[Bug 1727614] [NEW] Directory package-data-downloads/partial should belong to user _apt

Adrien Beau 1727614 at bugs.launchpad.net
Thu Oct 26 06:11:29 UTC 2017


Public bug reported:

For several versions now, apt has introduced a system user named _apt.
When downloading files, it tries to switch to this user in order to
limit the attack surface; downloading files as root is quite simply
dangerous. If the user _apt cannot write to the target directory, then
apt remains root, does the download just fine, but prints an ominous
warning.

Package update-notifier has such a directory, used to handle package
data downloads (Flash, Microsoft Core Fonts, etc.). Currently, the
ominous warning is printed every time those files are downloaded using
command-line apt or aptitude. (Which in the case of Flash, is quite
often.)

Doing a chmod _apt /var/lib/update-notifier/package-data-downloads/partial
should solve the issue and improve security. However, since the _apt user
is created in postinst, it receives a different user id on each system, so
the chmod should be done in postinst.

Ubuntu release: 16.04
Source package: update-notifier
Package version: 3.168.5

** Affects: update-notifier (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1727614


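An added example, not code from the bug report or from the update-notifier package: a small POSIX sh script that approximates the check apt makes before dropping to the _apt user (directory owned by that uid with the owner write bit set; the exact logic lives in apt's own source, so this is an assumption), and a postinst-style fixup that looks up the _apt uid at run time, because the account is created dynamically and has a different uid on each system. It assumes GNU coreutils stat and glibc getent; the function names and the partial-directory argument are chosen for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from update-notifier).
# Assumes GNU coreutils stat (-c '%u' and '%A') and getent.

# dir_owned_writable_by DIR UID
# Exit 0 if DIR exists, is owned by UID and has the owner write bit set,
# i.e. a process that has switched to UID could create files in it.
# This approximates apt's "can _apt write to the partial dir" test
# (assumption; apt's real check is in its source tree).
dir_owned_writable_by() {
  dir=$1
  uid=$2
  [ -d "$dir" ] || return 1
  owner=$(stat -c '%u' "$dir") || return 1
  perm=$(stat -c '%A' "$dir") || return 1   # e.g. drwx------
  [ "$owner" = "$uid" ] || return 1
  case $perm in
    ??w*) return 0 ;;   # third character is the owner write bit
    *)    return 1 ;;
  esac
}

# apt_would_drop_privs DIR [USER]
# Prints "drop" (exit 0) if a download into DIR could run as USER
# (default _apt), "keep-root" (exit 1) otherwise, which is the case
# where apt stays root and prints the warning described in the report.
apt_would_drop_privs() {
  dir=$1
  user=${2:-_apt}
  uid=$(getent passwd "$user" | cut -d: -f3)
  if [ -n "$uid" ] && dir_owned_writable_by "$dir" "$uid"; then
    echo drop
    return 0
  fi
  echo keep-root
  return 1
}

# ensure_owned_by DIR USER
# Postinst-style fixup: create DIR if missing and hand it to USER when
# that account exists. Must run as root to succeed. The uid is resolved
# by name at run time, so it works whatever uid _apt received locally.
# Mode 700 matches what apt uses for its own partial directories
# (assumption based on a stock install, e.g. /var/lib/apt/lists/partial).
ensure_owned_by() {
  dir=$1
  user=$2
  mkdir -p "$dir" || return 1
  if getent passwd "$user" >/dev/null; then
    chown "$user:root" "$dir" && chmod 700 "$dir"
  else
    echo "user $user does not exist; leaving $dir as is" >&2
    return 1
  fi
}

# Stand-alone usage: report whether apt could sandbox downloads into the
# directory named in the bug (prints "drop" or "keep-root").
# apt_would_drop_privs /var/lib/update-notifier/package-data-downloads/partial
```

Run `apt_would_drop_privs` on the real directory before and after the fixup to confirm the warning's trigger is gone; `ensure_owned_by` is the shape of the postinst step the report asks for, and it needs root and an existing _apt account to do anything.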