sources.list file created for ESM is world-readable, leaks subscriber token to all local users

Bug #1700611 reported by Steve Langasek on 2017-06-26
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-advantage-script
Fix Released
Unknown
ubuntu-advantage-tools (Ubuntu)
Undecided
Unassigned

Bug Description

The sources.list.d entry for esm is created with the default umask, which means that all local users on the system have access to the token. Being able to read globally-readable files on the filesystem does not necessarily mean you are an ESM subscriber who should have access to this token and be able to access the ESM archive.

We should probably create this file mode 0600. (Though it is too late to fix this for precise.)

Andreas Hasenack (ahasenack) wrote :

Making the file 0600 makes apt-cache complain about it when run by non-root users. Is that an issue worth having?

<ack> $ apt policy asdf
<ack> E: Opening /etc/apt/sources.list.d/dropbox.list - ifstream::ifstream (13: Permission denied)
<ack> E: The list of sources could not be read.

(dropbox.list was just an example)

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Incomplete
Steve Langasek (vorlon) wrote :

In my opinion, it's still better to have the file not world-readable by default. I looked to add-apt-repository for precedent, and the only information I found was bug #399709 - however, add-apt-repository also doesn't truly have support for adding private ppas (you can pass it a full url with embedded credentials, but then it doesn't DTRT for gpg key imports). So I don't think this is a relevant precedent at all.

Changed in ubuntu-advantage-tools (Ubuntu):
status: Incomplete → New
David Britton (davidpbritton) wrote :

Hi Steve --

So far what I see as not working if the file is go-r when a regular u:

1) update-manager stacktraces
2) apt-cache policy (on xenial it bails early without printing anything)

Options:

a) we don't care about these things breaking, and file bugs against those projects?
b) we make the /etc/apt/sources.list.d/*.list file g+r and chown it root:adm?

Let me know what the desired behavior here is if you don't mind.

Andreas Hasenack (ahasenack) wrote :

There seems to be a difference in behavior in apt. Precise's apt-cache, for example, doesn't seem to care:

ubuntu@precise-esm:~$ l /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list
-rw------- 1 root root 200 Jun 7 18:35 /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list

ubuntu@precise-esm:~$ apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu0.12.04
  Version table:
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ubuntu@precise-esm:~$ sudo apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu5.12.04
  Version table:
     14.12-0ubuntu5.12.04 0
        500 https://extended.security.staging.ubuntu.com/ubuntu/ precise/main amd64 Packages
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

So I would be OK for this change on precise, and also trusty (just tested) where it has the same behavior as precise. But from xenial onwards it breaks apt-cache as a whole for non-root users:

ubuntu@xenial-test:~$ apt-cache search juju
E: Opening /etc/apt/sources.list.d/juju-ubuntu-stable-xenial.list - ifstream::ifstream (13: Permission denied)
E: The list of sources could not be read.
ubuntu@xenial-test:~$

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Incomplete
Steve Langasek (vorlon) wrote :

Ah, if this blocks apt-cache from working generally, that's certainly a major disadvantage. I would argue that this is a bug in apt, but it doesn't make sense to proceed with this change unless/until the apt bug is fixed.

Changed in ubuntu-advantage-script:
status: Unknown → Fix Released
Andreas Hasenack (ahasenack) wrote :

Reopening, let's use auth.conf

Changed in ubuntu-advantage-tools (Ubuntu):
status: Incomplete → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 14

---------------
ubuntu-advantage-tools (14) bionic; urgency=medium

  * New upstream release:
    - repositories are only added after credentials are verified
      (LP: #1730361)
    - Livepatch MOTD script (LP: #1710976)
    - better "status" command output formatting (LP: #1719034)
    - sources.list.d files no longer contain credentials. The "auth.conf"
      facility is used instead. (LP: #1700611)
    - enabled Livepatch support for Bionic 18.04 LTS

 -- Andreas Hasenack <email address hidden> Tue, 06 Feb 2018 09:58:03 -0200

Changed in ubuntu-advantage-tools (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.