[Touch-packages] [Bug 1668944] Re: The _apt user ignores group membership.

Wed, 01 Mar 2017 04:22:00 -0800 

The recommended way is "chown _apt:root FILE && chmod 400 FILE" at the moment. 
Ideally we wouldn't need the chown (or have it root:root), but that isn't very 
realistic to be implementable without rolling our own TLS stack in the process 
at the moment, so we have to make due with that for now.
Disabling the feature or making the file world readable does work as well, but 
totally defeats the point of courseā€¦

I don't see what the point of trying to us groups here is. Are you
trying to share the same certificate for multiple things? If so that's a
bad idea. You should have a certificate for each and every usecase (=
client), not a single one shared between multiple clients on the same
machine.

** Changed in: apt (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1668944

Title:
  The _apt user ignores group membership.

Status in apt package in Ubuntu:
  Invalid

Bug description:
  Actually I had the same problem described in 
http://askubuntu.com/questions/773955/apt-get-ssl-client-certificate-not-working-on-16-04-error-while-reading-file
  I want to use client certificates with apt. But I don't want to make them 
world readable in order to make apt working. So I created a group 'ssl-cert' 
and changed the group ownership of the ssl cert files to match this group. I 
also added the _apt user to the ssl-cert group.

  Then I tried to open these files as user '_apt' in bash (su -s
  /bin/bash _apt) which works well.

  But if I run: "apt-get -o "Debug::Acquire::https=true" update" I still get 
the following error:
  * error reading ca cert file /etc/certs/mycert/ca.pem (Error while reading 
file.)
  * Closing connection 26

  So my guess is that apt somehow ignores the ssl-cert membership.

  Possible workarounds:
  - make ssl client cert world readable
  - change owner ssl client cert to _apt
  - change main group of _apt user from 'nogroup' to 'ssl-cert'
  - set APT::Sandbox::User "root"; in apt.conf.d

  Neither of them is pretty. 
  Maybe this is a wanted behavior, then just suggest how to fix the issue in 
nice way.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1668944/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to