :

Benjamin, what you're seeing appears to be bug #1607535. (That bug report doesn't quote the "/the fonts/" URL directly, but it links to a comment that does.

I have a bug report (bug #1575408) against ttf-mscorefonts-installer due to the "Can't drop privileges" warning, but am assuming that that was a specific instance of the more general bug described here, and so have marked my bug as a duplicate of this one.

Lorenzo (nakis) on 2016-12-19
Changed in msttcorefonts (Ubuntu):
status: New → Invalid
no longer affects: msttcorefonts (Ubuntu)
Changed in apt (Debian):
status: New → Fix Committed
dino99 (9d9) wrote :

From the Debian commit: https://anonscm.debian.org/cgit/apt/apt.git/diff/?id=78db351 which is supposed to be a reworded less scary message:

- _error->WarningE("pkgAcquire::Run", _("Can't drop privileges for downloading as file '%s' couldn't be accessed by user '%s'."),
+ _error->WarningE("pkgAcquire::Run", _("Download is performed unsandboxed as root as file '%s' couldn't be accessed by user '%s'.")

For the non techies (says the huge majority of Ubuntu(s) users), that new reworded message is as scary as the first one !!!
David (maintener) should completly silence that warning for the common users, and consider it only as an internal/debugging warning.

From: David Kalnischkies <email address hidden>
To: <email address hidden>
Subject: Bug#813786 in apt marked as pending
Date: Sat, 31 Dec 2016 17:57:02 +0000

dino99 (9d9) on 2017-01-02
summary: - Can't drop privileges for downloading : _apt user not allowed
+ Needless scary warning: Can't drop privileges for downloading : _apt
+ user not allowed
Changed in apt (Debian):
status: Fix Committed → Fix Released

This bug was fixed in the package apt - 1.4~beta3

---------------
apt (1.4~beta3) unstable; urgency=medium

  [ Lukasz Kawczynski ]
  * Honour Acquire::ForceIPv4/6 in the https transport

  [ David Kalnischkies ]
  * reword "Can't drop priv" warning message (Closes: #813786) (LP: #1522675)
  * let {dsc,tar,diff}-only implicitly enable download-only
  * remove needless fork() in apt-get source
  * default to --no-check for dpkg-source call (Closes: 724744)
  * warn if clearsigned file has ignored content parts
  * ensure generation of valid EDSP error stanzas
  * add --indep-only for build-dep command (Closes: #845775)
  * allow default build-essentials to be overridden
  * expand -f to --fix-broken in error messages.
    Thanks to Kristian Glass for initial patch! (Closes: #709092)
  * separating state variables regarding server/request (Closes: #440057)
  * fix minimum pkgs option for dpkg --recursive usage
  * allow warning generation for non-whitelisted options

  [ Oriol Debian ]
  * Catalan program translation update (Closes: #846514)

  [ Frans Spiesschaert ]
  * Dutch manpages translation update (Closes: #849235)

  [ Niels Thykier ]
  * ParseDepends: Support passing the desired architecture (Closes: #845969)

 -- Julian Andres Klode <email address hidden> Thu, 05 Jan 2017 20:50:01 +0100

Changed in apt (Ubuntu):
status: Confirmed → Fix Released
dino99 (9d9) on 2017-01-07
Changed in apt (Ubuntu):
status: Fix Released → New
summary: - Needless scary warning: Can't drop privileges for downloading : _apt
+ Needless scary warning: Download is performed unsandboxed as root: _apt
user not allowed
no longer affects: dpkg (Ubuntu)

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Julian Andres Klode (juliank) wrote :

The message won't be removed. It's worded as good as it can be now.

Maintainer scripts using apt-helper to download stuff (or clients using libapt-pkg) should be fixed to use proper permissions on the directories so the _apt user can write files (best create a temporary directory I'd say owned by _apt, download to that).

