** Description changed:

  [ Impact ]
  
- Users running `pro refresh` on a Noble machine will see a warning, saying 
that user `_apt` does not have access to the apt-news json.
+ Users running `pro refresh` on a Noble (or later) machine will see a warning, 
saying that user `_apt` does not have access to the apt-news json.
  This does not affect functionality, but it is undesired for potential 
security reasons.
  This warning is fixed by putting the json on a separate folder, and then 
giving permissions for `_apt` to write there.
  
  [ Test Plan ]
- - Launch a Noble machine with u-a-t < 35
+ - Launch a Noble/Oracular/Plucky machine with u-a-t < 35
  - run `sudo pro refresh` and see the warning there
  - Upgrade to u-a-t v35
  - run `sudo pro refresh` and see it works without a warning
  
  then
  
  - Verify no change has happened for other releases
  
  [ Where problems could occur ]
  
  We could run into problems by giving the `_apt` user permissions it
  should not have. To mitigate, we have created a separate folder just for
  this operation, and explicitly gave permissions using apparmor. We
  consulted with the APT team and had a +1 for the changeset.
  
  [ Original Description ]
  
  I am not sure which package this relates to, but after a recent upgrade
  from Ubuntu 22.04 to 24.04 LTS I have started seeing messages in syslog
  like this:
  
  17:29:03 python3[777789]: 
/usr/lib/python3/dist-packages/uaclient/apt_news.py:207: Warning: W:Download is 
performed unsandboxed as root as file '/run/ubuntu-advantage/aptnews.json' 
couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
  17:29:03 python3[777789]: acq.run()
  
  It seems to me that user _apt lacks write permission for anything in
  /run, hence the problem. I realise the script is getting round the
  problem by running unsandboxed instead but this message is ugly.
  
  What I have installed that might be related (I do not have 
ubuntu-advantage-tools):
  # dpkg-query --list|grep -E "^.i.*(news|-pro-|apt).*(amd64|all)"
  ii  apt                                    2.7.14build2                       
     amd64        commandline package manager
  ii  apt-utils                              2.7.14build2                       
     amd64        package management related utility programs
  ii  libapt-pkg6.0t64:amd64                 2.7.14build2                       
     amd64        package management runtime library
  ii  motd-news-config                       13ubuntu10                         
     all          Configuration for motd-news shipped in base-files
  ii  python-apt-common                      2.7.7ubuntu1                       
     all          Python interface to libapt-pkg (locales)
  ii  python3-apt                            2.7.7ubuntu1                       
     amd64        Python 3 interface to libapt-pkg
  ii  ubuntu-pro-client                      32.3~24.04                         
     amd64        Management tools for Ubuntu Pro
  ii  ubuntu-pro-client-l10n                 32.3~24.04                         
     amd64        Translations for Ubuntu Pro Client
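
Review bot: the Test Plan step changed to "Launch a Noble/Oracular/Plucky machine with u-a-t < 35" only checks that the warning disappears after the upgrade to v35; nothing in the plan exercises the mitigation described under "Where problems could occur". Consider adding a step that confirms `_apt` can write only to the new separate folder and that the apparmor permission covers nothing beyond it. It would also help to name the releases meant by "Verify no change has happened for other releases", so that check is repeatable now that the Impact text reads "Noble (or later)".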

https://bugs.launchpad.net/bugs/2070095

Title:
  apt_news.py download forced unsandboxed
