[Bug 1304657] Re: world writable files in /var/lib/apt/lists

Jamie Strandboge jamie at ubuntu.com
Tue Apr 8 21:29:18 UTC 2014 

Ok, on a longtime trusty-amd64 livecd install, I confirmed that these files didn't exist. I updated to newest trusty (it was slightly out of date) and they still didn't exist. I then attached the iso to the VM, booted, had the VM mount in Unity, then did:
$ sudo apt-cdrom --cdrom '/media/jamie/Ubuntu 14.04 LTS amd64' --no-auto-detect --no-mount add
$ sudo apt-get update
$ ls -l /var/lib/apt/lists/ |grep 'rw-rw-rw'
-rw-rw-rw- 1 root root    29759 Apr  8 16:25 Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-amd64_Packages
-rw-rw-rw- 1 root root        0 Apr  8 16:25 Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-i386_Packages
-rw-rw-rw- 1 root root     1199 Apr  8 16:25 Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-amd64_Packages
-rw-rw-rw- 1 root root        0 Apr  8 16:25 Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-i386_Packages

I then commented out the entry in /etc/apt/sources.list, ran apt-get
update and the above files disappeared.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1304657

Title:
  world writable files in /var/lib/apt/lists

Status in “apt” package in Ubuntu:
  Triaged

Bug description:
  When performing installation audits, I noticed on the image from
  2014-04-07 the following after a livecd install:

  $ ls -l /var/lib/apt/lists|grep 'rw\-rw\-rw'
  -rw-rw-rw- 1 root root    29759 Apr  8 09:10 Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-amd64_Packages
  -rw-rw-rw- 1 root root        0 Apr  8 09:10 Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-i386_Packages
  -rw-rw-rw- 1 root root     1199 Apr  8 09:10 Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-amd64_Packages
  -rw-rw-rw- 1 root root        0 Apr  8 09:10 Ubuntu%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-i386_Packages

  This also happens on the server install from the same date:
  $ ls -l /var/lib/apt/lists|grep 'rw\-rw\-rw'
  -rw-rw-rw- 1 root root  1702199 Apr  8 09:09 Ubuntu-Server%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-amd64_Packages
  -rw-rw-rw- 1 root root        0 Apr  8 09:09 Ubuntu-Server%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_main_binary-i386_Packages
  -rw-rw-rw- 1 root root        0 Apr  8 09:09 Ubuntu-Server%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-amd64_Packages
  -rw-rw-rw- 1 root root        0 Apr  8 09:09 Ubuntu-Server%2014.04%20LTS%20%5fTrusty%20Tahr%5f%20-%20Daily%20amd64%20(20140407)_dists_trusty_restricted_binary-i386_Packages

  I installed the image from 2014-04-07, installed today and noticed the
  above.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1304657/+subscriptions

More information about the foundations-bugs mailing list