For interactive use, the message appears in a very limited set of circumstances. Namely, "download" and "source" run as root (maybe "changelog", depending on your tmpfs setup, not sure). Running these commands as root does not make that much sense anyway, especially source.

So if users can reproduce this with a specific package that uses our tools, please add a task for that tool. From the apt side, this is working as intended.

Changed in apt (Ubuntu):
status: Confirmed → Fix Released
summary: - Needless scary warning: Download is performed unsandboxed as root: _apt
- user not allowed
+ Warning messages about unsandboxed downloads
Julian Andres Klode (juliank) wrote :

From what I gathered, msttcorefonts and flashplugin-nonfree (flashplugin-installer) are affected by this, hence adding tasks for them.

Jeremy Bicha (jbicha) wrote :

Julian, I see this warning every time I run

sudo apt install ./example.deb

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Steve Langasek (vorlon) wrote :

 >From what I gathered, msttcorefonts and flashplugin-nonfree
> (flashplugin-installer) are affected by this, hence adding tasks for
> them.

These packages invoke update-notifier for the downloading; reassigning.

I don't see what value this sandbox user is providing, however, and why apt needs to be so noisy about it. Is this about not running the network client code as root? Clearly, anything downloaded is going to be handled as root once it's there.

Changed in update-notifier (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon) on 2017-01-07
affects: flashplugin-nonfree (Ubuntu) → update-notifier (Ubuntu)
no longer affects: msttcorefonts (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in update-notifier (Ubuntu):
status: New → Confirmed
Julian Andres Klode (juliank) wrote :

Steve: Yes, the sandbox user exists to protect people from bugs in our http protocol handler, ssl libraries, compressors, etc.

Now, why do we have to write a line about that (I'd not call that noisy): First of all, we want scripts/programs using apt to also use sandboxed downloading. Without a warning, they would not know about it. Optimally, they'd download files to a temporary name, verify checksums, and only then rename to the final location.

Second: It also protects against permission issues elsewhere.

I hope that we can one day create the files as the normal user, and simply pass an open file descriptor to the workers, that would get rid of permission issues entirely. But that's not very likely to happen in a reasonable future, as sending file descriptors only works via unix sockets and some other fancy stuff we don't use for worker communication.

Changed in update-notifier (Ubuntu):
importance: Undecided → Medium
Jeremy Bicha (jbicha) on 2017-01-12
no longer affects: update-notifier (Ubuntu Xenial)
no longer affects: apt (Ubuntu Xenial)
Norbert (nrbrtx) wrote :

Got this bug on Xenial which was updated from Precise.

daniel CURTIS (anoda) wrote :

Hello. During flash player update (on 10., May) I have had this error/message:

✓ W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20170509.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

It was on a fresh 16.04 LTS Release install. It seems, that there is an 'apt' (ver. 1.2.20) user (vide '/etc/passwd' file.) But, it seems that '/var/lib/update-notifier/package-data-downloads/' folder have bad permission, however:

[~]$ ls -la /var/lib/update-notifier/package-data-downloads/
[...]
drwxr-xr-x 2 root root [...] partial

Should I do something about this? I mean, for example, use CHOWN(1) command to change an owner etc.?

Thank, best regards.

Travisgevans (travisgevans) wrote :

^ Setting the owner of the /var/lib/update-notifier/package-data-downloads/partial directory to “_apt” on my 16.04 box is what I did to get rid of the error. I believe I've occasionally run into a few similar messages about other APT “partial” directories scattered around in /var, too; in those cases, the solution was the same.

Download full text (3.6 KiB)

Is the command "CHOWN" or "CHOWN(1)" ?
Thank you, for the info on this particular error as I had fond that the
chown command was some how to be used,

Probably off topic here, but it would be a great help if you could answer.
I've been puzzled by the (1)? My attempt at finding --h help or invoking
the command using "chown(1)" always returned the "unexpected argument "(""
error. I haven't quite figured out (1)'s meaning or necessity.

Being new to Linux and Unix and a Mister Literal has left me wondering if
(1) or (2) is not part of the command, why is it there?

If that info has been lost in the Unix Halls of Time that's OK. As I
remember from my 8-bit days ( was a reserved character in the DOS world,
Same set in the Unix world?

As a wise instructor friend of mine said "Common sense is only what has
been commonly taught." I keep finding I missed that class at some point.

On Tue, May 16, 2017 at 3:09 PM, Travisgevans <email address hidden>
wrote:

> ^ Setting the owner of the /var/lib/update-notifier/package-data-
> downloads/partial directory to “_apt” on my 16.04 box is what I did to
> get rid of the error. I believe I've occasionally run into a few
> similar messages about other APT “partial” directories scattered around
> in /var, too; in those cases, the solution was the same.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1522675
>
> Title:
> Warning messages about unsandboxed downloads
>
> Status in apt package in Ubuntu:
> Fix Released
> Status in update-notifier package in Ubuntu:
> Confirmed
> Status in apt package in Debian:
> Fix Released
> Status in synaptic package in Debian:
> New
>
> Bug description:
> Recently we got new versions for synaptic 0.82+build1 & apt 1.1.3, but
> now get that error when installing/upgrading some packages:
>
> Setting up libc6-dbg:amd64 (2.21-0ubuntu5) ...
> Processing triggers for libc-bin (2.21-0ubuntu5) ...
> W: Can't drop privileges for downloading as file
> '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. -
> pkgAcquire::Run (13: Permission denied)
>
> From nautilus, i'm seeing a /root/ folder locked (x on its icon) and
> the folder is empty (no /.synaptic/ sub-folder or file), so the above
> error.
>
> oem@u64:~$ ls -l .synaptic
> total 4
> -rw-rw-r-- 1 oem oem 0 Aug 25 11:19 options
> -rw-rw-r-- 1 oem oem 236 Aug 25 11:19 synaptic.conf
>
> oem@u64:~$ ls -l /var/lib/apt/lists/
> ....
> -rw-r----- 1 root root 0 Sep 20 06:36 lock
> drwx------ 2 _apt root 16384 Sep 24 15:25 partial
> ......
>
> oem@u64:~$ sudo ls -l /var/lib/update-notifier/package-data-downloads/
> .....
> drwxr-xr-x 2 _apt root 4096 Sep 22 23:33 partial
>
>
> ProblemType: Bug
> DistroRelease: Ubuntu 16.04
> Package: synaptic 0.82+build1
> ProcVersionSignature: Ubuntu 4.3.0-1.10-generic 4.3.0
> Uname: Linux 4.3.0-1-generic x86_64
> NonfreeKernelModules: nvidia
> ApportVersion: 2.19.2-0ubuntu8
> Architecture: amd64
> CurrentDesktop: GNOME
> Date: Fri Dec 4 05:23:25 2015
> SourcePackage: synaptic
> UpgradeStatus: No upgrade log present (prob...

Read more...

Travisgevans (travisgevans) wrote :

The command is lowercase “chown”, without the “(1)”. The general syntax would be “chown <user name> <file or directory>”. You'll normally need superuser privileges to change owners on system files and directories, activated by adding the command “sudo” before the “chown” (separated by a space).

The “(1)” refers to which section in the manual pages, or “manpages”, the command is described in. A common way to get help on a command is to run “man <command_name>”; for instance, you can execute “man chown” to get the manpage on the chown command. (To exit, type the letter q; more info here: https://help.ubuntu.com/community/man) The manual pages are divided into numbered sections by categories. Occasionally, there is more than one manpage with the same name, and the section number has to be included in the “man” command to indicate which is desired (for instance, “man 1 printf” gives the page on the shell command “printf”, but “man 3 printf” gives the page on the “printf” library call for C programming).

