There seems to be a difference in behavior in apt. Precise's apt-cache,
for example, doesn't seem to care:
ubuntu@precise-esm:~$ l /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list
-rw------- 1 root root 200 Jun 7 18:35
/etc/apt/sources.list.d/staging-ubuntu-esm-precise.list
ubuntu@precise-esm:~$ apt-cache policy landscape-client
landscape-client:
Installed: (none)
Candidate: 14.12-0ubuntu0.12.04
Version table:
14.12-0ubuntu0.12.04 0
500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64
Packages
100 /var/lib/dpkg/status
12.04.3-0ubuntu1 0
500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
ubuntu@precise-esm:~$ sudo apt-cache policy landscape-client
landscape-client:
Installed: (none)
Candidate: 14.12-0ubuntu5.12.04
Version table:
14.12-0ubuntu5.12.04 0
500 https://extended.security.staging.ubuntu.com/ubuntu/ precise/main
amd64 Packages
14.12-0ubuntu0.12.04 0
500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64
Packages
100 /var/lib/dpkg/status
12.04.3-0ubuntu1 0
500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
So I would be OK for this change on precise, and also trusty (just tested)
where it has the same behavior as precise. But from xenial onwards it breaks
apt-cache as a whole for non-root users:
ubuntu@xenial-test:~$ apt-cache search juju
E: Opening /etc/apt/sources.list.d/juju-ubuntu-stable-xenial.list -
ifstream::ifstream (13: Permission denied)
E: The list of sources could not be read.
ubuntu@xenial-test:~$
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700611
Title:
sources.list file created for ESM is world-readable, leaks subscriber
token to all local users
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-advantage-script/+bug/1700611/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
