[Bug 1668944] [NEW] The _apt user ignores group membership.
Reik Keutterling
r.keutterling at telekom.de
Wed Mar 1 11:16:00 UTC 2017
Public bug reported:
Actually I had the same problem described in http://askubuntu.com/questions/773955/apt-get-ssl-client-certificate-not-working-on-16-04-error-while-reading-file
I want to use client certificates with apt. But I don't want to make them world-readable in order to make apt work. So I created a group 'ssl-cert' and changed the group ownership of the ssl cert files to match this group. I also added the _apt user to the ssl-cert group.
Then I tried to open these files as user '_apt' in bash (su -s /bin/bash _apt) which works well.
But if I run: "apt-get -o "Debug::Acquire::https=true" update" I still get the following error:
* error reading ca cert file /etc/certs/mycert/ca.pem (Error while reading file.)
* Closing connection 26
So my guess is that apt somehow ignores the ssl-cert membership.
Possible workarounds:
- make ssl client cert world readable
- change owner ssl client cert to _apt
- change main group of _apt user from 'nogroup' to 'ssl-cert'
- set APT::Sandbox::User "root"; in apt.conf.d
None of them is pretty.
Maybe this is wanted behavior; then just suggest how to fix the issue in a nice way.
** Affects: apt (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1668944
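
Added example, not part of the original report and not apt's own code: a Python check that walks a path and reports where access is blocked when a user's full group list applies versus the primary group alone, which is the situation the reporter suspects (a process that never picked up its supplementary groups). The uid/gid numbers and file modes in the sample are constructed assumptions; only the path comes from the report.

```python
import os

R, X = 4, 1  # read / search bits within one rwx triplet

def granting_class(st, uid, gids, want):
    """Kernel-style DAC check: exactly one triplet (owner, group, other) applies."""
    mode, f_uid, f_gid = st
    if uid == f_uid:
        cls, bits = "owner", mode >> 6
    elif f_gid in gids:
        cls, bits = "group", mode >> 3
    else:
        cls, bits = "other", mode
    return cls if (bits & want) == want else None

def first_block(chain, uid, gids):
    """chain: [(path, (mode, uid, gid)), ...] from / down to the file.
    Directories need search (x), the final entry needs read (r)."""
    for i, (path, st) in enumerate(chain):
        want = R if i == len(chain) - 1 else X
        if granting_class(st, uid, gids, want) is None:
            return path
    return None

def diagnose(chain, uid, primary_gid, supplementary):
    """Return (blocked_with_all_groups, blocked_with_primary_group_only)."""
    full = first_block(chain, uid, {primary_gid} | set(supplementary))
    return full, first_block(chain, uid, {primary_gid})

def live_chain(path):
    """Build the chain for a real path with os.stat (needs permission to stat it)."""
    chain, cur = [], "/"
    for part in [""] + [p for p in os.path.abspath(path).split("/") if p]:
        cur = os.path.join(cur, part)
        s = os.stat(cur)
        chain.append((cur, (s.st_mode, s.st_uid, s.st_gid)))
    return chain

# Constructed sample: uid 105 = _apt, gid 65534 = nogroup, gid 111 = ssl-cert.
SAMPLE = [
    ("/", (0o755, 0, 0)),
    ("/etc", (0o755, 0, 0)),
    ("/etc/certs", (0o755, 0, 0)),
    ("/etc/certs/mycert", (0o750, 0, 111)),
    ("/etc/certs/mycert/ca.pem", (0o640, 0, 111)),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE, uid=105, primary_gid=65534, supplementary=[111]))
    # (None, '/etc/certs/mycert')
```

A result of `(None, <path>)` means access works in a login shell but depends entirely on a supplementary group; on a real system, pass `live_chain(path)` with the ids from `pwd.getpwnam` and `os.getgrouplist`.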