You can get a manpage on “man” itself with “man man” (or just read it online here: http://manpages.ubuntu.com/manpages/xenial/man1/man.1.html). Under “DESCRIPTION”, there's a list of the manpage sections and their numbers, if you're curious.

Daniel Richard G. (skunk) wrote :

Hi Luigi,

This StackExchange posting should answer your question:

https://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a-man-page-mean

Download full text (3.8 KiB)

Ok, Thanks. Will definitely copy this into my personal command reference.
This will help solve a bunch of headaches until I can get Samba's teeth
un-clamped from my leg. Thanks again.

On Wed, May 17, 2017 at 7:57 PM, Travisgevans <email address hidden>
wrote:

> The command is lowercase “chown”, without the “(1)”. The general syntax
> would be “chown <user name> <file or directory>”. You'll normally need
> superuser privileges to change owners on system files and directories,
> activated by adding the command “sudo” before the “chown” (separated by
> a space).
>
> The “(1)” refers to which section in the manual pages, or “manpages”,
> the command is described in. A common way to get help on a command is to
> run “man <command_name>”; for instance, you can execute “man chown” to
> get the manpage on the chown command. (To exit, type the letter q; more
> info here: https://help.ubuntu.com/community/man) The manual pages are
> divided into numbered sections by categories. Occasionally, there is
> more than one manpage with the same name, and the section number has to
> be included in the “man” command to indicate which is desired (for
> instance, “man 1 printf” gives the page on the shell command “printf”,
> but “man 3 printf” gives the page on the “printf” library call for C
> programming).
>
> You can get a manpage on “man” itself with “man man” (or just read it
> online here:
> http://manpages.ubuntu.com/manpages/xenial/man1/man.1.html). Under
> “DESCRIPTION”, there's a list of the manpage sections and their numbers,
> if you're curious.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1522675
>
> Title:
> Warning messages about unsandboxed downloads
>
> Status in apt package in Ubuntu:
> Fix Released
> Status in update-notifier package in Ubuntu:
> Confirmed
> Status in apt package in Debian:
> Fix Released
> Status in synaptic package in Debian:
> New
>
> Bug description:
> Recently we got new versions for synaptic 0.82+build1 & apt 1.1.3, but
> now get that error when installing/upgrading some packages:
>
> Setting up libc6-dbg:amd64 (2.21-0ubuntu5) ...
> Processing triggers for libc-bin (2.21-0ubuntu5) ...
> W: Can't drop privileges for downloading as file
> '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. -
> pkgAcquire::Run (13: Permission denied)
>
> From nautilus, i'm seeing a /root/ folder locked (x on its icon) and
> the folder is empty (no /.synaptic/ sub-folder or file), so the above
> error.
>
> oem@u64:~$ ls -l .synaptic
> total 4
> -rw-rw-r-- 1 oem oem 0 Aug 25 11:19 options
> -rw-rw-r-- 1 oem oem 236 Aug 25 11:19 synaptic.conf
>
> oem@u64:~$ ls -l /var/lib/apt/lists/
> ....
> -rw-r----- 1 root root 0 Sep 20 06:36 lock
> drwx------ 2 _apt root 16384 Sep 24 15:25 partial
> ......
>
> oem@u64:~$ sudo ls -l /var/lib/update-notifier/package-data-downloads/
> .....
> drwxr-xr-x 2 _apt root 4096 Sep 22 23:33 partial
>
>
> ProblemType: Bug
> DistroRelease: Ubuntu 16.04
> Package: synaptic 0.82+build1
> ProcVersionSignature: Ubuntu 4.3.0-1.10-generic 4.3.0
> Uname:...

Read more...

Thanks, looks like it answers questions I have not encountered yet as
well. So many sites out there, and I had not discovered this one yet.
Thanks for taking the time.

On Wed, May 17, 2017 at 7:57 PM, Daniel Richard G. <email address hidden> wrote:

> Hi Luigi,
>
> This StackExchange posting should answer your question:
>
> https://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a
> -man-page-mean
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1522675
>
> Title:
> Warning messages about unsandboxed downloads
>
> Status in apt package in Ubuntu:
> Fix Released
> Status in update-notifier package in Ubuntu:
> Confirmed
> Status in apt package in Debian:
> Fix Released
> Status in synaptic package in Debian:
> New
>
> Bug description:
> Recently we got new versions for synaptic 0.82+build1 & apt 1.1.3, but
> now get that error when installing/upgrading some packages:
>
> Setting up libc6-dbg:amd64 (2.21-0ubuntu5) ...
> Processing triggers for libc-bin (2.21-0ubuntu5) ...
> W: Can't drop privileges for downloading as file
> '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. -
> pkgAcquire::Run (13: Permission denied)
>
> From nautilus, i'm seeing a /root/ folder locked (x on its icon) and
> the folder is empty (no /.synaptic/ sub-folder or file), so the above
> error.
>
> oem@u64:~$ ls -l .synaptic
> total 4
> -rw-rw-r-- 1 oem oem 0 Aug 25 11:19 options
> -rw-rw-r-- 1 oem oem 236 Aug 25 11:19 synaptic.conf
>
> oem@u64:~$ ls -l /var/lib/apt/lists/
> ....
> -rw-r----- 1 root root 0 Sep 20 06:36 lock
> drwx------ 2 _apt root 16384 Sep 24 15:25 partial
> ......
>
> oem@u64:~$ sudo ls -l /var/lib/update-notifier/package-data-downloads/
> .....
> drwxr-xr-x 2 _apt root 4096 Sep 22 23:33 partial
>
>
> ProblemType: Bug
> DistroRelease: Ubuntu 16.04
> Package: synaptic 0.82+build1
> ProcVersionSignature: Ubuntu 4.3.0-1.10-generic 4.3.0
> Uname: Linux 4.3.0-1-generic x86_64
> NonfreeKernelModules: nvidia
> ApportVersion: 2.19.2-0ubuntu8
> Architecture: amd64
> CurrentDesktop: GNOME
> Date: Fri Dec 4 05:23:25 2015
> SourcePackage: synaptic
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1522675/+subscriptions
>

--
 _-_-_
|BricK|
  [image: 🤓]
L P Luigi Espenlaub
<email address hidden>
"Kuiper Belted" [A Non fantasy science fiction mystery set 150 years in the
future.]
"A stone cold mystery in space." - Woody Carsky-Wilson, ED: A Few Good
Words, a Cincinnati Writers Project Anthology available on Amazon.

daniel CURTIS (anoda) wrote :

Hello. I'm sorry Luigi Espenlaub. I should write "chown" in my post. Or at least mention, that it's just reference to the man pages etc. Sorry once again. I'm very glad, that You understand it now :- )

Best regards.

I am using Lubuntu 17.04, and when using Synaptic, I get the "...unsandboxed..." message after a completed download. One message per download. (Why only one? The package I just downloaded for testing purposes pulled in six or eight other packages, but only the last was shown in the message.)

The message occurs in an error window: a large triangle with an exclamation markis shown, with the large text "An error occurred", then (smaller) "The following details are provided:"
So to the user, it does not LOOK like a one-line minor warning...
Synaptic does not refresh the package listing until after dismissing the window.

I now provide 3 examples of the detail provided:

W: Download is performed unsandboxed as root as file '/var/cache/apt/archives/partial/libreoffice-style-galaxy_1%3a5.3.1-0ubuntu2_all.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

W: Download is performed unsandboxed as root as file '/var/cache/apt/archives/partial/gstreamer1.0-pulseaudio_1.10.4-1ubuntu1_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

W: Download is performed unsandboxed as root as file '/var/cache/apt/archives/partial/speedtest-cli_1.0.0-1_all.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

/var/cache/apt/archives/partial and
/var/lib/update-notifier/package-data-downloads/partial
both have Owner (Create and delete files) and Group (Access files) owned by Root.

