[Bug 1522675] Re: Warning messages about unsandboxed downloads

Norbert 1522675 at bugs.launchpad.net
Wed Jun 28 19:13:20 UTC 2017


@nc-duenkekl3
>Watch out, most of the time, it is a security hole, to run something as root.
>Privilege escalation is not something funny.
APT has been executed as root for years, hasn't it?
Moreover, the root user is used as a fallback or something (see https://git.launchpad.net/~usd-import-team/ubuntu/+source/apt/tree/apt-pkg/acquire.cc?h=ubuntu/xenial-updates#n593 ). I'm not an author of this code.

Can you or the maintainers suggest a better solution?

Without sandboxing I get the following process tree (in htop):
USER  COMMAND
root  apt-get install ...
root    dpkg ...
root      sh ... postinst
root        python3 .../package-data-downloader
root          apt-helper download-file ...
root            http

So 6 processes are run by root user.

With sandboxing I get the following process tree:
USER  COMMAND
root  apt-get install ...
root    dpkg ...
root      sh ... postinst
root        python3 .../package-data-downloader
root          apt-helper download-file ...
_apt (*)        http 

So only http (1/6) is run as the _apt user. Is it really safer?
apt-get, dpkg, sh, python3, apt-helper may be vulnerable too (5/6 likelihood).
The http process downloads the file; it does not execute it.
The downloaded file (/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20170616.1.orig.tar.gz for example) has the executable bit disabled for all users ("-rw-r--r-- 1 root root" or "-rw-r--r-- 1 _apt nogroup").
As far as I can understand, its contents will be checked by hash before installing.


Aptitude is affected too, and bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806595 was fixed in it.
Bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813786 in apt was fixed too.

So I think that we need an SRU for apt and aptitude.

** Also affects: synaptic (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808802
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to aptitude in Ubuntu.
https://bugs.launchpad.net/bugs/1522675

Title:
  Warning messages about unsandboxed downloads

Status in apt package in Ubuntu:
  Fix Released
Status in aptitude package in Ubuntu:
  New
Status in synaptic package in Ubuntu:
  Triaged
Status in update-notifier package in Ubuntu:
  Triaged
Status in apt package in Debian:
  Fix Released
Status in aptitude package in Debian:
  Unknown
Status in synaptic package in Debian:
  Unknown

Bug description:
  Recently we got new versions for synaptic 0.82+build1 & apt 1.1.3, but
  now we get this error when installing/upgrading some packages:

  Setting up libc6-dbg:amd64 (2.21-0ubuntu5) ...
  Processing triggers for libc-bin (2.21-0ubuntu5) ...
  W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

  From nautilus, I'm seeing a /root/ folder locked (x on its icon) and
  the folder is empty (no /.synaptic/ sub-folder or file), hence the above
  error.

  oem at u64:~$ ls -l .synaptic
  total 4
  -rw-rw-r-- 1 oem oem   0 Aug 25 11:19 options
  -rw-rw-r-- 1 oem oem 236 Aug 25 11:19 synaptic.conf

  oem at u64:~$ ls -l /var/lib/apt/lists/
  ....
  -rw-r----- 1 root root        0 Sep 20 06:36 lock
  drwx------ 2 _apt root    16384 Sep 24 15:25 partial
  ......

  oem at u64:~$ sudo ls -l /var/lib/update-notifier/package-data-downloads/
  .....
  drwxr-xr-x 2 _apt root 4096 Sep 22 23:33 partial

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: synaptic 0.82+build1
  ProcVersionSignature: Ubuntu 4.3.0-1.10-generic 4.3.0
  Uname: Linux 4.3.0-1-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.19.2-0ubuntu8
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Fri Dec  4 05:23:25 2015
  SourcePackage: synaptic
  UpgradeStatus: No upgrade log present (probably fresh install)

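The warning quoted in the bug description and the "root user is used as fallback" remark in the reply describe the same mechanism: before a run, apt checks whether the sandbox user can reach every download destination, and if any single directory is out of reach the whole run stays root. The following is an added example, not apt's own code and not part of this bug thread. It is a small Python audit helper that models that check; the rwx-on-the-destination-directory rule is an assumption based on the acquire.cc check linked in the reply, the numeric ids for _apt and nogroup are constructed, and the sample directories are built from the ls listings in the report with assumed modes.

```python
"""Added example (not apt's code): audit which download destinations would
make apt keep root instead of dropping to the sandbox user.

Model (assumption, based on the check the thread links in apt-pkg/acquire.cc):
before a run, apt looks at the *directory* of every item's DestFile and
requires the sandbox user (APT::Sandbox::User, default _apt) to have read,
write and search permission on it. If any directory fails, apt emits
"Can't drop privileges for downloading as file ... couldn't be accessed by
user '_apt'" and the whole run, including the http method, stays root.
"""
import grp
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class DirInfo:
    """Permission-relevant part of stat(2) for a directory."""
    path: str
    mode: int   # permission bits only, e.g. 0o700
    uid: int
    gid: int


def user_can_rwx(info: DirInfo, uid: int, gids) -> bool:
    """POSIX DAC decision for rwx on a directory: root bypasses the mode
    bits; otherwise the owner, group or other triad that applies to the
    caller must have all three bits set."""
    if uid == 0:
        return True
    if info.uid == uid:
        shift = 6
    elif info.gid in gids:
        shift = 3
    else:
        shift = 0
    needed = 0o7 << shift
    return (info.mode & needed) == needed


def would_drop_privileges(destinations, sandbox_uid, sandbox_gids):
    """Return (drop, offenders). drop is False if any destination directory is
    inaccessible to the sandbox user: apt's fallback is all-or-nothing, so a
    single bad directory keeps every download of that run as root."""
    offenders = [d.path for d in destinations
                 if not user_can_rwx(d, sandbox_uid, sandbox_gids)]
    return (not offenders, offenders)


def stat_dir(path: str) -> DirInfo:
    st = os.stat(path)
    return DirInfo(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def audit_live(paths, sandbox_user="_apt"):
    """Evaluate real directories on this host. Returns None when the sandbox
    user does not exist (apt cannot drop privileges in that case either)."""
    try:
        pw = pwd.getpwnam(sandbox_user)
    except KeyError:
        return None
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if sandbox_user in g.gr_mem}
    return would_drop_privileges([stat_dir(p) for p in paths], pw.pw_uid, gids)


def self_check() -> bool:
    """Cross-check the model against a real 0700 directory owned by the
    caller: the owner passes, a constructed unrelated uid does not."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o700)
        info = stat_dir(d)
        me, my_gid = os.getuid(), os.getgid()
        owner_ok = user_can_rwx(info, me, {my_gid})
        stranger_ok = user_can_rwx(info, me + 1, {my_gid + 1})  # uid+1: stand-in for another user
    finally:
        os.rmdir(d)
    return owner_ok and not stranger_ok


# Constructed sample modelled on the listings in this bug report; the numeric
# ids (0 = root, 100 = _apt, 65534 = nogroup) are assumptions, not from the page.
APT_UID, APT_GID = 100, 65534
SAMPLE = [
    DirInfo("/root/.synaptic/tmp", 0o700, 0, 0),                 # root-only temp dir (assumed mode)
    DirInfo("/var/lib/apt/lists/partial", 0o700, APT_UID, 0),    # drwx------ _apt root
    DirInfo("/var/lib/update-notifier/package-data-downloads/partial",
            0o755, APT_UID, 0),                                  # drwxr-xr-x _apt root
]

if __name__ == "__main__":
    drop, bad = would_drop_privileges(SAMPLE, APT_UID, {APT_GID})
    print("sandboxed run:", drop, "blocking directories:", bad)
    print("model agrees with a real directory:", self_check())
    live = audit_live(["/var/lib/apt/lists/partial"])
    print("live check on this host:", "no _apt user" if live is None else live)
```

With the sample input, the one root-only directory (/root/.synaptic/tmp) switches privilege dropping off for the entire run, which is what the warning in the bug description reports: not a failed download, but a download that ran as root. For a defender the useful check is therefore the set of destination directories a front-end such as synaptic or the update-notifier downloader hands to apt, which audit_live evaluates on a real host where the _apt user exists.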