[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2018-02-19 Thread Launchpad Bug Tracker
This bug was fixed in the package ubuntu-advantage-tools - 14

---
ubuntu-advantage-tools (14) bionic; urgency=medium

  * New upstream release:
    - repositories are only added after credentials are verified
      (LP: #1730361)
    - Livepatch MOTD script (LP: #1710976)
    - better "status" command output formatting (LP: #1719034)
    - sources.list.d files no longer contain credentials. The "auth.conf"
      facility is used instead. (LP: #1700611)
    - enabled Livepatch support for Bionic 18.04 LTS

 -- Andreas Hasenack   Tue, 06 Feb 2018 09:58:03 -0200

** Changed in: ubuntu-advantage-tools (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700611

Title:
  sources.list file created for ESM is world-readable, leaks subscriber
  token to all local users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-advantage-script/+bug/1700611/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
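
The fix named in the changelog above (credentials moved out of sources.list.d and into auth.conf), sketched as an added example; it is not code from this thread or from ubuntu-advantage-tools. The host, login and token are constructed placeholders, the function names are hypothetical, and the stanza uses the netrc-style `machine ... login ... password ...` form that apt reads from auth.conf.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entry; host, login and token are placeholders.
SAMPLE = "deb https://subscriber:CONSTRUCTED-TOKEN@esm.example.invalid/ubuntu precise main"


def split_credentials(entry):
    """Return (entry without userinfo, auth.conf stanza or None)."""
    fields = entry.split()
    for i, field in enumerate(fields):
        if "://" not in field:
            continue
        url = urlsplit(field)
        if url.username is None:
            return entry, None
        host = url.hostname + (f":{url.port}" if url.port else "")
        fields[i] = urlunsplit((url.scheme, host, url.path, url.query, url.fragment))
        # netrc-style stanza as read by apt from auth.conf
        stanza = f"machine {host}{url.path} login {url.username} password {url.password or ''}"
        return " ".join(fields), stanza
    return entry, None


def write_private(path, text):
    """Write text to path with mode 0600 set before any secret is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # covers a pre-existing file and any umask
        fh.write(text)


def audit(path):
    """Report whether a sources.list.d file exposes credentials."""
    findings = []
    with open(path) as fh:
        lines = [l for l in fh if l.strip() and not l.lstrip().startswith("#")]
    if any(split_credentials(l)[1] for l in lines):
        findings.append("embedded credentials")
        if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
            findings.append("world-readable")
    return findings


def demo():
    """Audit a constructed .list file, migrate it, and audit again."""
    with tempfile.TemporaryDirectory() as d:
        src, auth = os.path.join(d, "esm.list"), os.path.join(d, "auth.conf")
        with open(src, "w") as fh:
            fh.write(SAMPLE + "\n")
        os.chmod(src, 0o644)
        before = audit(src)
        clean, stanza = split_credentials(SAMPLE)
        write_private(auth, stanza + "\n")
        with open(src, "w") as fh:
            fh.write(clean + "\n")
        return before, audit(src), stat.S_IMODE(os.stat(auth).st_mode)


if __name__ == "__main__":
    print(demo())
```

After the migration the .list file can stay world-readable, so apt-cache keeps working for non-root users, while the token sits only in the 0600 auth.conf.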

[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-11-27 Thread Andreas Hasenack
Reopening, let's use auth.conf

** Changed in: ubuntu-advantage-tools (Ubuntu)
   Status: Incomplete => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ubuntu-advantage-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1700611

Title:
  sources.list file created for ESM is world-readable, leaks subscriber
  token to all local users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-advantage-script/+bug/1700611/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-11-02 Thread Joy Latten
I meant to add in #8 that this affects the addition of fips in the
ubuntu-advantage on xenial in
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671


[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-11-02 Thread Joy Latten
This affects the fips addition too, since we add an entry as well to
the /etc/apt/sources.list.d/ directory.


[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-07-01 Thread David Britton
filed bug on apt in ubuntu:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1701852



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-30 Thread Bug Watch Updater
** Changed in: ubuntu-advantage-script
   Status: Unknown => Fix Released



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-30 Thread Steve Langasek
Ah, if this blocks apt-cache from working generally, that's certainly a
major disadvantage.  I would argue that this is a bug in apt, but it
doesn't make sense to proceed with this change unless/until the apt bug
is fixed.



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-30 Thread David Britton
** Changed in: ubuntu-advantage-tools (Ubuntu)
   Status: New => Incomplete



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-30 Thread Andreas Hasenack
** Also affects: ubuntu-advantage-script via
   https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/22
   Importance: Unknown
   Status: Unknown


[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-30 Thread Andreas Hasenack
There seems to be a difference in behavior in apt. Precise's apt-cache,
for example, doesn't seem to care:

ubuntu@precise-esm:~$ l /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list
-rw------- 1 root root 200 Jun  7 18:35 /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list

ubuntu@precise-esm:~$ apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu0.12.04
  Version table:
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ubuntu@precise-esm:~$ sudo apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu5.12.04
  Version table:
     14.12-0ubuntu5.12.04 0
        500 https://extended.security.staging.ubuntu.com/ubuntu/ precise/main amd64 Packages
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages


So I would be OK for this change on precise, and also trusty (just tested) 
where it has the same behavior as precise. But from xenial onwards it breaks 
apt-cache as a whole for non-root users:


ubuntu@xenial-test:~$ apt-cache search juju
E: Opening /etc/apt/sources.list.d/juju-ubuntu-stable-xenial.list - ifstream::ifstream (13: Permission denied)
E: The list of sources could not be read.
ubuntu@xenial-test:~$


[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-30 Thread David Britton
Hi Steve --

So far what I see as not working if the file is go-r when a regular u:

1) update-manager stacktraces
2) apt-cache policy (on xenial it bails early without printing anything)


Options:

a) we don't care about these things breaking, and file bugs against those projects?
b) we make the /etc/apt/sources.list.d/*.list file g+r and chown it root:adm?

Let me know what the desired behavior here is if you don't mind.



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-29 Thread Steve Langasek
In my opinion, it's still better to have the file not world-readable by
default.  I looked to add-apt-repository for precedent, and the only
information I found was bug #399709 - however, add-apt-repository also
doesn't truly have support for adding private ppas (you can pass it a
full url with embedded credentials, but then it doesn't DTRT for gpg key
imports).  So I don't think this is a relevant precedent at all.

** Changed in: ubuntu-advantage-tools (Ubuntu)
   Status: Incomplete => New



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-29 Thread David Britton
** Changed in: ubuntu-advantage-tools (Ubuntu)
   Status: New => Incomplete



[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-29 Thread Andreas Hasenack
Making the file 0600 makes apt-cache complain about it when run by non-
root users. Is that an issue worth having?

 $ apt policy asdf
 E: Opening /etc/apt/sources.list.d/dropbox.list - ifstream::ifstream (13: Permission denied)
 E: The list of sources could not be read.

(dropbox.list was just an example)


[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-06-27 Thread Andreas Hasenack
Filed upstream:
https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/22

** Bug watch added: github.com/CanonicalLtd/ubuntu-advantage-script/issues #22
   https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/22