/etc/passwd contains a line:
_apt:x:105:65534::/nonexistent:/bin/false
...so the user does exist, but is not assigned to the two directories

comment #43 says that apparently I should do a:
sudo chown _apt <...each of the two above directories...>

Should I?

How/when are these directories created in the first place?

Surely whatever created them should have set them up with _apt as owner...?

I don't think I have received this message from update-notifier, but am not sure...

--------------------------------------------------
scott@scott-ASUS-M2N68-AMPLUS:~$ uname -a
Linux scott-ASUS-M2N68-AMPLUS 4.10.0-21-generic #23-Ubuntu SMP Fri Apr 28 16:14:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
scott@scott-ASUS-M2N68-AMPLUS:~$ lsb_release -dsc
Ubuntu 17.04
zesty
scott@scott-ASUS-M2N68-AMPLUS:~$ echo $DESKTOP_SESSION
Lubuntu

scott@scott-ASUS-M2N68-AMPLUS:~$ apt --version
apt 1.4 (amd64)

Synaptic version 0.84.2
update-notifier version 3.179

dino99 (9d9) on 2017-06-04
Changed in synaptic (Debian):
importance: Unknown → Undecided
status: New → Invalid
Changed in update-notifier (Ubuntu):
status: Confirmed → Incomplete
no longer affects: apt (Ubuntu)
Julian Andres Klode (juliank) wrote :

OK, I guess I fixed up dino99's unwarranted changes (what was that) again and also cleaned up the synaptic situation.

Changed in apt (Ubuntu):
status: New → Fix Released
importance: Undecided → Low
Changed in update-notifier (Ubuntu):
status: Incomplete → Triaged
affects: synaptic (Debian) → synaptic (Ubuntu)
Changed in synaptic (Ubuntu):
status: Invalid → Confirmed
importance: Undecided → Medium
status: Confirmed → Triaged
Julian Andres Klode (juliank) wrote :

OK, I take it back, the synaptic (Debian) removal was OK, the bug does not describe the syOK, thnaptic specific issue at all. But that could have been explained in a comment, instead of just silently removing stuff (and the other changes were wrong).

no longer affects: synaptic (Debian)
Fredrik Wendt (fredrik-wendt) wrote :

The same (or very similar) privilege issue comes into play when downloading sources _as root_ under /root, such as with the command 'apt-get source linux-image-extra-4.10.0-19-generic'.

Julian Andres Klode (juliank) wrote :

I'm not sure why you are highlighting "_as root_" - of course as root, it only happens as root, otherwise there is no way to drop privileges in the first place (and not a huge problem of not dropping privileges - you can only screw up your own stuff).

Norbert (nrbrtx) wrote :

Got in Synaptic:
"W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)"

Newbies can be frightened of such behavior of Ubuntu.
Do you plan to fix this bug?
It is not user-friendly. You should fix this bug as soon as possible.

Sometimes synaptic fails with W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Keine Berechtigung)

At this moment I deleted configs from removed packages.

Linux Mint 18.1, which is basedon Ubuntu 16.04

(Kernel 4.8)

David Favor (davidfavor) wrote :

This bug has been hanging round for over a year now.

While packages seem to install when this diagnostic emits, users always have questions about this.

Be great if someone could fix this.

Fresh install of 16.04.2, with latest updates.

# apt-get install wine

ttf-mscorefonts-installer: processing...
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/andale32.exe
Get:1 http://downloads.sourceforge.net/corefonts/andale32.exe [198 kB]
Fetched 198 kB in 11s (16.8 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
...
Similar messages for 10 more .exe files.

Result is the user has no idea whether Wine has been fully installed correctly or not.

/etc/passwd includes the line
_apt:x:105:65534::/nonexistent:/bin/false

# ll /var/lib/update-notifier/package-data-downloads/partial/
total 8
drwxr-xr-x 2 root root 4096 Jun 26 14:41 ./
drwxr-xr-x 3 root root 4096 Jun 26 14:41 ../

Norbert (nrbrtx) wrote :

Got
"W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)"
on Xenial.

Do you plan to fix this?

Norbert (nrbrtx) wrote :
Download full text (5.7 KiB)

Since upgrade to xenial I have these 24 error messages in logs

$ sudo grep -r _apt /var/log/* | sort | uniq | grep drop
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20170411.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/arial32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/arialb32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/comic32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/courie32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/georgi32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/impact32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/times32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/trebuc32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/verdan32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/apt-term.log:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/webdin32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
/var/log/dist-upgrade/screenlog.0:W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20170411.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Perm...

Read more...

Ads20000 (ads20000) wrote :

Norbert and David, those sort of messages just clutter up people's inboxes and annoy the people who get the messages, if you want to help get this bug fixed faster you should probably work out what the issue is by reading the rest of comments on this bug ticket and then contacting people direct with your preferred solution or implement it yourselves. Saying 'it's so bad this bug hasn't been fixed, ugh, someone really should fix this!' does not help.

Norbert (nrbrtx) wrote :

I removed warning messages by setting APT::Sandbox::User to "root" with

cat <<EOF | sudo tee /etc/apt/apt.conf.d/99z-anti-drop
APT::Sandbox::User "root";

EOF

I do not know is it secure or not. But it works as expected!

Watch out, most of the time, it is a security hole, to run something as root.
Privilege escalation is not something funny.

Julian Andres Klode (juliank) wrote :

Just live with the warnings until somebody fixes them. Or give _apt rwx access to /var/lib/update-notifier/package-data-downloads/partial, that's safe. It's not like you get hundreds of them each day.

"It's not like you get hundreds of them each day."

True. But even one such message puzzles and worries users. 360 users have marked this bug, but imagine how many thousands don't even know to look on Launchpad?

This report was filed 18 months ago. I don't doubt it's hard to fix it for systems that have been upgraded. But this affects a fresh install of 16.04.2. Is it hard to make _apt the owner of .../package-data-downloads/partial/ when Ubuntu is freshly installed?

I'm sure some of us reporting this bug come across as whiners, part of the problem, not part of the solution. Chippendale didn't send out furniture with splinters, he was passionate about quality. We're passionate about Linux. That's why we go to the trouble of reporting bugs.

Julian Andres Klode (juliank) wrote :

I don't think it's hard to fix at all, the directory just needs to be owned by _apt instead of root. But if everyone just complains and does not put any work into it, nothing gets done. There's more important stuff going on.

Norbert (nrbrtx) wrote :

@nc-duenkekl3
>Watch out, most of the time, it is a security hole, to run something as root.
>Privilege escalation is not something funny.
APT was executed as root for years, is not it?
Moreover root user is used as fallback or something (see https://git.launchpad.net/~usd-import-team/ubuntu/+source/apt/tree/apt-
pkg/acquire.cc?h=ubuntu/xenial-updates#n593 ). I'm not an author of this code.

Can you or maintainers suggest better solution?

Without sandboxing I get the following process tree (in htop):
USER COMMAND
root apt-get install ...
root dpkg ...
root sh ... postinst
root python3 .../package-data-downloader
root apt-helper download-file ...
root http

So 6 processes are run by root user.

With sandboxing I get the following process tree:
USER COMMAND
root apt-get install ...
root dpkg ...
root sh ... postinst
root python3 .../package-data-downloader
root apt-helper download-file ...
_apt (*) http

So only http (1/6) is called by _apt user. Is it really safer?
apt-get, dpkg, sh, python3, apt-helper may be vulnerable too (5/6 likelihood).
Http process download file, not execute it.
Downloadable file (/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20170616.1.orig.tar.gz for example) has executable bit disabled for all users ("-rw-r--r-- 1 root root" or "-rw-r--r-- 1 _apt nogroup").
As far I can understand its contents will be checked by hash before installing.

