SO is full of these...
----------
CRYPTOANALYZER
----------
Sent from ProtonMail, encrypted email based in Switzerland.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 6 July 2020 г., 13:51, Zenaan Harkness <z...@freedbms.net> wrote:
> In case this is of interest.
>
> ----- Forwarded message from Zenaan Harkness zen...@freedbms.net -----
>
> From: Zenaan harknesszen...@freedbms.net
> To: debian-u...@lists.debian.org
> Date: Mon, 6 Jul 2020 20:49:52 +1000
> Subject: debmirror: apt update performed "unsandboxed"? ~=> file path not
> readable
>
> This was a question, but after some digging, answered itself (see near
> bottom), via a short recursive path analysis script showing that one path
> component of the path hierarchy failed to have world-readable perms (a dir in
> the middle), so in case it's useful for some:
>
> Local debmirror mirror, InRelease is out of date so setting
> Acquire::Check-Valid-Until=false but getting "unsandboxed" notice/warning:
>
> apt update -o Acquire::Check-Valid-Until=false
>
> ===============================================
>
> ------->> 20200706@20:16:10 <<-------
> Get:1 file:/public/debian/sid sid InRelease [146 kB]
> ...
> Ign:2 file:/public/debian/sid sid/main amd64 Packages
> Err:3 file:/public/debian/sid sid/main Translation-en
> File not found - /public/debian/sid/dists/sid/main/i18n/Translation-en (2: No
> such file or directory)
> Get:4 file:/public/debian/sid sid/contrib amd64 Packages [70.1 kB]
> Reading package lists... Done
> N: Download is performed unsandboxed as root as file
> '/public/debian/sid/dists/sid/InRelease' couldn't be accessed by user '_apt'.
> - pkgAcquire::Run (13: Permission denied)
> E: Failed to fetch file:/public/debian/sid/dists/sid/main/i18n/Translation-en
> File not found - /public/debian/sid/dists/sid/main/i18n/Translation-en (2: No
> such file or directory)
> E: Some index files failed to download. They have been ignored, or old ones
> used instead.
>
> Now when checking that file which is purpotedly causing the "unsandboxed"
> 'download', we get this:
>
> ll /public/debian/sid/dists/sid/InRelease
>
> ==========================================
>
> ------->> 20200706@20:19:22 <<-------
> 93K -rw-r--r-- 1 zenan zenan 143K 20200627 16:32.03
> /public/debian/sid/dists/sid/InRelease
>
> Clearly that file is readable by all users.. hmm.
>
> So let's analyze the full path:
>
> $ zfile /public/debian/sid/dists/sid/InRelease
> ------->> 20200706@20:25:42 <<-------
> ---- Analyzing "/public/debian/sid/dists/sid/InRelease"
> type: /home/zenan/bin/zfile: line 9: type:
> /public/debian/sid/dists/sid/InRelease: not found
> f: /public/debian/sid/dists/sid/InRelease
> Drwxr-xr-x root root /
> drwxr-xr-x root root public
> lrwxrwxrwx root root debian -> /Library/Lpools/zen/p1-setups_misc/repos/debian
> Drwxr-xr-x root root /
> drwxr-xr-x root zenan Library
> drwxr-xr-x root root Lpools
> drwxr-x--- zenan zenan zen
> Drwxr-xr-x zenan zenan p1-setups_misc
> Drwxr-xr-x zenan zenan repos
> drwxrwxr-x zenan zenan debian
> lrwxrwxrwx root root sid -> d00
> lrwxrwxrwx zenan zenan d00 -> d00-sid+tst+src-64
> drwxr-xr-x zenan zenan d00-sid+tst+src-64
> drwxrwxr-x zenan zenan dists
> drwxrwxr-x zenan zenan sid
> -rw-r--r-- zenan zenan InRelease
> -rw-r--r-- 1 zenan zenan 146310 Jun 27 16:32
> /Library/Lpools/zen/p1-setups_misc/repos/debian/d00-sid+tst+src-64/dists/sid/InRelease
> /Library/Lpools/zen/p1-setups_misc/repos/debian/d00-sid+tst+src-64/dists/sid/InRelease:
> ASCII text
> text/plain; charset=us-ascii
> {namei|readlink|/usr/bin/file} -f {file}...
>
> And we notice that /public/debian is a symlink and further down, this
> suspicious dir:
>
> drwxr-x--- zenan zenan zen
>
> Culprit identified! A quick chmod a+rx /Library/Lpools/zen and the show is
> back on the road.
>
> And the swanky recursive path analyzer (bash script):
> https://github.com/zenaan/quick-fixes-ftfw/blob/master/bin/zfile
>
> ----- End forwarded message -----
