Public bug reported:

For several versions now, apt has introduced a system user named _apt.
When downloading files, it tries to switch to this user in order to
limit the attack surface; downloading files as root is quite simply
dangerous. If the user _apt cannot write to the target directory, then
apt remains root, does the download just fine, but prints an ominous
warning.

Package update-notifier has such a directory, used to handle package
data downloads (Flash, Microsoft Core Fonts, etc.). Currently, the
ominous warning is printed every time those files are downloaded using
command-line apt or aptitude. (Which in the case of Flash, is quite
often.)

Doing a chmod _apt
/var/lib/update-notifier/package-data-downloads/partial should solve the
issue and improve security. However, since the _apt user is created in
postinst, it receives a different user id on each system, so the chmod
should be done in postinst.

Ubuntu release: 16.04
Source package: update-notifier
Package version: 3.168.5

** Affects: update-notifier (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1727614

Title:
  Directory package-data-downloads/partial should belong to user _apt

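
One way the ownership change proposed in the report could be made at install time, as an added example that is not part of the original bug report and not update-notifier's own maintainer script. The path and user name come from the report; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: hand the partial download directory to apt's sandbox user.
# Path and user name are taken from the bug report; ensure_partial_owner and
# its return codes are hypothetical names chosen for this illustration.

PARTIAL_DIR=/var/lib/update-notifier/package-data-downloads/partial
SANDBOX_USER=_apt

# ensure_partial_owner DIR USER
# returns 0 if DIR is owned by USER afterwards,
#         1 if USER does not exist (nothing to do; apt would stay root),
#         2 if DIR is missing or is a symlink (refuse to touch it),
#         3 if the ownership change itself failed.
ensure_partial_owner() {
    dir=$1
    user=$2

    # Look the user up by name at install time: its uid differs per system.
    if ! id -u "$user" >/dev/null 2>&1; then
        return 1
    fi

    # Only act on a real directory; never change ownership through a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 2
    fi

    # Skip the chown when the directory already belongs to the user.
    owner=$(stat -c %U "$dir")
    if [ "$owner" != "$user" ]; then
        chown "$user" "$dir" || return 3
    fi
    return 0
}

# In a postinst this would run during "configure", for example:
#   ensure_partial_owner "$PARTIAL_DIR" "$SANDBOX_USER" || true
```

Tolerating return code 1 keeps installation working on systems whose apt has no _apt user, where apt downloads as root anyway.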