I was having a similar issue after upgrading from 19.10 to 20.04.
My issue turned out to be the same as this bug: https://bugs.launchpad.net/ubuntu/+source/command-not-found/+bug/1827759
The default UMASK on my system is 0027 so when /var/lib/command-not-found/*.db.* was updated the permissions were set 0640. (I don't recall modifying /etc/login.defs but that's what's in there. Perhaps it's the new UMASK on 20.04?)
It turns out the CNF db files are updated every time you install a package via apt due to the post installation hook that runs /usr/lib/cnf-update-db located here: /etc/apt/apt.conf.d/50command-not-found.
I install most software via 'sudo apt install' so each time I ran that command the permissions on /var/lib/command-not-found/*.db got set 0640 because of UMASK 0027. I confirmed my sudo sessions had UMASK 0027 with "sudo /bin/bash -c 'umask'".
I've set a default POSIX ACL giving o+r-- on /var/lib/command-not-found and so far that seems to have fixed my issue.
Complete fix for me:
sudo setfacl --mask -m d:o::r-- /var/lib/command-not-found
sudo rm /var/lib/command-not-found/*.db.*
sudo /usr/lib/cnf-update-db --verbose
It would be better, though, if the cnf-update-db script explicitly set the permissions on the generated DB files to 0644 on update. At the moment the script does not appear to do that directly.
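Added example, not part of the original comment and not code from command-not-found: a Python sketch of the behaviour described above and of the suggested "set 0644 explicitly" approach. The function names and the scratch file names plain.db and fixed.db are assumptions made for illustration.

```python
import os
import stat
import tempfile

def mode_of(path):
    """Return the permission bits of path, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)

def write_with_umask_only(path, data):
    """Plain write: the final mode is 0o666 & ~umask, so umask 0027 gives 0640."""
    with open(path, "wb") as f:
        f.write(data)

def write_world_readable(path, data, mode=0o644):
    """Write to a temp file, set the mode explicitly, then rename into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            os.fchmod(f.fileno(), mode)  # fchmod is not filtered by the umask
        os.replace(tmp, path)  # atomic swap; readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise

def not_world_readable(directory):
    """List files in directory that 'other' cannot read (the symptom above)."""
    return sorted(
        name for name in os.listdir(directory)
        if not mode_of(os.path.join(directory, name)) & stat.S_IROTH
    )

def demo():
    """Run both writers under umask 0027 in a scratch directory (constructed data)."""
    old = os.umask(0o027)
    try:
        with tempfile.TemporaryDirectory() as d:
            write_with_umask_only(os.path.join(d, "plain.db"), b"x")
            write_world_readable(os.path.join(d, "fixed.db"), b"x")
            return (mode_of(os.path.join(d, "plain.db")),
                    mode_of(os.path.join(d, "fixed.db")),
                    not_world_readable(d))
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())
```

not_world_readable() can also be pointed at /var/lib/command-not-found after an apt run to check whether the DB files came out unreadable for ordinary users.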