Aptitude is affected too. And bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806595 was fixed in it.
Bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813786 in apt was fixed too.

So I think that we need SRU for apt and aptitude.

Changed in aptitude (Debian):
status: Unknown → Fix Released
Julian Andres Klode (juliank) wrote :

I think we should fix this, but an SRU for this seems a bit too much. There's more important stuff pending since months.

Changed in update-notifier (Ubuntu):
assignee: nobody → Julian Andres Klode (juliank)
Changed in aptitude (Ubuntu):
status: New → Fix Released
Julian Andres Klode (juliank) wrote :

Uploaded update-notifier 3.181 to fix this

https://launchpad.net/ubuntu/+source/update-notifier/3.181

Changed in update-notifier (Ubuntu):
status: Triaged → Fix Committed
Changed in synaptic (Debian):
status: Unknown → New
Ads20000 (ads20000) wrote :

Julian we could just add it to the pile anyway? Happy to look up what work needs doing to sort that out and do the bits I can (I'm not a developer, but I know the bug description would need to be rewritten and I could give that a shot?)

Julian Andres Klode (juliank) wrote :

I'll SRU update-notifier next week I think. Yes, we need a concrete bug description as described in
https://wiki.ubuntu.com/StableReleaseUpdates

It should be easy to review anyway, but I want it to spend some time in artful first.

Synaptic also needs fixing, not sure about that.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-notifier - 3.181

---------------
update-notifier (3.181) artful; urgency=medium

  * Fix APT sandboxing for data downloads failing (LP: #1522675)

 -- Julian Andres Klode <email address hidden> Wed, 28 Jun 2017 22:25:25 +0200

Changed in update-notifier (Ubuntu):
status: Fix Committed → Fix Released
Ads20000 (ads20000) wrote :

(sighs) I don't think I really understand this bug well enough to put it in the right format. Norbert and anyone else who really wants this fixed in Ubuntu that's not 17.10 please can you do that? Check '3.1. SRU Bug Template' on the link Julian gave and then edit the bug with the relevant details. Thank you! :D

W: Download is performed unsandboxed as root as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Keine Berechtigung)

Ubuntu Mate x64 17.04
Synaptic 0.84.2

I only want to install the updates and autoremove unessecary packages.....

Ads20000 (ads20000) wrote :

Martin, if you want to get this bug fixed please click on the link Julian gave in #89 and rewrite the bug so it can be fixed in Ubuntu 16.04 and 17.04. It won't be fixed until that happens (and, ideally, would be good if you could check it's working in 17.10, where it's already been patched, as well). We know it's a problem but someone needs to do the work to get it fixed (I don't feel able to sorry).

If https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template is the right one:

[Impact]

Updating packets via synaptic.
Befor they start OR after fonoshing the installing, the errir appears.

"W: Download is performed unsandboxed as root as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Keine Berechtigung)"

Ubuntu Mate x64 17.04
Synaptic 0.84.2

[Test Case]

Start synaptic.
Update the repositorys.
Go into the updates section.
Double click on every package, which can be updated.
Click on "apply" to install the updates.

[Regression Potential]

Don't know.

[Other Info]

Don't know

Julian Andres Klode (juliank) wrote :

Different issue, Martin, I only fixed the update-notifier task so far.

[Impact]
Cosmetic. Warnings when installing packages using update-notifier downloading stuff

[Test case]

Install flashplugin-installer with apt and check that the output does not contain a message like this:

W: Can't drop privileges for downloading as file '...' couldn't be accessed by user '_apt'

[Regression Potential]

It just chowns /var/lib/update-notifier/package-data-downloads/partial/ to _apt:root, there should not be any regression.

Oh, is there already a bug report, where I can add my comment?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.