Changing away from 'nogroup' would be good, that's for NFS use (similar to 'nobody').
Using ACLs to grant the _apt user permission to work with specific files sounds good to me. Perhaps not all editors know to maintain those when writing new files with the same name, or perhaps know to fall back to non-atomic file update tools in order to maintain those... But it'd be ideal from apt's perspective, and easier than trying to manage supplementary groups in sandboxed processes. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1668944 Title: The _apt user ignores group membership. Status in apt package in Ubuntu: Invalid Bug description: Actually I had the same problem described in http://askubuntu.com/questions/773955/apt-get-ssl-client-certificate-not-working-on-16-04-error-while-reading-file I want to use client certificates with apt. But I don't want to make them world readable in order to make apt working. So I created a group 'ssl-cert' and changed the group ownership of the ssl cert files to match this group. I also added the _apt user to the ssl-cert group. Then I tried to open these files as user '_apt' in bash (su -s /bin/bash _apt) which works well. But if I run: "apt-get -o "Debug::Acquire::https=true" update" I still get the following error: * error reading ca cert file /etc/certs/mycert/ca.pem (Error while reading file.) * Closing connection 26 So my guess is that apt somehow ignores the ssl-cert membership. Possible workarounds: - make ssl client cert world readable - change owner ssl client cert to _apt - change main group of _apt user from 'nogroup' to 'ssl-cert' - set APT::Sandbox::User "root"; in apt.conf.d Neither of them is pretty. Maybe this is a wanted behavior, then just suggest how to fix the issue in nice way. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1668944/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp