[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

Andreas Hasenack andreas at canonical.com
Fri Jun 30 14:44:02 UTC 2017


There seems to be a difference in behavior in apt. Precise's apt-cache,
for example, doesn't seem to care:

ubuntu@precise-esm:~$ l /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list
-rw------- 1 root root 200 Jun  7 18:35 /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list

ubuntu@precise-esm:~$ apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu0.12.04
  Version table:
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ubuntu@precise-esm:~$ sudo apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu5.12.04
  Version table:
     14.12-0ubuntu5.12.04 0
        500 https://extended.security.staging.ubuntu.com/ubuntu/ precise/main amd64 Packages
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages


So I would be OK with this change on precise, and also on trusty (just tested), where it has the same behavior as precise. But from xenial onwards it breaks apt-cache as a whole for non-root users:


ubuntu@xenial-test:~$ apt-cache search juju
E: Opening /etc/apt/sources.list.d/juju-ubuntu-stable-xenial.list - ifstream::ifstream (13: Permission denied)
E: The list of sources could not be read.
ubuntu@xenial-test:~$

https://bugs.launchpad.net/bugs/1700611
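The trade-off described in the message above, as an added example that is not part of the original message or of ubuntu-advantage-tools: an audit that flags sources files whose token is readable by every local user, and files that non-root users cannot read at all (the case that breaks apt-cache from xenial onwards). It assumes the token is embedded as user:password in the deb URL; the host names, token and file names are constructed placeholders.

```python
import os
import re
import stat
import tempfile

# Assumption: the credential appears as user:password@host in a deb/deb-src URL.
CRED_RE = re.compile(
    r"^\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?\w+://[^/\s:@]+:[^/\s@]+@", re.M)

def audit_sources(directory):
    """Return {filename: finding} for every *.list file in directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".list"):
            continue
        path = os.path.join(directory, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8", errors="replace") as fh:
            has_creds = bool(CRED_RE.search(fh.read()))
        world_readable = bool(mode & stat.S_IROTH)
        if has_creds and world_readable:
            # The bug: any local user can read the subscriber token.
            findings[name] = "token-exposed"
        elif not world_readable:
            # Token is hidden, but unprivileged apt-cache on xenial and
            # later fails with "Permission denied" on this file.
            findings[name] = "unreadable-by-users"
        else:
            findings[name] = "ok"
    return findings

def build_sample(directory):
    """Write constructed sample files (placeholder hosts and token)."""
    cred = "deb https://user:TOKEN@esm.example.invalid/ubuntu precise main\n"
    plain = "deb http://archive.example.invalid/ubuntu xenial main\n"
    samples = {"esm.list": (cred, 0o644),
               "esm-locked.list": (cred, 0o600),
               "plain.list": (plain, 0o644)}
    for name, (text, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, finding in audit_sources(tmp).items():
            print(f"{finding:20} {name}")
```

Run it as root against /etc/apt/sources.list.d on a real system, since the locked-down files are not readable otherwise.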