Warning messages about unsandboxed downloads

Bug #1522675 reported by dino99
This bug affects 406 people
Affects                    Status         Importance  Assigned to          Milestone
apt (Debian)               Fix Released   Unknown
apt (Ubuntu)               Fix Released   Low         Unassigned
  Hirsute                  Fix Released   Low         Unassigned
aptitude (Debian)          Fix Released   Unknown
aptitude (Ubuntu)          Fix Released   Low         Unassigned
  Xenial                   Confirmed      Low         Unassigned
  Hirsute                  Fix Released   Low         Unassigned
synaptic (Debian)          New            Unknown
synaptic (Ubuntu)          Triaged        Low         Unassigned
  Xenial                   Confirmed      Low         Unassigned
  Hirsute                  Won't Fix      Low         Unassigned
update-notifier (Ubuntu)   Fix Released   Medium      Julian Andres Klode
  Xenial                   Fix Released   Medium      Julian Andres Klode
  Hirsute                  Fix Released   Medium      Julian Andres Klode

Bug Description

READ ME FIRST
=============
This is only a regression on a cosmetic level. Previous versions of apt did not have any sandboxing whatsoever, so this means apt reverted back to that old behavior.

update-notifier SRU
-------------------
[Impact]
Cosmetic. Warnings when installing packages using update-notifier downloading stuff

[Test case]

Install flashplugin-installer with apt and check that the output does not contain a message like this:

W: Can't drop privileges for downloading as file '...' couldn't be accessed by user '_apt'

[Regression Potential]

It just chowns /var/lib/update-notifier/package-data-downloads/partial/ to _apt:root, there should not be any regression.

Original report
---------------

Recently we got new versions for synaptic 0.82+build1 & apt 1.1.3, but now get that error when installing/upgrading some packages:

Setting up libc6-dbg:amd64 (2.21-0ubuntu5) ...
Processing triggers for libc-bin (2.21-0ubuntu5) ...
W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

From nautilus, I'm seeing a /root/ folder locked (x on its icon) and the folder is empty (no /.synaptic/ sub-folder or file), so the above error.

oem@u64:~$ ls -l .synaptic
total 4
-rw-rw-r-- 1 oem oem 0 Aug 25 11:19 options
-rw-rw-r-- 1 oem oem 236 Aug 25 11:19 synaptic.conf

oem@u64:~$ ls -l /var/lib/apt/lists/
....
-rw-r----- 1 root root 0 Sep 20 06:36 lock
drwx------ 2 _apt root 16384 Sep 24 15:25 partial
......

oem@u64:~$ sudo ls -l /var/lib/update-notifier/package-data-downloads/
.....
drwxr-xr-x 2 _apt root 4096 Sep 22 23:33 partial

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: synaptic 0.82+build1
ProcVersionSignature: Ubuntu 4.3.0-1.10-generic 4.3.0
Uname: Linux 4.3.0-1-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.19.2-0ubuntu8
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Dec 4 05:23:25 2015
SourcePackage: synaptic
UpgradeStatus: No upgrade log present (probably fresh install)

dino99 (9d9) wrote :
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in synaptic (Ubuntu):
status: New → Confirmed
Changed in synaptic (Ubuntu):
importance: Undecided → High
importance: High → Medium
Tsu Jan (tsujan2000) wrote :

On Debian I get messages like this when the download process is completed:

W: Can't drop privileges for downloading as file '/var/cache/apt/archives/partial/PACKAGE' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

However, after I close the dialog, I can update the packages. Of course PACKAGE isn't there after it's downloaded completely. Why Synaptic searches for it in that folder, I don't know.

dino99 (9d9) wrote :

synaptic 0.82.5 does not solve that issue

Tsu Jan (tsujan2000) wrote :

On Debian, this issue is fixed by apt-1.2, although another irrelevant message is shown now:

The method driver /usr/lib/apt/methods/https could not be found.

dino99 (9d9) wrote :

Thanks Tsu

so many changes recently with the apt package !!!
http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_1.2.1_changelog

Tsu Jan (tsujan2000) wrote :

I was wrong: the problem still persists with apt-1.2 :( It showed up again the second time I used Synaptic after the upgrade.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Changed in apt (Ubuntu):
importance: Undecided → Critical
Changed in synaptic (Ubuntu):
importance: Medium → Critical
Flames_in_Paradise (ellisistfroh-deactivatedaccount) wrote :

@ddino99: The link you provided seems to be broken, so look at this:
https://launchpad.net/ubuntu/xenial/+source/apt/+changelog

And, yes, that's impressive!

dino99 (9d9) wrote :

Debian has upgraded the package, so the link above is indeed dead. Here is the full actual changelog (more complete than the launchpad changelog)
http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_1.2.3_changelog

Changed in synaptic (Ubuntu):
status: Confirmed → Invalid
Brian Murray (brian-murray) wrote :

I was unable to recreate this given the situation described:

 $ sudo mv /root/.synaptic /root/synaptic
[ 3:56PM 10261 ] [ bdmurray@impulse:~/Documents/gtd ]
 $ sudo apt-get install --reinstall libc-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.3.0-7 linux-headers-4.3.0-7-generic linux-image-4.3.0-7-generic linux-image-extra-4.3.0-7-generic linux-tools-4.3.0-7 linux-tools-4.3.0-7-generic
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 207 not upgraded.
Need to get 0 B/1,172 kB of archives.
After this operation, 0 B of additional disk space will be used.
Sorry, your system lacks support for the snapshot feature
(Reading database ... 909633 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.21-0ubuntu5_amd64.deb ...
Unpacking libc-bin (2.21-0ubuntu5) over (2.21-0ubuntu5) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libc-bin (2.21-0ubuntu5) ...

Changed in apt (Ubuntu):
importance: Critical → Medium
dino99 (9d9) wrote :

@Brian

This is still happening on that fresh wily dist-upgraded to xenial, even with the latest apt 1.2.3 and gcc 5.3.1-1

Processing triggers for libc-bin (2.21-0ubuntu6) ...
W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

The main issue seems to be that the .root folder is LOCKED, which prevents subfolder creation.

Is that locked .root folder expected ?

Tigerboy (tigersands) wrote :

W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

following what appears to be the successful install of package xicc 0.2-3

fully upgraded 16.04

Tigerboy (tigersands) wrote :

Additionally:
/root/.synaptic/tmp does exist and it is owned by root with permissions 0700

The /root/.synaptic/tmp folder is empty

Tigerboy (tigersands) wrote :

dpkg.log:

2016-02-27 23:23:37 install xicc:amd64 <none> 0.2-3
2016-02-27 23:23:37 status half-installed xicc:amd64 0.2-3
2016-02-27 23:23:37 status unpacked xicc:amd64 0.2-3
2016-02-27 23:23:37 status unpacked xicc:amd64 0.2-3
2016-02-27 23:23:37 startup packages configure
2016-02-27 23:23:37 configure xicc:amd64 0.2-3 <none>
2016-02-27 23:23:37 status unpacked xicc:amd64 0.2-3
2016-02-27 23:23:37 status half-configured xicc:amd64 0.2-3
2016-02-27 23:23:37 status installed xicc:amd64 0.2-3
2016-02-27 23:23:38 startup packages configure

xicc shows as being fully installed & dpkg is fully operational.

Julian Andres Klode (juliank) wrote :

There is no bug in APT here. There is not even an error. It's a warning. In any case, this is synaptic's fault, as that defines where to download the changelog instead of using APT's changelog code.

Changed in apt (Ubuntu):
status: Confirmed → Invalid
Changed in synaptic (Ubuntu):
status: Invalid → Triaged
importance: Critical → Low
Luis Ferro (luis-ferro) wrote :

Then I suppose that a new bug is entered into synaptic and linked to this bug so that users affected by this can see that it is being handled instead of "ignored" by an invalid / triaged status?

Just tested on the "release" version of xenial and it still happens.

Travisgevans (travisgevans) wrote :

For the Synaptic message complaining about /var/cache/apt/archives/partial, setting the owner of that directory to _apt seems to avoid it, based on my tests in a VirtualBox VM of Wily upgraded to Xenial.

I haven't (yet) encountered an error complaining about /root/.synaptic/[…]. It seems really bizarre that it would insist on some system user being able to access something in root's home directory.

dino99 (9d9)
summary: - /root/.synaptic/ not created
+ /root/.synaptic/ not created due to locking status
The Powerpuff Girls (thepowerpuffgirls) wrote : Re: /root/.synaptic/ not created due to locking status

I had this message a few times within the past few days of upgrading to Ubuntu 16.04, fresh, from Ubuntu 12.04.

I had this message about a half hour ago while installing apport.

- Blossom

Changed in synaptic (Ubuntu):
status: Triaged → Confirmed
Changed in synaptic (Debian):
status: Unknown → New
Travisgevans (travisgevans) wrote :

I just now found a very similar message from the update-notifier cronjob:

/etc/cron.daily/update-notifier-common:
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20160407.1.orig.tar.gz [27.0 MB]
Fetched 27.0 MB in 1min 11s (378 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20160407.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20160407.1.orig.tar.gz
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20160407.1.orig.tar.gz
Flash Plugin installed.

So, apparently not unique to Synaptic?

Brian Murray (brian-murray) wrote :

The update-notifier-common message is unrelated to this bug and is only a warning (notice the W:) and the flash plugin is still installed.

Gil Gamesh (gamesh-g) wrote :

It's correct that it's a warning, but it is presented as an error. I get a pop-up window that says "An error occurred".

I guess this is potentially a different bug as I see the same thing with a warning about a weak digest algorithm similarly being presented as an error.

jean-christophe manciot (manciot-jeanchristophe) wrote :

After exiting from Synaptic, is it expected for the file /var/cache/apt/archives/lock to be still there?

randolf (wolle321) wrote :

Have this problem too, since I updated from 15.10 to 16.04.
Synaptic is not running, but the lock file is still there:

randolf@ART-LT16:~$ ps aux | grep synaptic
randolf 14314 0.0 0.0 15796 1024 pts/4 S+ 10:47 0:00 grep --color=auto synaptic
randolf@ART-LT16:~$ ll /var/cache/apt/archives/lock
-rw-r----- 1 root root 0 Okt 21 2015 /var/cache/apt/archives/lock

Hope this helps, randolf

Flames_in_Paradise (ellisistfroh-deactivatedaccount) wrote :

Is the system missing a user called _apt ?

Was it forgotten to create one?

Is this warning serious or can/should it be silenced?

Who corrupted my system? Can we still trust the system or should we just install another distro, which doesn't suffer such?

Looks in any case quite messy AND it's an upgrade-regression.

tags: added: upgrade-regression
tags: added: regression
removed: upgrade-regression
tags: added: regression-update
removed: regression
dino99 (9d9)
tags: added: yakkety
dino99 (9d9) wrote :

This also happens on Yakkety with synaptic, but only once after opening a session (gnome-shell 64 bits). After that first 'upgrade' that ends with this warning, the next upgrades, inside the opened session, do not warn. This has no sad effects on upgrading, so it could be silenced.

Kim Tucker (ktucker) wrote :

In case useful, I have just done a fresh install of Xenial, followed by 'sudo apt-get install synaptic'. The following error arose when trying to install blubuntu-theme and blubuntu-wallpapers
W: Can't drop privileges for downloading as file '/root/.synaptic/tmp//tmp_sh' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied).
After completely removing via synaptic, it installed fine with apt-get.

Bill Miller (wbmilleriii) wrote :

It's not just synaptic. Happens with aptitude as well. I suspect it's a new requirement for a user named '_apt' which doesn't exist (because it wasn't added).

Deleted (noone1) wrote :

Is there a fix for this yet? It's still happening on Ubuntu 16.04 with all updates as of 07/24/2016.

Tsu Jan (tsujan2000) wrote :

Cleaning up Firefox bookmarks, I encountered this report again. Apparently, apt developers don't want to see this as a bug, so don't wait for a fix! To get rid of that annoying message, you should have an `_apt` user (which probably you have) and change the owner of the folder in question from `root:root` to `_apt:root`.

I'm on Debian and the above trick worked here months ago.
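
A read-only audit for the ownership workaround discussed in this thread, as an added example that is not part of any comment and is not apt's own check: it estimates from mode bits whether a sandbox user such as `_apt` can reach and write a download directory, walking every ancestor, so a parent without search permission for that user blocks the path whatever the leaf's owner is. The function names and script name are hypothetical; it assumes GNU `stat`, absolute paths without `..`, and ignores ACLs, capabilities and LSM policy.

```shell
#!/bin/sh
# Added example (not apt's code). Models unprivileged users only: root's
# ability to bypass permission bits is deliberately not taken into account.

# perm_digit USER PATH: print the rwx digit (0-7) of the permission class
# (owner, group or other) that applies to USER on PATH.
# Returns 2 if the caller cannot stat PATH.
perm_digit() {
    pd_user=$1
    pd_info=$(stat -L -c '%U %G %a' -- "$2" 2>/dev/null) || return 2
    pd_groups=$(id -Gn "$pd_user" 2>/dev/null) || pd_groups=
    set -- $pd_info                       # $1=owner $2=group $3=octal mode
    pd_mode=$(printf '%04d' "$3")         # "700" -> "0700", "1777" unchanged
    pd_bits=${pd_mode#?}                  # drop the setuid/setgid/sticky digit
    if [ "$pd_user" = "$1" ]; then
        pd_digit=${pd_bits%??}            # owner class wins, even if stricter
    else
        case " $pd_groups " in
            *" $2 "*) pd_digit=${pd_bits#?}; pd_digit=${pd_digit%?} ;;  # group
            *)        pd_digit=${pd_bits#??} ;;                          # other
        esac
    fi
    printf '%s\n' "$pd_digit"
}

# sandbox_can_write_dir USER DIR
#   0: USER can traverse every ancestor of DIR and create files in DIR
#   1: some component blocks USER (the component is printed)
#   2: the check could not be completed
sandbox_can_write_dir() {
    sc_user=$1
    case $2 in /*) ;; *) echo "not an absolute path: $2"; return 2 ;; esac
    sc_cur=/
    sc_old_ifs=$IFS
    set -f; IFS=/
    set -- $2                             # split on '/'; '//' gives an empty part
    IFS=$sc_old_ifs; set +f
    for sc_part in "$@"; do
        [ -n "$sc_part" ] || continue     # a doubled slash equals a single one
        sc_d=$(perm_digit "$sc_user" "$sc_cur") || { echo "cannot stat $sc_cur"; return 2; }
        if [ $(( sc_d & 1 )) -eq 0 ]; then
            echo "BLOCKED: $sc_user has no search (x) permission on $sc_cur"
            return 1
        fi
        sc_cur=${sc_cur%/}/$sc_part
    done
    sc_d=$(perm_digit "$sc_user" "$sc_cur") || { echo "cannot stat $sc_cur"; return 2; }
    if [ $(( sc_d & 3 )) -ne 3 ]; then
        echo "BLOCKED: $sc_user needs write and search (wx) on $sc_cur"
        return 1
    fi
    echo "OK: $sc_user can create files in $sc_cur"
}

# Usage (script name is hypothetical), with directories named in this report:
#   sudo sh audit-apt-sandbox.sh /var/cache/apt/archives/partial \
#       /var/lib/update-notifier/package-data-downloads/partial /root/.synaptic/tmp
for sc_dir in "$@"; do
    sandbox_can_write_dir _apt "$sc_dir" || true
done
```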

feroz (ferozkhan27) wrote :

Has anyone found a workaround for this yet?

feroz (ferozkhan27) wrote :

Ended up using 15.10.

dino99 (9d9)
description: updated
description: updated
summary: - /root/.synaptic/ not created due to locking status
+ Can't drop privileges for downloading : _apt user not created
no longer affects: synaptic (Ubuntu)
no longer affects: apt (Ubuntu)
Launchpad Janitor (janitor) wrote : Re: Can't drop privileges for downloading : _apt user not created

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dpkg (Ubuntu):
status: New → Confirmed
dino99 (9d9)
description: updated
summary: - Can't drop privileges for downloading : _apt user not created
+ Can't drop privileges for downloading : _apt user not allowed
Changed in dpkg (Ubuntu):
importance: Undecided → Critical
importance: Critical → Medium
dino99 (9d9) wrote : Re: Can't drop privileges for downloading : _apt user not allowed

@juliank (#16)

Michael Vogt has a different opinion than yours, so blaming apt again

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808802
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808802#20
"This is a bug indeed, the question is how it got triggered, that dir
should be owned by the _apt user."

oem@u64:~$ ls -dl /var/cache/apt/archives/partial/
drwx------ 2 _apt root 4096 Sep 24 05:26 /var/cache/apt/archives/partial/
oem@u64:~$ grep -B2 _apt /var/lib/dpkg/info/apt.postinst
 # add unprivileged user for the apt methods
 adduser --force-badname --system --home /nonexistent \
     --no-create-home --quiet _apt || true

 # Fixup any mistake in the home directory of the _apt user
 if dpkg --compare-versions "$2" lt-nl 1.1~exp10~; then
     usermod --home /nonexistent _apt

dino99 (9d9) wrote :

For the record, another case has been fixed about _apt sandboxing

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806406

oem@u64:~$ getent passwd
.....
_apt:x:123:65534::/nonexistent:/bin/false

dino99 (9d9)
description: updated
Julian Andres Klode (juliank) wrote :

Michael and I don't have any different opinion here at all. You are complaining about root/.synaptic/tmp//tmp_cl - which is owned by synaptic - not about the /var/cache/apt/archives/partial or another apt owned directory.

A directory inside your (well, root's) home directory is a different case altogether: It *should* be owned by you, not by _apt.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Changed in apt (Ubuntu):
importance: Undecided → Medium
chris pollock (cpollock) wrote :

Wow, this is still going on after more than 10 months

/etc/cron.daily/update-notifier-common:
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20161026.1.orig.tar.gz [27.2 MB]
Fetched 27.2 MB in 23s (1,179 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20161026.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20161026.1.orig.tar.gz
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20161026.1.orig.tar.gz
Flash Plugin installed.

Evan Carroll (evancarroll) wrote :

Also getting this, re: @Chris Pollock on the same package which is now required with the deprecation and removal of pepperflash on Oct 26.

Pablo Catalina (xkill) wrote :

I have similar problem with flashplugin-installer and ttf-mscorefonts-installer packages:

flashplugin-installer: processing...
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20161026.1.orig.tar.gz
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20161026.1.orig.tar.gz [27,2 MB]
Fetched 27,2 MB in 25s (1.085 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20161026.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20161026.1.orig.tar.gz
Flash Plugin installed.
ttf-mscorefonts-installer: processing...
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/andale32.exe
Get:1 http://downloads.sourceforge.net/corefonts/andale32.exe [198 kB]
Fetched 198 kB in 2s (96,3 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/arial32.exe
Get:1 http://downloads.sourceforge.net/corefonts/arial32.exe [554 kB]
Fetched 554 kB in 2s (248 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/arial32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/arialb32.exe
Get:1 http://downloads.sourceforge.net/corefonts/arialb32.exe [168 kB]
Fetched 168 kB in 2s (71,9 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/arialb32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/comic32.exe
Get:1 http://downloads.sourceforge.net/corefonts/comic32.exe [246 kB]
Fetched 246 kB in 2s (95,3 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/comic32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/courie32.exe
Get:1 http://downloads.sourceforge.net/corefonts/courie32.exe [646 kB]
Fetched 646 kB in 2s (273 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier...


Paul White (paulw2u)
tags: added: zesty
Changed in apt (Debian):
status: Unknown → New
Lorenzo (nakis)
Changed in msttcorefonts (Ubuntu):
status: New → Invalid
no longer affects: msttcorefonts (Ubuntu)
Changed in apt (Debian):
status: New → Fix Committed
dino99 (9d9)
summary: - Can't drop privileges for downloading : _apt user not allowed
+ Needless scary warning: Can't drop privileges for downloading : _apt
+ user not allowed
Changed in apt (Debian):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu):
status: Confirmed → Fix Released
dino99 (9d9)
Changed in apt (Ubuntu):
status: Fix Released → New
summary: - Needless scary warning: Can't drop privileges for downloading : _apt
+ Needless scary warning: Download is performed unsandboxed as root: _apt
user not allowed
no longer affects: dpkg (Ubuntu)
Changed in apt (Ubuntu):
status: New → Confirmed
Changed in apt (Ubuntu):
status: Confirmed → Fix Released
summary: - Needless scary warning: Download is performed unsandboxed as root: _apt
- user not allowed
+ Warning messages about unsandboxed downloads
Steve Langasek (vorlon)
affects: flashplugin-nonfree (Ubuntu) → update-notifier (Ubuntu)
Changed in update-notifier (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon)
no longer affects: msttcorefonts (Ubuntu)
Changed in update-notifier (Ubuntu):
status: New → Confirmed
Changed in update-notifier (Ubuntu):
importance: Undecided → Medium
Jeremy Bícha (jbicha)
no longer affects: update-notifier (Ubuntu Xenial)
no longer affects: apt (Ubuntu Xenial)
dino99 (9d9)
Changed in synaptic (Debian):
importance: Unknown → Undecided
status: New → Invalid
Changed in update-notifier (Ubuntu):
status: Confirmed → Incomplete
no longer affects: apt (Ubuntu)
Changed in apt (Ubuntu):
status: New → Fix Released
importance: Undecided → Low
Changed in update-notifier (Ubuntu):
status: Incomplete → Triaged
affects: synaptic (Debian) → synaptic (Ubuntu)
Changed in synaptic (Ubuntu):
status: Invalid → Confirmed
importance: Undecided → Medium
status: Confirmed → Triaged
no longer affects: synaptic (Debian)
Changed in aptitude (Debian):
status: Unknown → Fix Released
Changed in update-notifier (Ubuntu):
assignee: nobody → Julian Andres Klode (juliank)
Changed in aptitude (Ubuntu):
status: New → Fix Released
Changed in update-notifier (Ubuntu):
status: Triaged → Fix Committed
Changed in synaptic (Debian):
status: Unknown → New
Changed in update-notifier (Ubuntu):
status: Fix Committed → Fix Released
Rocdufer (lepcis) wrote :

First, recall user _apt was added recently. Second, not all comments appear to have the same origin; some refer to access rights, so some comments suggest changing the owner or ACL of some directory. However, other comments point out something that appears to be a parsing error over the directory path. For example, in comment #94, the path:

 "W: Download is performed unsandboxed as root as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Keine Berechtigung)"

looks quite extraneous, because it has an empty directory name at "/tmp/ /tmp_cl". The error I got is quite similar, except it says "/tmp/ /tmp_sh", but in my system I later found directory .synaptic/tmp was empty.

For the first problem, I do not see user _apt included in group sudo. And for the second, I remember that while doing a system upgrade I was notified about a change in MIME types. This could be a trace for a parsing error. Hope this comment may help to solve the warning.

A (publicface) wrote :

As of Ubuntu 16.04.3, the problem demonstrated below still exists. Here is the solution as to how to install it on a clean system. Note carefully, I always use apt-get, not synaptic. Also note that the _apt user already exists.

sudo chown _apt /var/lib/update-notifier/package-data-downloads/partial/
sudo apt-get install ttf-mscorefonts-installer

First, the Broken before chown to demonstrate the issue:
sudo apt-get install ttf-mscorefonts-installer
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  cabextract libmspack0
The following NEW packages will be installed:
  cabextract libmspack0 ttf-mscorefonts-installer
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 87.9 kB of archives.
After this operation, 338 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libmspack0 amd64 0.5-1ubuntu0.16.04.1 [37.0 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 cabextract amd64 1.6-1 [21.4 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu xenial/multiverse amd64 ttf-mscorefonts-installer all 3.4+nmu1ubuntu2 [29.5 kB]
Fetched 87.9 kB in 0s (118 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libmspack0:amd64.
(Reading database ... 241441 files and directories currently installed.)
Preparing to unpack .../libmspack0_0.5-1ubuntu0.16.04.1_amd64.deb ...
Unpacking libmspack0:amd64 (0.5-1ubuntu0.16.04.1) ...
Selecting previously unselected package cabextract.
Preparing to unpack .../cabextract_1.6-1_amd64.deb ...
Unpacking cabextract (1.6-1) ...
Selecting previously unselected package ttf-mscorefonts-installer.
Preparing to unpack .../ttf-mscorefonts-installer_3.4+nmu1ubuntu2_all.deb ...
Unpacking ttf-mscorefonts-installer (3.4+nmu1ubuntu2) ...
Processing triggers for libc-bin (2.23-0ubuntu9) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for fontconfig (2.11.94-0ubuntu1.1) ...
Processing triggers for update-notifier-common (3.168.5) ...
ttf-mscorefonts-installer: processing...
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/andale32.exe
Get:1 http://downloads.sourceforge.net/corefonts/andale32.exe [198 kB]
Fetched 198 kB in 1s (132 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/arial32.exe
Get:1 http://downloads.sourceforge.net/corefonts/arial32.exe [554 kB]
Fetched 554 kB in 1s (364 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/arial32.exe' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefonts/arialb32.exe
Get:1 http://downloads.so...

Martin Dünkelmann (nc-duenkekl3-deactivatedaccount) wrote :

Ubuntu Mate x64 17.10
Problem still exists...

Martin Dünkelmann (nc-duenkekl3-deactivatedaccount) wrote :

@Ads20000

Ads20000 (ads20000) wrote :

Still exists in 17.10? You might need to file a new bug, Julian will know what to do here I presume, since he pushed the fix...

Steve Langasek (vorlon) wrote :

On a system upgraded to 17.10, I see the correct permissions:

drwx------ 2 _apt root 4096 Nov 1 00:10 /var/lib/update-notifier/package-data-downloads/partial/

Martin, are you seeing this also or do you see something different?

Julian Andres Klode (juliank) wrote :

I'd say it's probably the synaptic one for Martin. We should change its directory to be _apt owned too, though it's not really clear to me which directories those are.

This should all be fixed in a hopefully near future with apt 1.6 or 1.7 opening these files as root and passing them down to the unprivileged processes via a socket. That's not yet implemented, though I do have mvo's branch from 2013 or so as a base.

Norbert (nrbrtx) wrote :

Got this bug again on fresh installation of kUbuntu 16.04 LTS during installation of kubuntu-restricted-extras (especially fonts).

Chelmite (steve-kelem) wrote :

I'm getting this error on Ubuntu 17.10:
W: Download is performed unsandboxed as root as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

I have a user _apt, and it owns /var/lib/update-notifier/package-data-downloads/partial/

It looks like the problems are 2-fold:
1. The double-slash in '/root/.synaptic/tmp//tmp_cl' is equivalent to /tmp_cl, isn't it? That doesn't exist, and probably shouldn't. The double-slash should probably be a single slash.
2. Why is _apt supposed to be able to access anything in /root? If /root/.synaptic/tmp is a special case, then somebody or some program needs to change its ownership. Right now it's:
drwx------ 2 root root /root/.synaptic/tmp

Adrien Beau (adrienbeau) wrote :

@Chelmite The double slash is equivalent to a single slash, so there is not much of a problem here, just a very minor cosmetic issue. Synaptic is certainly the one who told APT to download stuff in /root/.synaptic/tmp, so it is the one which should have changed the ownership to _apt beforehand. You can easily fix that yourself.

JohnWashington (ubuntu-johnwash) wrote :

@Adrien
I was happy until "You can easily fix that yourself". For every Launchpad reader that can, there's 100s who can't. And many thousands who don't even know Launchpad exists.

Martin Dünkelmann (nc-duenkekl3-deactivatedaccount) wrote :

Definitely.
This bug is a fault from the synaptic-, apt- or OS- developers....

Norbert (nrbrtx) wrote :

Got this bug while installing ttf-mscorefonts-installer?

385 users are affected.
How long?
Is it so difficult to fix this bug?

Paul White (paulw2u)
tags: added: artful bionic
removed: yakkety
tags: removed: zesty
description: updated
Changed in synaptic (Ubuntu):
importance: Medium → Low
Ads20000 (ads20000) wrote :

Norbert, making comments on bugs attacking developers for not doing enough to fix the bug just annoys the developers; it doesn't help fix the bug. Either take more proactive action as necessary (I don't know what's needed at the moment) or be patient. Also check the readme at the start of the description: it's cosmetic, so it's Low priority by definition. You can't change that unless you fight elsewhere to change the Importance descriptors.

Norbert (nrbrtx) wrote :

OK, Ads20000. This bug is annoying. Nothing more. Yesterday another newbie installed Ubuntu 16.04 LTS after my recommendation. He was very disappointed seeing this message.

Ubuntu developers should understand that annoying bugs should be fixed as fast as possible as Critical bugs. It does not matter that such bugs do not result in data loss. Such bugs make a negative reputation for the whole of Ubuntu. So they should be fixed.

description: updated
Adrien Beau (adrienbeau)
description: updated
Revision history for this message
Adrien Beau (adrienbeau) wrote :

Norbert, it is *extremely* inappropriate to edit the bug description to publicize your workaround. Adding instructions to set the sandbox user to "root" at the start of the bug description is quite simply awful.

I have reverted that change.

Revision history for this message
Norbert (nrbrtx) wrote :

@Adrien Beau (adrienbeau)
you can propose your fix anywhere where you want.
All APT works as root, there is no security hole here. We can trust its HTTP transport.

By the way, Ubuntu developers should understand that annoying bugs should be fixed as fast as possible, like Critical bugs. It does not matter that such bugs do not result in data loss. Such bugs give the whole of Ubuntu a negative reputation. So they should be fixed.

Revision history for this message
Norbert (nrbrtx) wrote :

The technical part about my fix is in https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/1522675/comments/85 .
Do APT/Ubuntu/Debian/Canonical have any comments on it?

description: updated
description: updated
Revision history for this message
Julian Andres Klode (juliank) wrote :

Uploaded update-notifier to xenial-proposed.

no longer affects: apt (Ubuntu Xenial)
Changed in update-notifier (Ubuntu Xenial):
assignee: nobody → Julian Andres Klode (juliank)
importance: Undecided → Medium
status: New → Fix Committed
status: Fix Committed → In Progress
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello dino99, or anyone else affected,

Accepted update-notifier into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update-notifier/3.168.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in update-notifier (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Revision history for this message
Norbert (nrbrtx) wrote :

Installed update-notifier 3.168.8 from xenial-proposed.

I do not get any "W: Can't drop privileges for downloading" during execution of

$ sudo apt-get install --reinstall flashplugin-installer ttf-mscorefonts-installer

But aptitude still complains when getting changelogs from the terminal with `aptitude changelog apt` or interactively with <C> (see bug https://bugs.launchpad.net/bugs/1752907 ).

Thank you!

If others know other ways to test, please do it.

Revision history for this message
dino99 (9d9) wrote :

Hope someone will make the change for synaptic too, which displays that error only the first upgrade is done.

Revision history for this message
Brian Murray (brian-murray) wrote :

bdmurray@clean-xenial-amd64:~$ apt-cache policy update-notifier
update-notifier:
  Installed: 3.168.1
  Candidate: 3.168.7
  Version table:
     3.168.7 500
        500 http://192.168.10.7/ubuntu xenial-updates/main amd64 Packages
        500 http://192.168.10.7/ubuntu xenial-security/main amd64 Packages
 *** 3.168.1 100
        100 /var/lib/dpkg/status
     3.168 500
        500 http://192.168.10.7/ubuntu xenial/main amd64 Packages
bdmurray@clean-xenial-amd64:~$ sudo apt install flashplugin-installer
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libpango1.0-0 libpangox-1.0-0
Suggested packages:
  x-ttcidfont-conf ttf-mscorefonts-installer ttf-bitstream-vera | ttf-dejavu ttf-xfree86-nonfree xfs
The following NEW packages will be installed:
  flashplugin-installer libpango1.0-0 libpangox-1.0-0
0 upgraded, 3 newly installed, 0 to remove and 556 not upgraded.
Need to get 6,798 B/51.9 kB of archives.
After this operation, 445 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
...
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20180206.1.orig.tar.gz
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20180206.1.orig.tar.gz [30.5 MB]
Fetched 30.5 MB in 5s (5,929 kB/s)
W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20180206.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20180206.1.orig.tar.gz

With the version from -proposed:

Setting up update-notifier-common (3.168.8) ...
flashplugin-installer: processing...
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20180206.1.orig.tar.gz
Get:1 http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_20180206.1.orig.tar.gz [30.5 MB]
Fetched 30.5 MB in 8s (3,434 kB/s)
Installing from local file /var/lib/update-notifier/package-data-downloads/partial/adobe-flashplugin_20180206.1.orig.tar.gz
Flash Plugin installed.
Setting up libcairo-perl (1.106-1build1) ...

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Ads20000 (ads20000) wrote :

Updated the other tag too, think that's the right thing to do? Please revert if not!

tags: added: verification-done
removed: verification-needed
Mathew Hodson (mhodson)
Changed in synaptic (Ubuntu Xenial):
importance: Undecided → Low
Changed in aptitude (Ubuntu):
importance: Undecided → Low
Changed in aptitude (Ubuntu Xenial):
importance: Undecided → Low
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in aptitude (Ubuntu Xenial):
status: New → Confirmed
Changed in synaptic (Ubuntu Xenial):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-notifier - 3.168.8

---------------
update-notifier (3.168.8) xenial; urgency=medium

  * Fix APT sandboxing for data downloads failing (LP: #1522675)

 -- Julian Andres Klode <email address hidden> Fri, 02 Mar 2018 12:27:35 +0100

Changed in update-notifier (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for update-notifier has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
htrex (hantarex) wrote :

I'm seeing the following message on Synaptic 0.84.3 running on Ubuntu 18.04.1

W: Download is performed unsandboxed as root as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

this is the directory listing on my host:

root@OrionXPS:~/.synaptic/tmp# ls -la
total 8
drwx------ 2 root root 4096 set 28 12:38 .
drwx------ 4 root root 4096 set 28 12:38 ..

Steve Langasek (vorlon)
tags: removed: regression-update
Revision history for this message
Norbert (nrbrtx) wrote :

One AskUbuntu user got an error about sandboxing and the _apt user (see https://askubuntu.com/q/1082648/66509 ):

"Download is performed unsandboxed as root as file '/home/jim/Downloads/rainlendar2-lite_2.14.2.b157-1_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)"

see full output below:

jim@jim-Z1-7623:~/Downloads$ sudo apt-get install ./rainlendar2-lite_2.14.2.b157-1_amd64.deb
[sudo] password for jim:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'rainlendar2-lite' instead of './rainlendar2-lite_2.14.2.b157-1_amd64.deb'
The following NEW packages will be installed:
  rainlendar2-lite
0 upgraded, 1 newly installed, 0 to remove and 7 not upgraded.
Need to get 0 B/17.9 MB of archives.
After this operation, 20.5 MB of additional disk space will be used.
Get:1 /home/jim/Downloads/rainlendar2-lite_2.14.2.b157-1_amd64.deb rainlendar2-lite amd64 2.14.2.b157-1 [17.9 MB]
Selecting previously unselected package rainlendar2-lite.
(Reading database ... 180109 files and directories currently installed.)
Preparing to unpack .../rainlendar2-lite_2.14.2.b157-1_amd64.deb ...
Unpacking rainlendar2-lite (2.14.2.b157-1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3.18.04.1) ...
Setting up rainlendar2-lite (2.14.2.b157-1) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1.1) ...
N: Download is performed unsandboxed as root as file '/home/jim/Downloads/rainlendar2-lite_2.14.2.b157-1_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Revision history for this message
Martin Dünkelmann (nc-duenkekl3-deactivatedaccount) wrote :

Vormals nicht ausgewähltes Paket xul-ext-lightning wird gewählt.
(Lese Datenbank ... 360184 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../xul-ext-lightning_1%3a60.2.1+build1-0ubuntu0.18.04.2_amd64.deb ...
Entpacken von xul-ext-lightning (1:60.2.1+build1-0ubuntu0.18.04.2) ...
xul-ext-lightning (1:60.2.1+build1-0ubuntu0.18.04.2) wird eingerichtet ...
W: Der Download wird als root und nicht Sandbox-geschützt durchgeführt, da auf die Datei »/root/.synaptic/tmp//tmp_cl« durch den Benutzer »_apt« nicht zugegriffen werden kann. - pkgAcquire::Run (13: Keine Berechtigung)

Ubuntu 18.04 -> Linux Mint 19.0 x64 Cinnamon

Revision history for this message
Martin Dünkelmann (nc-duenkekl3-deactivatedaccount) wrote :

W: Der Download wird als root und nicht Sandbox-geschützt durchgeführt, da auf die Datei »/root/.synaptic/tmp//tmp_cl« durch den Benutzer »_apt« nicht zugegriffen werden kann. - pkgAcquire::Run (13: Keine Berechtigung)

Revision history for this message
mikefreeman (mike-freeman-studio) wrote :

I'm also seeing the "W: Download is performed unsandboxed as root as file '/root/.synaptic/tmp//tmp_sh' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)" error. This is actually a fairly new thing, within the last few weeks. I'm on Linux Mint 19.2 (based on Ubuntu 18.04). Is there a fix yet?

Revision history for this message
Q. Haas (qhaas) wrote :

Seeing this in the Ubuntu 18.04 ppc64le docker image when doing an `apt-get install -y /root/MY_DEB_FILE.deb`, appears harmless, and doesn't occur if I move the deb to /tmp before installing.
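
Why the warning appears for '/root/.synaptic/tmp//tmp_cl' (the drwx------ root root listing earlier in the thread) but not for a file moved to /tmp, as an added example that is not part of the bug thread or of APT's code. The function name, the constructed directory tree and the stand-in uid are assumptions, and the model ignores group membership and ACLs.

```shell
#!/bin/sh
# Added example (not from the bug thread). Assumes GNU stat and dirname.
# Model: a user can pass through a directory if the search (x) bit is set in
# the owner bits (when the user owns it) or otherwise in the "other" bits.
# Group membership and ACLs are ignored.

# first_blocker UID FILE [TOP]
# Prints the highest directory between TOP (default /) and FILE that UID
# cannot search. Returns 0 if none, 1 if one was found, 2 if stat failed.
first_blocker() {
    uid=$1; dir=$(dirname -- "$2"); top=${3:-/}; blocker=
    while :; do
        info=$(stat -c '%a %u' -- "$dir") || return 2
        mode=${info% *}; owner=${info#* }
        m=$((0$mode))                  # %a prints octal; the leading 0 parses it as octal
        if [ "$owner" = "$uid" ]; then
            bits=$(( (m >> 6) & 7 ))   # owner permission bits
        else
            bits=$(( m & 7 ))          # "other" permission bits
        fi
        [ $(( bits & 1 )) -ne 0 ] || blocker=$dir
        parent=$(dirname -- "$dir")
        if [ "$dir" = "$top" ] || [ "$parent" = "$dir" ]; then break; fi
        dir=$parent
    done
    [ -z "$blocker" ] && return 0
    printf '%s\n' "$blocker"
    return 1
}

# Constructed tree mirroring the thread: a 0700 "root" home and a 1777 "tmp".
demo() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/root/.synaptic/tmp" "$base/tmp"
    chmod 755 "$base"; chmod 700 "$base/root"; chmod 1777 "$base/tmp"
    other=$(( $(id -u) + 1 ))          # constructed stand-in for the uid of _apt
    echo "blocked at: $(first_blocker "$other" "$base/root/.synaptic/tmp//tmp_cl" "$base")"
    first_blocker "$other" "$base/tmp/pkg.deb" "$base" && echo "tmp: reachable"
    # Once the user owns the directories, the owner bits apply instead.
    first_blocker "$(id -u)" "$base/root/.synaptic/tmp//tmp_cl" "$base" \
        && echo "as owner: reachable"
    rm -rf "$base"
}
demo || :
```

On a real system the uid would come from `id -u _apt`, the TOP argument would be omitted, and the script would need to run as root so that stat can read inside /root.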

Revision history for this message
ramas (slocascio) wrote :

Is it possible to remove the "cosmetic issue" expression? It is a subjective statement.

Revision history for this message
Julian Andres Klode (juliank) wrote :

It's not really. I've reworded it so that it's more clear. It's important to realize that this is not a regression in functionality, it works the same way as before, you just get a warning because new security features (which are arguably fairly incomplete) could not be used.

description: updated
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hey, still hitting this in a Hirsute VM :/

Revision history for this message
Chaim Eliyah (chaimeliyah) wrote :

This showed up on Ubuntu 21.04. Regression?

Norbert (nrbrtx)
tags: added: focal hirsute impish
removed: artful
Revision history for this message
Brian Murray (brian-murray) wrote :

The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release.

Changed in synaptic (Ubuntu Hirsute):
status: Triaged → Won't Fix
Norbert (nrbrtx)
tags: added: jammy
removed: hirsute
Revision history for this message
Rovano (rovano) wrote :

on Jammy 22.04.02 if installing via Synaptic

W: Download is performed unsandboxed as root as file '/root/.synaptic/tmp//tmp_cl' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

It's not the first error by Synaptic on U22.04.

Changing permission and owner does not help.

I use CLI apt instead.
