[Bug 1668944] Re: The _apt user ignores group membership.

Tue Feb 25 17:25:44 UTC 2020

Dictating to people what their PKI policy should be is outside the scope
of apt. Apt must behave properly as per standard unix behaviour, with a
proper working user and a proper working group. Trying to dictate
directory permissions to people breaks automation, breaks orchestration,
and makes it really hard to convince people to do security properly.

Please fix this.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1668944

Title:
  The _apt user ignores group membership.

Status in apt package in Ubuntu:
  Invalid

Bug description:
  Actually I had the same problem described in http://askubuntu.com/questions/773955/apt-get-ssl-client-certificate-not-working-on-16-04-error-while-reading-file
  I want to use client certificates with apt. But I don't want to make them world readable in order to make apt working. So I created a group 'ssl-cert' and changed the group ownership of the ssl cert files to match this group. I also added the _apt user to the ssl-cert group.

  Then I tried to open these files as user '_apt' in bash (su -s
  /bin/bash _apt) which works well.

  But if I run: "apt-get -o "Debug::Acquire::https=true" update" I still get the following error:
  * error reading ca cert file /etc/certs/mycert/ca.pem (Error while reading file.)
  * Closing connection 26

  So my guess is that apt somehow ignores the ssl-cert membership.

  Possible workarounds:
  - make ssl client cert world readable
  - change owner ssl client cert to _apt
  - change main group of _apt user from 'nogroup' to 'ssl-cert'
  - set APT::Sandbox::User "root"; in apt.conf.d

  Neither of them is pretty. 
  Maybe this is a wanted behavior, then just suggest how to fix the issue in nice way.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1668944/+subscriptions