[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
This bug was fixed in the package ubuntu-advantage-tools - 14

---
ubuntu-advantage-tools (14) bionic; urgency=medium

  * New upstream release:
    - repositories are only added after credentials are verified
      (LP: #1730361)
    - Livepatch MOTD script (LP: #1710976)
    - better "status" command output formatting (LP: #1719034)
    - sources.list.d files no longer contain credentials. The "auth.conf"
      facility is used instead. (LP: #1700611)
    - enabled Livepatch support for Bionic 18.04 LTS

 -- Andreas Hasenack  Tue, 06 Feb 2018 09:58:03 -0200

** Changed in: ubuntu-advantage-tools (Ubuntu)
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700611

Title: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-advantage-script/+bug/1700611/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
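Added example, not part of the thread and not ubuntu-advantage-tools code: a shell script for the fix named in the changelog above. It finds sources.list.d files that embed credentials in a repository URL, writes them as netrc-style auth.conf entries to a 0600 file, and leaves the .list file credential-free. The host, login, token and auth file path are constructed placeholders, and the `user:token@host` URL form is an assumption about how the token was embedded.

```shell
#!/bin/sh
# Added example: find APT source lists that embed credentials in the URL and
# move them into a root-only, netrc-style auth.conf file.
# All hosts, logins and tokens below are constructed placeholders.

CRED_RE='https?://[^/@[:space:]]+:[^/@[:space:]]+@'

# Print "path<TAB>octal-mode" for each *.list in dir $1 with user:pass@ in a URL.
find_embedded_creds() {
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*deb(-src)?[[:space:]].*$CRED_RE" "$f"; then
            printf '%s\t%s\n' "$f" "$(stat -c %a "$f")"   # GNU stat
        fi
    done
}

# Emit one "machine HOST login USER password PASS" line per credentialed source.
to_auth_conf() {
    sed -nE 's#^[[:space:]]*deb(-src)?[[:space:]].*https?://([^:/@[:space:]]+):([^/@[:space:]]+)@([^/[:space:]]+).*#machine \4 login \2 password \3#p' "$1" | sort -u
}

# Print list file $1 with the userinfo part removed from every URL.
strip_creds() {
    sed -E 's#(https?://)[^/@[:space:]]+:[^/@[:space:]]+@#\1#' "$1"
}

# $1 = .list file, $2 = auth file (path chosen by the caller; an assumption here).
migrate() {
    ( umask 077; to_auth_conf "$1" >> "$2" )   # never created world-readable
    chmod 600 "$2"
    tmp=$(mktemp "$1.XXXXXX") &&
        strip_creds "$1" > "$tmp" &&
        chmod 644 "$tmp" &&                     # safe: no secret left in it
        mv "$tmp" "$1"
}

demo() {
    d=$(mktemp -d)
    printf 'deb https://user:CONSTRUCTED-TOKEN@esm.example.invalid/ubuntu precise main\n' > "$d/esm.list"
    printf 'deb http://archive.ubuntu.com/ubuntu precise main\n' > "$d/plain.list"
    chmod 644 "$d/esm.list" "$d/plain.list"
    echo "before:"; find_embedded_creds "$d"
    migrate "$d/esm.list" "$d/auth.conf"
    echo "after:";  find_embedded_creds "$d"
    stat -c '%a %n' "$d/auth.conf" "$d/esm.list"
    rm -rf "$d"
}
demo
```

Because the .list file stays 0644 after migration, non-root `apt-cache` keeps working, which is the breakage the later messages in this thread report for the 0600 approach.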
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
Reopening, let's use auth.conf

** Changed in: ubuntu-advantage-tools (Ubuntu)
       Status: Incomplete => Triaged
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
I meant to add in #8 that this affects the addition of fips in the ubuntu-advantage on xenial in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
This affects the fips addition too, since we add an entry as well to the /etc/apt/sources.list.d/ directory.
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
Filed bug on apt in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1701852
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
** Changed in: ubuntu-advantage-script
       Status: Unknown => Fix Released
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
Ah, if this blocks apt-cache from working generally, that's certainly a major disadvantage. I would argue that this is a bug in apt, but it doesn't make sense to proceed with this change unless/until the apt bug is fixed.
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
** Changed in: ubuntu-advantage-tools (Ubuntu)
       Status: New => Incomplete
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
** Also affects: ubuntu-advantage-script via https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/22
   Importance: Unknown
       Status: Unknown
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
There seems to be a difference in behavior in apt. Precise's apt-cache, for example, doesn't seem to care:

ubuntu@precise-esm:~$ l /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list
-rw--- 1 root root 200 Jun 7 18:35 /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list
ubuntu@precise-esm:~$ apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu0.12.04
  Version table:
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
ubuntu@precise-esm:~$ sudo apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu5.12.04
  Version table:
     14.12-0ubuntu5.12.04 0
        500 https://extended.security.staging.ubuntu.com/ubuntu/ precise/main amd64 Packages
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

So I would be OK for this change on precise, and also trusty (just tested) where it has the same behavior as precise. But from xenial onwards it breaks apt-cache as a whole for non-root users:

ubuntu@xenial-test:~$ apt-cache search juju
E: Opening /etc/apt/sources.list.d/juju-ubuntu-stable-xenial.list - ifstream::ifstream (13: Permission denied)
E: The list of sources could not be read.
ubuntu@xenial-test:~$
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
Hi Steve --

So far what I see as not working if the file is go-r when a regular u:

1) update-manager stacktraces
2) apt-cache policy (on xenial it bails early without printing anything)

Options:

a) we don't care about these things breaking, and file bugs against those projects?
b) we make the /etc/apt/sources.list.d/*.list file g+r and chown it root:adm?

Let me know what the desired behavior here is if you don't mind.
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
In my opinion, it's still better to have the file not world-readable by default.

I looked to add-apt-repository for precedent, and the only information I found was bug #399709 - however, add-apt-repository also doesn't truly have support for adding private ppas (you can pass it a full url with embedded credentials, but then it doesn't DTRT for gpg key imports). So I don't think this is a relevant precedent at all.

** Changed in: ubuntu-advantage-tools (Ubuntu)
       Status: Incomplete => New
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
** Changed in: ubuntu-advantage-tools (Ubuntu)
       Status: New => Incomplete
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
Making the file 0600 makes apt-cache complain about it when run by non-root users. Is that an issue worth having?

$ apt policy asdf
E: Opening /etc/apt/sources.list.d/dropbox.list - ifstream::ifstream (13: Permission denied)
E: The list of sources could not be read.

(dropbox.list was just an example)
[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users
Filed upstream: https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/22

** Bug watch added: github.com/CanonicalLtd/ubuntu-advantage-script/issues #22
   https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/22